Analysis Overview
SHA256
8a88d8c71eeff5031c0be922bad9639753a904fbf78536c0f8ac0619ae69d1b4
Threat Level: Known bad
The file PAGO 748844.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger payload
Snake Keylogger
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
outlook_office_path
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-20 07:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-20 07:03
Reported
2023-07-20 07:05
Platform
win7-20230712-en
Max time kernel
119s
Max time network
142s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2996 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe
"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"
C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe
"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
Files
memory/2996-54-0x0000000000260000-0x00000000002FA000-memory.dmp
memory/2996-55-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2996-56-0x0000000004D80000-0x0000000004DC0000-memory.dmp
memory/2996-57-0x0000000000540000-0x0000000000550000-memory.dmp
memory/2996-58-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2996-59-0x0000000004D80000-0x0000000004DC0000-memory.dmp
memory/2996-60-0x0000000000550000-0x000000000055A000-memory.dmp
memory/2996-61-0x0000000000740000-0x00000000007A0000-memory.dmp
memory/2828-62-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2828-63-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2828-64-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2828-65-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2828-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2828-68-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2996-72-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2828-70-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2828-73-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2828-74-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2828-75-0x0000000002040000-0x0000000002080000-memory.dmp
memory/2828-76-0x0000000074120000-0x000000007480E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-20 07:03
Reported
2023-07-20 07:05
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4772 set thread context of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe
"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"
C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe
"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3824 -ip 3824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1496
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/4772-134-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/4772-133-0x0000000000040000-0x00000000000DA000-memory.dmp
memory/4772-135-0x0000000004F70000-0x0000000005514000-memory.dmp
memory/4772-136-0x00000000049C0000-0x0000000004A52000-memory.dmp
memory/4772-137-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/4772-138-0x0000000004960000-0x000000000496A000-memory.dmp
memory/4772-139-0x0000000004D80000-0x0000000004F26000-memory.dmp
memory/4772-140-0x0000000004C70000-0x0000000004D0C000-memory.dmp
memory/4772-141-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/4772-142-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/3824-143-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAGO 748844.exe.log
| Algorithm | Digest |
|---|---|
| MD5 | 765cff098b629b1eb49e3ef981f7001a |
| SHA1 | 32b7ade1f746d013371141dcebd96e0bb3faeef3 |
| SHA256 | ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7 |
| SHA512 | ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474 |
memory/3824-146-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3824-147-0x0000000005240000-0x0000000005250000-memory.dmp
memory/4772-148-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3824-149-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3824-150-0x0000000005240000-0x0000000005250000-memory.dmp
memory/3824-151-0x0000000074790000-0x0000000074F40000-memory.dmp