Analysis Overview
SHA256
3331e4358de7df247634699487afe492edf9af859cd588304ce9f0c6cb542cc3
Threat Level: Known bad
The file Siparis 02.08.023.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger
Snake Keylogger payload
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-02 06:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-02 06:21
Reported
2023-08-02 06:23
Platform
win7-20230712-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2584 set thread context of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rBsecoizqPy.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBsecoizqPy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp"
C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
Files
memory/2584-54-0x00000000011A0000-0x0000000001246000-memory.dmp
memory/2584-55-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2584-56-0x0000000000F60000-0x0000000000FA0000-memory.dmp
memory/2584-57-0x0000000000410000-0x0000000000420000-memory.dmp
memory/2584-58-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2584-59-0x0000000000F60000-0x0000000000FA0000-memory.dmp
memory/2584-60-0x0000000000430000-0x000000000043A000-memory.dmp
memory/2584-61-0x0000000007E60000-0x0000000007EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp
| MD5 | a25aeed858435bfa9d3dfb2a3fcf3d3d |
| SHA1 | 6b346fd10916b0e7e6311a82af44ac6337cf6429 |
| SHA256 | 22bce8b7245dfadef9bd2e78a0babec5c9b00d18532022127789dedda2811a8b |
| SHA512 | 4a7973a175c0ef4c9504d2fb89e854e5ad437c8314f9b086b1f8e2d4ea9bf42cab54a1463708b5e25a445750356cb27fba06dccf91f586e5c092b31fe7a6783c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 250f8b20d966e4bf1fa8d10e96b0dff3 |
| SHA1 | 7b2983bba7dfe40ca219e224bbf3a01fe877ad60 |
| SHA256 | ff503e33aee4b837a363916753bf3bbaa151bd768beb5b182bc3e97e1ccd9281 |
| SHA512 | fa575b181db3da006e89f167ed47a34a35d993120d3e15278777398285e8a8df47e30272d6699d8ce3aa6f8543a068a5f6c19741476ac6202a9315f2bdeefac5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XRMOW1TN7ULII41URCOU.temp
| MD5 | 250f8b20d966e4bf1fa8d10e96b0dff3 |
| SHA1 | 7b2983bba7dfe40ca219e224bbf3a01fe877ad60 |
| SHA256 | ff503e33aee4b837a363916753bf3bbaa151bd768beb5b182bc3e97e1ccd9281 |
| SHA512 | fa575b181db3da006e89f167ed47a34a35d993120d3e15278777398285e8a8df47e30272d6699d8ce3aa6f8543a068a5f6c19741476ac6202a9315f2bdeefac5 |
memory/1868-74-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1868-76-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1868-77-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1868-78-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1868-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1868-81-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1868-83-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1868-86-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2584-85-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2148-87-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/2860-88-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/2148-89-0x0000000002790000-0x00000000027D0000-memory.dmp
memory/2860-90-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/2860-91-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/2148-94-0x0000000002790000-0x00000000027D0000-memory.dmp
memory/1868-96-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
memory/2860-97-0x00000000024E0000-0x0000000002520000-memory.dmp
memory/2860-95-0x00000000024E0000-0x0000000002520000-memory.dmp
memory/2148-93-0x0000000002790000-0x00000000027D0000-memory.dmp
memory/2148-92-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/1868-98-0x00000000731C0000-0x00000000738AE000-memory.dmp
memory/2860-100-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/2148-99-0x000000006F0D0000-0x000000006F67B000-memory.dmp
memory/1868-101-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
memory/1868-102-0x00000000731C0000-0x00000000738AE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-02 06:21
Reported
2023-08-02 06:23
Platform
win10v2004-20230703-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2632 set thread context of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rBsecoizqPy.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBsecoizqPy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp966F.tmp"
C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/2632-133-0x0000000000C60000-0x0000000000D06000-memory.dmp
memory/2632-134-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/2632-135-0x0000000005C60000-0x0000000006204000-memory.dmp
memory/2632-136-0x00000000056B0000-0x0000000005742000-memory.dmp
memory/2632-137-0x0000000005680000-0x0000000005690000-memory.dmp
memory/2632-138-0x0000000005780000-0x000000000578A000-memory.dmp
memory/2632-139-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/2632-140-0x0000000005680000-0x0000000005690000-memory.dmp
memory/2632-141-0x0000000009470000-0x000000000950C000-memory.dmp
memory/4612-146-0x0000000000D20000-0x0000000000D56000-memory.dmp
memory/4612-147-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/4612-149-0x0000000004C80000-0x00000000052A8000-memory.dmp
memory/4612-148-0x0000000000CC0000-0x0000000000CD0000-memory.dmp
memory/4612-150-0x0000000000CC0000-0x0000000000CD0000-memory.dmp
memory/4196-151-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/4196-152-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/4196-153-0x00000000023D0000-0x00000000023E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp966F.tmp
| MD5 | a0640ec5bce918a9c49ac81187baec7b |
| SHA1 | 4eef02e9643d3943d81c8da1e7e3f7856834ea7d |
| SHA256 | 8e0bb1e5b5012a4ec071af2ffbac99573c655737ed658b26fe9a240f10f985ac |
| SHA512 | 1679f29a2f1a2164de903d19729f94a499c7a83a037ccf7a8b28e66976fee11574dfa0f99bf45087480e2400e94258d6cd7835b7d1b153d9941caaaf64becea6 |
memory/4612-155-0x0000000004AF0000-0x0000000004B12000-memory.dmp
memory/4612-156-0x0000000005360000-0x00000000053C6000-memory.dmp
memory/4612-157-0x0000000005480000-0x00000000054E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pugau1c0.zph.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3820-167-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3820-178-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/2632-179-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/4196-180-0x0000000005CE0000-0x0000000005CFE000-memory.dmp
memory/3820-181-0x0000000005570000-0x0000000005580000-memory.dmp
memory/4612-182-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/4612-184-0x0000000000CC0000-0x0000000000CD0000-memory.dmp
memory/4196-183-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/4612-185-0x0000000000CC0000-0x0000000000CD0000-memory.dmp
memory/4612-186-0x0000000000CC0000-0x0000000000CD0000-memory.dmp
memory/4196-187-0x0000000006EB0000-0x0000000006EE2000-memory.dmp
memory/4612-188-0x0000000071980000-0x00000000719CC000-memory.dmp
memory/4196-189-0x0000000071980000-0x00000000719CC000-memory.dmp
memory/4196-200-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/4612-199-0x0000000006080000-0x000000000609E000-memory.dmp
memory/4612-210-0x0000000007420000-0x0000000007A9A000-memory.dmp
memory/4612-211-0x0000000006DE0000-0x0000000006DFA000-memory.dmp
memory/4196-212-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/4612-213-0x0000000006E50000-0x0000000006E5A000-memory.dmp
memory/4612-214-0x0000000007060000-0x00000000070F6000-memory.dmp
memory/4196-215-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/4196-216-0x0000000007240000-0x000000000724E000-memory.dmp
memory/4196-217-0x0000000007350000-0x000000000736A000-memory.dmp
memory/4612-218-0x0000000007100000-0x0000000007108000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9705cc2e26833e536847128cb77248fc |
| SHA1 | e6ec4c08bae27621407d2eac17bb3849d4617851 |
| SHA256 | 568839032a5f7dd9de4fc313d7cf136a3e3ed8ce5826cc6fc4662ee877fc4127 |
| SHA512 | ce7740da98cbea75cec26f63f740b52cfc99c41f4a2ff59820edd85cf6587361ed132d622a21e00ac18c4c8749379b757f028dc948d32c8ef9a0aad34b5ee936 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4612-225-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/4196-226-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/3820-227-0x00000000752E0000-0x0000000075A90000-memory.dmp
memory/3820-228-0x0000000006610000-0x00000000067D2000-memory.dmp
memory/3820-229-0x0000000005570000-0x0000000005580000-memory.dmp