snakekeylogger | c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Size

692KB
MD5

f0683bb61a43a8dd7061dbd8ee3af88b
SHA1

c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512

7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7
SSDEEP

12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH

Score

10^/10

snakekeylogger evasion keylogger persistence stealer trojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.gkas.com.tr
Port:
587
Username:
[email protected]
Password:
Gkasteknik@2022

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2852-26-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2852-28-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2852-30-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2540 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2752 cmd.exe

pid	process
2540	svchost.exe

pid	process
2752	cmd.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2540 set thread context of 2852 2540 svchost.exe ServiceModelReg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2928 timeout.exe

description	pid	process	target process
PID 2540 set thread context of 2852	2540	svchost.exe	ServiceModelReg.exe

pid	process
2628	schtasks.exe

pid	process
2928	timeout.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403193918"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0cdd89049fcd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000758541137541e4f27ccb4342c275ce1ad1e70e92ae4c9f6884d3b7bf67471125000000000e8000000002000020000000abdd8d1356297b0ff9c3d997739a989f6ed23b652cb122626ee7f05e37b74ccc200000007f51e3b154b170bd6351664a86d0c5fadca1c0f70b2c5dd6350ae6eb73e3677c40000000280dc070a64ffe5683f63659e0485cd31772b9b7a995037b0c6d75e5be469d7590b399cc9db17046f92d2c575e410bc3c57be0d27733ad34dc2aa0cffbf6b97a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B80E6E41-683C-11EE-B67D-FA088ABC2EB2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000c85bba906ed4ccece01ca184107d3d5b4d746997a36779f743e1dc51ff0f2443000000000e80000000020000200000001af1a62505b38a76d5b4bf35f9c2be5efad27c069c2acc3e13c8dc6a972a0ba790000000be3106d617dc75fb90a84de28ecd52fcab76cd0f1721e470043236bb74dd398ec03b168ed5d903070a57c68cba812cad927d4b44bd0fc716a7f758cd3276f528109bb59e266d1bbafae884298e707717ab491cbf731de06c7322b817458a89bab11db4a8c4914746bc57ca664d122e45596238dfdc54adad6e4f940dfed5fad321976eefdeb929705bcf341b669b3dcb40000000ce6b9084382506f659a50efdd1930e20d88ae73d98e2f8ad13a93dc4d9ef9355acde3afeb8b2eaab84ead2123cf85bb4d0497b565687db23e621aa067f76bf20	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exesvchost.exepowershell.exe

pid	process
2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2540	svchost.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Token: SeDebugPrivilege	2540	svchost.exe
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1028 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1028 iexplore.exe
1028 iexplore.exe
2480 IEXPLORE.EXE
2480 IEXPLORE.EXE
2480 IEXPLORE.EXE
2480 IEXPLORE.EXE

pid	process
1028	iexplore.exe

pid	process
1028	iexplore.exe
1028	iexplore.exe
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.execmd.execmd.exesvchost.exeServiceModelReg.exeiexplore.exe

description	pid	process	target process
PID 2120 wrote to memory of 2208	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2208	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2208	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2208	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2752	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2752	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2752	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2120 wrote to memory of 2752	2120	c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe	cmd.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	timeout.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	timeout.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	timeout.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	timeout.exe
PID 2208 wrote to memory of 2628	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 2628	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 2628	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 2628	2208	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2540	2752	cmd.exe	svchost.exe
PID 2752 wrote to memory of 2540	2752	cmd.exe	svchost.exe
PID 2752 wrote to memory of 2540	2752	cmd.exe	svchost.exe
PID 2752 wrote to memory of 2540	2752	cmd.exe	svchost.exe
PID 2540 wrote to memory of 2164	2540	svchost.exe	powershell.exe
PID 2540 wrote to memory of 2164	2540	svchost.exe	powershell.exe
PID 2540 wrote to memory of 2164	2540	svchost.exe	powershell.exe
PID 2540 wrote to memory of 2164	2540	svchost.exe	powershell.exe
PID 2540 wrote to memory of 2624	2540	svchost.exe	ilasm.exe
PID 2540 wrote to memory of 2624	2540	svchost.exe	ilasm.exe
PID 2540 wrote to memory of 2624	2540	svchost.exe	ilasm.exe
PID 2540 wrote to memory of 2624	2540	svchost.exe	ilasm.exe
PID 2540 wrote to memory of 2836	2540	svchost.exe	ComSvcConfig.exe
PID 2540 wrote to memory of 2836	2540	svchost.exe	ComSvcConfig.exe
PID 2540 wrote to memory of 2836	2540	svchost.exe	ComSvcConfig.exe
PID 2540 wrote to memory of 2836	2540	svchost.exe	ComSvcConfig.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2540 wrote to memory of 2852	2540	svchost.exe	ServiceModelReg.exe
PID 2852 wrote to memory of 1028	2852	ServiceModelReg.exe	iexplore.exe
PID 2852 wrote to memory of 1028	2852	ServiceModelReg.exe	iexplore.exe
PID 2852 wrote to memory of 1028	2852	ServiceModelReg.exe	iexplore.exe
PID 2852 wrote to memory of 1028	2852	ServiceModelReg.exe	iexplore.exe
PID 1028 wrote to memory of 2480	1028	iexplore.exe	IEXPLORE.EXE
PID 1028 wrote to memory of 2480	1028	iexplore.exe	IEXPLORE.EXE
PID 1028 wrote to memory of 2480	1028	iexplore.exe	IEXPLORE.EXE
PID 1028 wrote to memory of 2480	1028	iexplore.exe	IEXPLORE.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
"C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9E4.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2928

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
4⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
4⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
368ba43f19382c20e8c7647022bdd710

SHA1
1781489f23421bae18ea959983e28bc20e4ab729

SHA256
775e02024180288374d4551bfa476ace459e1f681eed28731058c51aafa75cb1

SHA512
95d6737aca0805155ae0f410120eb39660592735c85b344c35b6ceda892aee9f48e6f3dc733e5bcdf846346213914cc50e9c25a90bc295603437ea0c23898b2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cf167b90a3932dc8ba9a60a76475bc1

SHA1
677d2355c8b83712a55fe7aaddbcd426668bf6ef

SHA256
d5a30cf271a77f459e7b8d8fb83533d5c693253f7e5f3f90e2094acd4c1271bd

SHA512
9c77290cbef8d07e0048554b67f5ee87fc665d039f5fb3f1b7ca9f0ac2c109f6851f2c055de2ce98654652a185a8619315845bf0494367fdd3689fc630a4de35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab19f6a8d82ef3dbe57f5b10bcb9d298

SHA1
d771378e648fa227a41bebdcac72bf707984296c

SHA256
e43c5c0a7d91d90240946c2d114e8163cdcd25a97822467d67d01eb9d8129e4e

SHA512
7448df6d134cc91a9716f2c038087dbdde4113bd24a161bbeb6818c9f8c5bcd90fa22c51db007b53942ca21e6f93e7adb97fe37b2fce8dac1fb00da19800b259

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89e065936aea1c31bede71fd5e0b30d2

SHA1
c0e4fbe3094a0bf86f42530b2d15d5d3826615f4

SHA256
7df5a5bc545cdc3dea4dd12f4cfbbf43dd5a935b9bdfbd07cd038424dc00dadf

SHA512
13129fa5985c7333194760f3c9565e26024c637e4d54f0dcf0a02bae52d04ece5c685dcc9b5433aefff8a0cf923c79ef7e2e6371eed962bf1487b23cf8876c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d217fdc68fad4b7d3c6aa64f5aef33c1

SHA1
c4e4280609e6a09b6646604d796b0e120b8f8a90

SHA256
ccd6830c9e9299334409230f4a9976f423d7b5c7c7d7a48b8b595544945906cc

SHA512
ae5501e9ded2457e671661c4f79c6ae2d02ffddb4adfa690596846491a35906996c13f6f4b58374e09e2eafc3832ed28742772fe588017752674f80c9b725013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b555e0f9897af9b9a934f4fc91d7905

SHA1
644c4a5b10c0624fcda27f797d453127a89695f3

SHA256
512dd6e5d366ce691f817357975c0bfa99a32877ffeb300a005c79091f015302

SHA512
1022300696167076d6ec8949b044b3a28ab2b5288e179ee1be17fbc596d4e3a9e264b9729efcf76accf1155fafa3c9b01b711384efdd2799962e5e04623a873c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2eb0097b4463202c88669678c06d8143

SHA1
cda0213dbb8088aa67fd4e7f3bd13ca1ed092adc

SHA256
073f39c9a8bd7bc6f05cca42d74824892a16671f0935d3043f6e00dbed9e216c

SHA512
d731f7ba7b2dabdfee4609913225d4a6c7c1e2f0f2335b39c29409f0745d8ce11c582933b4751b23b3b9a7ce2b93490784d213878f51e545e18704c464746ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fa2028d30a29d7ea2685f6c3a56922b

SHA1
577353572689ca7f8d93ba0927950dd749b0e50c

SHA256
d8996aa6f903c809d3fb2d639612f22852194e7593b62fd62572653cb2c3efb6

SHA512
d0b8bdeaf94944ac561fee60bef8547520f7827fb815033f879568f12b5d5439e36b6511d7951a525dbd7a17c81ac407ed57f89880a6082a62715d946ca3e4a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66565f7c758f62a7378012bcf6af6af8

SHA1
a1ed22b2f651155a8a26b454ab7dd569622f9661

SHA256
b2ccd1b1971d56b94670d928eef72900362706cdafe951b877ed760c35ab600e

SHA512
34228170b5e6185e1e8c243deed0195ddf3f9778060256979ba71cbdf98012dee686b40128c6328fa9ee84b7748e87d6c080fd51c7135fcc610c076a1ed9864b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8305798b8b8e974366d1ffee309f6bbc

SHA1
dc30163be27aa43c538ea07ad9ac7db15a81f1a7

SHA256
a82e2a9604965fc1373513cbfc0e586fff9bd5a15d9598d1f4d3d08478dcc544

SHA512
500f44a7ff62c4c712d81254c923a87443938c3b01fad9c328423276520d166bb13d399eaa74b9272387b790a96bdc403685f5bdb822a990477eb4d428f88cf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
167a9b3d2a9c4cb840540836e3109d95

SHA1
701a6bb7fd6e37a9baf17e6139ca6876af8a2497

SHA256
5ccde8242eda758693cf9ac0b44f38fdc39af6887078fa615799955ff7020f34

SHA512
340594abb5dc714b29032b4f30f0a153ebd64f29c2764c93da2751dbca95928f2b540e6c6b6115ccf640265f9164d716c1c92ebe7490ccbd1dd5bf24aaf29ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e26e4e4f81af064e16bbe73a74a51d56

SHA1
e85b786ef429e3b05756678129d3595ea3c3473c

SHA256
5d7cbfc71819b07e687567998f35958844a5331b51783a28b5c63b09ca3f3087

SHA512
13ea186f28b251c1a820e850136b52f3f9d70e57e0c78650beb5b094e6df456677aa2b2d7e4323182da113a76ee3d93df2fc4704c3d45efd11f5f3ba2c068f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9c01b1857f489f56c2dc91754382787

SHA1
7aeecb4dd30749028ba9779292ebe4819b72fddf

SHA256
ebc1e22df8715d7593b620e3f5cf4f0bd6bdf3bd2bc2d86ee51fa986ccffa4dd

SHA512
8c871223224102506ae334d44f8dffe5fc24f39202fd5e28811d266bcdbe6928f0e2ad28796ad6deef6c5427dada3c00c572018d21d009fa8330df3a4da22a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7710b95c531a3d53765c31e13e393418

SHA1
8de97adb80a671238d030cf1db3780891786d161

SHA256
6990a74a98155a90ebb054fd5a9c000354734f3ff024a95ce01cb8a98ac6aa50

SHA512
40d2eb4502c36821dd72104bcba8c7d80a472b5419e365a31602512ce6fd9e6fb11d4785cc8fee2f113111a8f23509dd652db59f2d64ee2c83212f579ccccf6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b78718517c0e4d8b985a6e705bd6a78

SHA1
0387c6f8c8729110126674216386cc72ad35c0b7

SHA256
0735271d353076435b2d848b003cd5b07687ada8cfc1745345a6e07627b04a23

SHA512
cc97b1e79060d37ac99ed00e1aaae4170bd2f1b15d16728ae3387830b8fd0a6b97757e594dd7599e177509b1ce20ebb5f913bc7bd0f1206163960dce144e4798

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6358d19cefade8fcaf37674a23d89790

SHA1
b58acd369317de88b1eec39be3a8682cabb2640c

SHA256
c5576e625b35bad4df68c6a40e6dd229ea044ce1ebd340aebfda049eba2e10bf

SHA512
add84301dac7613f725df03aa68433136e1ae5f0883232a38393ea35815a9002b424106861b088a4d34e8f82082a9bcd04b3b0056b86f79d84709686a07ea3fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc11609e40aba828de17610f819e8d2e

SHA1
27c2d99530b143e4de04eac6579ae915bb48a9ea

SHA256
17286fdeec6f2b6e83e82f2b9e9e28e090f79c47ffd6daef6184dd2bae5ba860

SHA512
e59329bcb58863464ca3fe04e753e288023ebb01cc7a720a52b28def7e73f27217d61a2a8e396b27cefd9fad7c74e500f08ea9c7f9c585fb7794460eca6cbe01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83d562e3a53d57076a4a58bc27d484b0

SHA1
454a15358a93b5b1a3d6b7948b752e535d87274e

SHA256
b06983b25c198a73eb871d690884ef97846fa05f949ae6c8d516d04f255bfe74

SHA512
42230ccf427560028840b5ddc9a2845a573c81678bf140e1bb1c3f1176ed6e8383b7418d4ce09f70f11ef87ecc1956b7def4e918f4ef95b82fed60dc042f56c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1737f2d7c69a56e894a78dcfeb4b759

SHA1
912d34a520ec2f6c22876b406aae2e0099f9cffa

SHA256
af9b2b249a6b38cef9f85454083174307a1260455f777312f28fac29a2f47286

SHA512
cccfb206ae9a7ddaec6d50cd1a527c72f213429399b8f28b70e050fbacb34deb66432a7b6d375cba873a5f2e83b05e035f1b53e1ca8193d146f6c66efb490fd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f16a19ffad972084f3e91def60cedf51

SHA1
0bb992e21d8298e7074e227426394713af714bad

SHA256
fcde8d6048c0787bf505f5ab2465aabd60731d9b64f2e07082b2fb712bac85c1

SHA512
afec05bc0ba655c51d7155a115f3f4afb2059bf3791295845016a42e9e3dba9b65ee77dcae55aa7b37e057dc962c78d652b7aabca794e7c55b3dc834877df3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab784D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78CE.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9E4.tmp.bat

Filesize
151B

MD5
e253b76dc23a7effa9f8075b6ebf9fa4

SHA1
ea324d16665140e423c9c03a11fb2e19808b92c5

SHA256
d030cb28108704b68cebc791c55e6aac68e8048442d9a7b6f5a2decc051c9707

SHA512
3047312b5f1de650705b43709dd68432c269d8ac3a13c18446ec9e10d3e4433d0353742fd60400e77e42394dee423d0c4754d3f6effa5e2eef1fc36c57fa46dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9E4.tmp.bat

Filesize
151B

MD5
e253b76dc23a7effa9f8075b6ebf9fa4

SHA1
ea324d16665140e423c9c03a11fb2e19808b92c5

SHA256
d030cb28108704b68cebc791c55e6aac68e8048442d9a7b6f5a2decc051c9707

SHA512
3047312b5f1de650705b43709dd68432c269d8ac3a13c18446ec9e10d3e4433d0353742fd60400e77e42394dee423d0c4754d3f6effa5e2eef1fc36c57fa46dd

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
692KB

MD5
f0683bb61a43a8dd7061dbd8ee3af88b

SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989

SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
692KB

MD5
f0683bb61a43a8dd7061dbd8ee3af88b

SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989

SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
692KB

MD5
f0683bb61a43a8dd7061dbd8ee3af88b

SHA1
c94587218dc3ce9bd66e7ebe23c720ca50afd989

SHA256
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff

SHA512
7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Download Submit
memory/2120-0-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2120-14-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2120-4-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/2120-3-0x0000000000820000-0x0000000000890000-memory.dmp

Filesize
448KB

Download
memory/2120-2-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2120-1-0x0000000000890000-0x0000000000942000-memory.dmp

Filesize
712KB

Download
memory/2164-33-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-39-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-34-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2164-32-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-20-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2540-23-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2540-22-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-31-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-21-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/2540-19-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-18-0x0000000000B70000-0x0000000000C22000-memory.dmp

Filesize
712KB

Download
memory/2852-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2852-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2852-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download