snakekeylogger | d0ff1050e74986eb30da03e8de2b8d6d9300836849615521c40520def4916473

General

Target

03e0c87acbd555226e4510cb8e5034f5.exe
Size

1.5MB
MD5

03e0c87acbd555226e4510cb8e5034f5
SHA1

7cae7eb46c366fe9a9f72fadb91abe7386fd4d00
SHA256

d0ff1050e74986eb30da03e8de2b8d6d9300836849615521c40520def4916473
SHA512

0938dbe7d04914ab5888061e56065688acc3d0120f88e981a8f0639d994866d88643e84a41cf109347e2344c3dbc2baa5bcdd15f467f5048e77317f102306a20
SSDEEP

24576:1yhXW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+huR:o0iecHCNvP8EOShNQuiNB/e

Score

10^/10

snakekeylogger evasion keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.manavgatgida.com
Port:
587
Username:
[email protected]
Password:
shaco1234,
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/344-37-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/344-41-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/344-39-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/344-33-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/344-31-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 03e0c87acbd555226e4510cb8e5034f5.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 03e0c87acbd555226e4510cb8e5034f5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	03e0c87acbd555226e4510cb8e5034f5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	03e0c87acbd555226e4510cb8e5034f5.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	03e0c87acbd555226e4510cb8e5034f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	03e0c87acbd555226e4510cb8e5034f5.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 freegeoip.app
4 checkip.dyndns.org
8 freegeoip.app

flow	ioc
9	freegeoip.app
4	checkip.dyndns.org
8	freegeoip.app

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	03e0c87acbd555226e4510cb8e5034f5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	03e0c87acbd555226e4510cb8e5034f5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe

description pid process target process

PID 1720 set thread context of 344 1720 03e0c87acbd555226e4510cb8e5034f5.exe 03e0c87acbd555226e4510cb8e5034f5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1188 344 WerFault.exe 03e0c87acbd555226e4510cb8e5034f5.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

792 schtasks.exe

description	pid	process	target process
PID 1720 set thread context of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe

pid	pid_target	process	target process
1188	344	WerFault.exe	03e0c87acbd555226e4510cb8e5034f5.exe

pid	process
792	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	03e0c87acbd555226e4510cb8e5034f5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	03e0c87acbd555226e4510cb8e5034f5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	03e0c87acbd555226e4510cb8e5034f5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	03e0c87acbd555226e4510cb8e5034f5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe03e0c87acbd555226e4510cb8e5034f5.exepowershell.exe

pid process

2512 powershell.exe
1164 powershell.exe
344 03e0c87acbd555226e4510cb8e5034f5.exe
2828 powershell.exe

pid	process
2512	powershell.exe
1164	powershell.exe
344	03e0c87acbd555226e4510cb8e5034f5.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

03e0c87acbd555226e4510cb8e5034f5.exepowershell.exepowershell.exe03e0c87acbd555226e4510cb8e5034f5.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1720	03e0c87acbd555226e4510cb8e5034f5.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	344	03e0c87acbd555226e4510cb8e5034f5.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

03e0c87acbd555226e4510cb8e5034f5.exe03e0c87acbd555226e4510cb8e5034f5.exe

description	pid	process	target process
PID 1720 wrote to memory of 2512	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 2512	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 2512	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 2512	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 1164	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 1164	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 1164	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 1164	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 792	1720	03e0c87acbd555226e4510cb8e5034f5.exe	schtasks.exe
PID 1720 wrote to memory of 792	1720	03e0c87acbd555226e4510cb8e5034f5.exe	schtasks.exe
PID 1720 wrote to memory of 792	1720	03e0c87acbd555226e4510cb8e5034f5.exe	schtasks.exe
PID 1720 wrote to memory of 792	1720	03e0c87acbd555226e4510cb8e5034f5.exe	schtasks.exe
PID 1720 wrote to memory of 2828	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 2828	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 2828	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 2828	1720	03e0c87acbd555226e4510cb8e5034f5.exe	powershell.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 1720 wrote to memory of 344	1720	03e0c87acbd555226e4510cb8e5034f5.exe	03e0c87acbd555226e4510cb8e5034f5.exe
PID 344 wrote to memory of 1188	344	03e0c87acbd555226e4510cb8e5034f5.exe	WerFault.exe
PID 344 wrote to memory of 1188	344	03e0c87acbd555226e4510cb8e5034f5.exe	WerFault.exe
PID 344 wrote to memory of 1188	344	03e0c87acbd555226e4510cb8e5034f5.exe	WerFault.exe
PID 344 wrote to memory of 1188	344	03e0c87acbd555226e4510cb8e5034f5.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe
"C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JDuIzwmQvpoe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JDuIzwmQvpoe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3302.tmp"
2⤵
- Creates scheduled task(s)
PID:792

C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe
"C:\Users\Admin\AppData\Local\Temp\03e0c87acbd555226e4510cb8e5034f5.exe"
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1668
3⤵
- Program crash
PID:1188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JDuIzwmQvpoe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3302.tmp

Filesize
1KB

MD5
ab3fcf2238fef30d28c450e14d3a311c

SHA1
6a3c2de843152792188ada3d703054067652ba0e

SHA256
93f610eb120e68a9bf98524dea3f75dfd3318ae6e8a0fa9728d678d85e88c311

SHA512
eeb6a75a2ea985e7e1d15bdc445a19b71516206ebd99eca255ffc357687b1fa2dae94920cb4060ed8f00915d09867cace5e32ebcf3f630b590bb6f750b972c9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y0N7JLHXHEWSQHZ9O64H.temp

Filesize
7KB

MD5
af47eb406dcbd2bb65a9b36971cf8a6d

SHA1
b37188fac6e38c1e41c0f0290b3791d66f9138c6

SHA256
faeead1e40c61c0bd39c1aeb6ff4673bcd1f31451fe8d645dbf5646e1bc53ffd

SHA512
6bd0e1038317a92dc49a3efc8a2e546dc6c227bd155d3a203c4c365c77b76e035c15cbdac51a92b5eb080e30c1a47c0ba42069fe3d0d340e0c8bfbb70a84c3a8

Download Submit
memory/344-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-43-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/344-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/344-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-45-0x00000000043A0000-0x00000000043E0000-memory.dmp

Filesize
256KB

Download
memory/344-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/344-71-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/344-72-0x00000000043A0000-0x00000000043E0000-memory.dmp

Filesize
256KB

Download
memory/344-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1164-25-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-24-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/1164-28-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-56-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-6-0x0000000000780000-0x00000000007E6000-memory.dmp

Filesize
408KB

Download
memory/1720-42-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-7-0x0000000000960000-0x0000000000986000-memory.dmp

Filesize
152KB

Download
memory/1720-5-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/1720-4-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-3-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1720-2-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/1720-0-0x0000000000120000-0x00000000002A0000-memory.dmp

Filesize
1.5MB

Download
memory/2512-15-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-23-0x0000000002990000-0x00000000029D0000-memory.dmp

Filesize
256KB

Download
memory/2512-54-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-22-0x0000000002990000-0x00000000029D0000-memory.dmp

Filesize
256KB

Download
memory/2512-21-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-52-0x0000000001C50000-0x0000000001C90000-memory.dmp

Filesize
256KB

Download
memory/2828-51-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-53-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-55-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-50-0x0000000001C50000-0x0000000001C90000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads