snakekeylogger | 8cc88e976519ff45e42429ef183692be7174a6d6bd9f7fe55eed03a00be1e1e2

General

Target

CAMSCANN.scr
Size

168KB
MD5

c04d39e4d40a1ea077e10d2d2b78d25d
SHA1

ce37dc7a55e6eb78a7310074136d7b87c44c85eb
SHA256

0ef0022fbc09c3770f6ef6268806a7baa2fbd1141cf43144196f9313cf6e2663
SHA512

eb41864e2763c1338b39b2617350b0d288a5cd6572a50be84b2b86515a0bc4674518c7fb7b8a0b8412328aea88d6942c3d975951d71c3062f33c46b78029ddea
SSDEEP

1536:Apka7KXz5hwQLrR27irlIPOTaAqglHPUstodIKdoUy:ApH7anbXR27iKj9gvmBy

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\day1.exe	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\day1.exe	family_snakekeylogger
\Users\Admin\AppData\Local\Temp\day1.exe	family_snakekeylogger
behavioral1/memory/2428-81-0x000000013FE00000-0x000000013FE1C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2428-83-0x000000001B8C0000-0x000000001B940000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

Processes:

day1.exe

pid process

2428 day1.exe
Loads dropped DLL 2 IoCs

Processes:

CAMSCANN.scrwhere.exe

pid process

2824 CAMSCANN.scr
928 where.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2824	CAMSCANN.scr
928	where.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

day1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	day1.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	day1.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	day1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.dyndns.org

flow	ioc
11	checkip.dyndns.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

CAMSCANN.scrCAMSCANN.scrwhere.exe

description	pid	process	target process
PID 2824 set thread context of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 524 set thread context of 1412	524	CAMSCANN.scr	Explorer.EXE
PID 524 set thread context of 928	524	CAMSCANN.scr	where.exe
PID 928 set thread context of 1412	928	where.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

where.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-86725733-3001458681-3405935542-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	where.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

CAMSCANN.scr

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CAMSCANN.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CAMSCANN.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	CAMSCANN.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	CAMSCANN.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	CAMSCANN.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	CAMSCANN.scr

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

day1.exeCAMSCANN.scrwhere.exe

pid	process
2428	day1.exe
524	CAMSCANN.scr
524	CAMSCANN.scr
524	CAMSCANN.scr
2428	day1.exe
524	CAMSCANN.scr
524	CAMSCANN.scr
524	CAMSCANN.scr
524	CAMSCANN.scr
524	CAMSCANN.scr
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe
928	where.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CAMSCANN.scrExplorer.EXEwhere.exe

pid process

524 CAMSCANN.scr
1412 Explorer.EXE
1412 Explorer.EXE
928 where.exe
928 where.exe
928 where.exe
928 where.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CAMSCANN.scrday1.exe

description pid process

Token: SeDebugPrivilege 2824 CAMSCANN.scr
Token: SeDebugPrivilege 2428 day1.exe

pid	process
1412	Explorer.EXE

pid	process
524	CAMSCANN.scr
1412	Explorer.EXE
1412	Explorer.EXE
928	where.exe
928	where.exe
928	where.exe
928	where.exe

description	pid	process
Token: SeDebugPrivilege	2824	CAMSCANN.scr
Token: SeDebugPrivilege	2428	day1.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

CAMSCANN.scrExplorer.EXEwhere.exe

description	pid	process	target process
PID 2824 wrote to memory of 2428	2824	CAMSCANN.scr	day1.exe
PID 2824 wrote to memory of 2428	2824	CAMSCANN.scr	day1.exe
PID 2824 wrote to memory of 2428	2824	CAMSCANN.scr	day1.exe
PID 2824 wrote to memory of 2428	2824	CAMSCANN.scr	day1.exe
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 2824 wrote to memory of 524	2824	CAMSCANN.scr	CAMSCANN.scr
PID 1412 wrote to memory of 928	1412	Explorer.EXE	where.exe
PID 1412 wrote to memory of 928	1412	Explorer.EXE	where.exe
PID 1412 wrote to memory of 928	1412	Explorer.EXE	where.exe
PID 1412 wrote to memory of 928	1412	Explorer.EXE	where.exe
PID 928 wrote to memory of 824	928	where.exe	Firefox.exe
PID 928 wrote to memory of 824	928	where.exe	Firefox.exe
PID 928 wrote to memory of 824	928	where.exe	Firefox.exe
PID 928 wrote to memory of 824	928	where.exe	Firefox.exe
PID 928 wrote to memory of 824	928	where.exe	Firefox.exe

outlook_office_path 1 IoCs

Processes:

day1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	day1.exe

outlook_win_path 1 IoCs

Processes:

day1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	day1.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\CAMSCANN.scr
"C:\Users\Admin\AppData\Local\Temp\CAMSCANN.scr" /S
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\day1.exe
"C:\Users\Admin\AppData\Local\Temp\day1.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2428

C:\Users\Admin\AppData\Local\Temp\CAMSCANN.scr
C:\Users\Admin\AppData\Local\Temp\CAMSCANN.scr
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:524

C:\Windows\SysWOW64\where.exe
"C:\Windows\SysWOW64\where.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f8a0f3f8c70d740e7ab77fd048c5bb97

SHA1
c0484f6199b51aa4f550f81c9e205d9f5ad7062b

SHA256
6e3a121c93b4d5d25e3c033e559abef1293b7ebbfe359fd220d8da41dc267c0f

SHA512
40dcf87eb57f39ee353609682f4953c4fe2c9dbdda7d2c15db3e8bb355c39b596667e71e50bdd18e7d24176dc1fe0b2736339074b2084770393b8cabf8323524

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8825.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8886.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\day1.exe

Filesize
96KB

MD5
71bb9ac16c38c3a80c5d3f804a28e4f7

SHA1
1451bcd7eba073e6ea9a18c87e0409fc325720a3

SHA256
dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c

SHA512
b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\day1.exe

Filesize
96KB

MD5
71bb9ac16c38c3a80c5d3f804a28e4f7

SHA1
1451bcd7eba073e6ea9a18c87e0409fc325720a3

SHA256
dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c

SHA512
b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjylnt5.zip

Filesize
434KB

MD5
6366b1751087ba991f1b4188a3f38486

SHA1
449fab91dcd435e62a96dc4b400671ba0460a84a

SHA256
3102600d3ad67b0e3f132bc0f8e0e66d976ba3700c3cc96459b65a87fa57c373

SHA512
e1a8eb6dcfe0732299ccf74a0e61acbd132da4abac8aad996c2ba481328c0671530a55347f694f23a01a40e2343976196fc09fdd4573ab996a8a88d8e7693b90

Download Submit
\Users\Admin\AppData\Local\Temp\day1.exe

Filesize
96KB

MD5
71bb9ac16c38c3a80c5d3f804a28e4f7

SHA1
1451bcd7eba073e6ea9a18c87e0409fc325720a3

SHA256
dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c

SHA512
b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
831KB

MD5
f4d8be409d1bd016a7b3b2580a2b90fb

SHA1
a68e1f6a9b2234f2269d9cf1fbda94124c428dbe

SHA256
d70b27121bb33012560b14a7bd597666d76193d7dc5f89e2ac5e7507240bf708

SHA512
9892cd38d77898fe7916a8810c82a377bbcb4f0c3f75a8295943fa29a5cb4daec95a1600a74614f31ec723967fd95721174042f2e54b12e52fe85202cdf052df

Download Submit
memory/524-84-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/524-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-95-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/524-73-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/524-75-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-91-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/524-89-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/928-97-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/928-96-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/928-144-0x0000000061E00000-0x0000000061EBD000-memory.dmp

Filesize
756KB

Download
memory/928-102-0x00000000007F0000-0x0000000000890000-memory.dmp

Filesize
640KB

Download
memory/928-99-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/928-92-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/928-93-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/928-98-0x00000000007F0000-0x0000000000890000-memory.dmp

Filesize
640KB

Download
memory/1412-103-0x00000000069B0000-0x0000000006AC1000-memory.dmp

Filesize
1.1MB

Download
memory/1412-101-0x00000000069B0000-0x0000000006AC1000-memory.dmp

Filesize
1.1MB

Download
memory/1412-100-0x00000000069B0000-0x0000000006AC1000-memory.dmp

Filesize
1.1MB

Download
memory/1412-90-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2428-81-0x000000013FE00000-0x000000013FE1C000-memory.dmp

Filesize
112KB

Download
memory/2428-82-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-87-0x000000001B8C0000-0x000000001B940000-memory.dmp

Filesize
512KB

Download
memory/2428-86-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-83-0x000000001B8C0000-0x000000001B940000-memory.dmp

Filesize
512KB

Download
memory/2824-65-0x0000000006550000-0x00000000065C0000-memory.dmp

Filesize
448KB

Download
memory/2824-66-0x00000000008C0000-0x000000000090C000-memory.dmp

Filesize
304KB

Download
memory/2824-64-0x0000000005DE0000-0x0000000005E62000-memory.dmp

Filesize
520KB

Download
memory/2824-80-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-0-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-2-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download
memory/2824-1-0x0000000000B70000-0x0000000000BA0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads