snakekeylogger | 759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe
Size

1.2MB
MD5

f4c48bbe6cde1a682287a9753ded114c
SHA1

c8fdfaeb6ab3cbb81b4a67e1f42c55c0b9b37ae8
SHA256

759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef
SHA512

7102455b6983167366e5d8a72c3fcd219312c89ae1eba825014d08d9c18dbdf418b4187f3954957d9497634b30f840420cb7b5a841adcc6561b1fd3ba4e51f55
SSDEEP

24576:QqDEvCTbMWu7rQYlBQcBiT6rprG8aIw7u9tOtIjVnx4Zpsh:QTvC/MTQYxsWR7aI99tOtIjRa

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4580-47-0x0000000005090000-0x00000000050A0000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-45-0x0000000002A90000-0x0000000002ACA000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-50-0x00000000050E0000-0x0000000005118000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-52-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-54-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-51-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-56-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-58-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-60-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-62-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-64-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-66-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-68-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-70-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-74-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-72-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-76-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-78-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-80-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-82-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-94-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-92-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-96-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-90-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-100-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-98-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-102-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-88-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-106-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-104-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-110-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-108-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-86-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-84-0x00000000050E0000-0x0000000005113000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-640-0x0000000005090000-0x00000000050A0000-memory.dmp	family_snakekeylogger
behavioral2/memory/4580-645-0x0000000005090000-0x00000000050A0000-memory.dmp	family_snakekeylogger

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4580-45-0x0000000002A90000-0x0000000002ACA000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-50-0x00000000050E0000-0x0000000005118000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-52-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-54-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-51-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-56-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-58-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-60-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-62-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-64-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-66-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-68-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-70-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-74-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-72-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-76-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-78-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-80-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-82-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-94-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-92-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-96-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-90-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-100-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-98-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-102-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-88-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-106-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-104-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-110-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-108-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-86-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4580-84-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing many email and collaboration clients. Observed in information stealers 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4580-45-0x0000000002A90000-0x0000000002ACA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-50-0x00000000050E0000-0x0000000005118000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-52-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-54-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-51-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-56-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-58-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-60-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-62-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-64-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-66-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-68-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-70-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-74-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-72-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-76-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-78-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-80-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-82-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-94-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-92-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-96-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-90-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-100-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-98-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-102-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-88-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-106-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-104-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-110-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-108-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-86-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/4580-84-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables with potential process hoocking 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4580-45-0x0000000002A90000-0x0000000002ACA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-50-0x00000000050E0000-0x0000000005118000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-52-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-54-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-51-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-56-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-58-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-60-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-62-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-64-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-66-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-68-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-70-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-74-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-72-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-76-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-78-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-80-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-82-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-94-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-92-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-96-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-90-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-100-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-98-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-102-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-88-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-106-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-104-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-110-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-108-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-86-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
behavioral2/memory/4580-84-0x00000000050E0000-0x0000000005113000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 2 IoCs

Processes:

name.exename.exe

pid process

4352 name.exe
5024 name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
4352	name.exe
5024	name.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 checkip.dyndns.org

flow	ioc
24	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 5024 set thread context of 4580 5024 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4580 RegSvcs.exe
4580 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

name.exename.exe

pid process

4352 name.exe
5024 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4580 RegSvcs.exe

description	pid	process	target process
PID 5024 set thread context of 4580	5024	name.exe	RegSvcs.exe

pid	process
4580	RegSvcs.exe
4580	RegSvcs.exe

pid	process
4352	name.exe
5024	name.exe

description	pid	process
Token: SeDebugPrivilege	4580	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exename.exename.exe

pid	process
3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe
3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe
4352	name.exe
4352	name.exe
5024	name.exe
5024	name.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exename.exename.exe

pid	process
3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe
3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe
4352	name.exe
4352	name.exe
5024	name.exe
5024	name.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exename.exename.exe

description	pid	process	target process
PID 3972 wrote to memory of 4352	3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe	name.exe
PID 3972 wrote to memory of 4352	3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe	name.exe
PID 3972 wrote to memory of 4352	3972	759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe	name.exe
PID 4352 wrote to memory of 920	4352	name.exe	RegSvcs.exe
PID 4352 wrote to memory of 920	4352	name.exe	RegSvcs.exe
PID 4352 wrote to memory of 920	4352	name.exe	RegSvcs.exe
PID 4352 wrote to memory of 5024	4352	name.exe	name.exe
PID 4352 wrote to memory of 5024	4352	name.exe	name.exe
PID 4352 wrote to memory of 5024	4352	name.exe	name.exe
PID 5024 wrote to memory of 4580	5024	name.exe	RegSvcs.exe
PID 5024 wrote to memory of 4580	5024	name.exe	RegSvcs.exe
PID 5024 wrote to memory of 4580	5024	name.exe	RegSvcs.exe
PID 5024 wrote to memory of 4580	5024	name.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe
"C:\Users\Admin\AppData\Local\Temp\759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\759b8eeb19d732283ec91e12f01836653eb69f384fb2cab4072e67dcac4748ef.exe"
    3⤵
    PID:920
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut9673.tmp

Filesize
224KB

MD5
69f265b76616f1ebd2fea2383159d1d5

SHA1
1793d620ff21de7d330847f690315f62c36e4fa2

SHA256
338b5750c5364d706fe277c65dd0ed6a2588818bcb899a70cfc749e7f3e6311b

SHA512
d2425b28bd80f511dd7332869e45570e820c0943cf97711e92a8756f9161709fb480994ad99aa6196126756d125657997b6148780a01e8257533cd05c72f99f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9684.tmp

Filesize
9KB

MD5
dcdf3cfeda05cfc27c0b2bd0f778f224

SHA1
9d4f9401ead6d0156c5800250504d72231dfe632

SHA256
3aedfcf427627d9fa5979687fcb4d220539e54eeb4756f3409b01491afbda5a2

SHA512
660785a28292b588d2ac53bb36d7c7f116b59643aaec8d454a50047cc1313ce138203d8aa785b2b6aab3551283752311ebadc4b3118a450af73d181fe090ced3

Download Submit
C:\Users\Admin\AppData\Local\Temp\flexuoseness

Filesize
29KB

MD5
fc4f122ecc2dab569ae91a9b0443b2ef

SHA1
cda785611b96033085d6753d1c29c7e116bbe5f7

SHA256
703ce1ff569d222752520feb296a1f0d16f5eb0b22709b7135967d64ad07fa60

SHA512
614cc46d581b0f3b15ab7610e19d0e84c8a20d080a4682970d3f163e553fb8fe305211de13c7f910b35c878c241b54d1543d3b927f13da9756dae0db39b03048

Download Submit
C:\Users\Admin\AppData\Local\Temp\horrify

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\horrify

Filesize
224KB

MD5
fc08bdf2f36992f8cdb2f188710805b8

SHA1
10437e27f96b61e494e5788807819a15e2401187

SHA256
8bbb10084fbe292e3f09bd1113ee832028b1dad995f563e96c98a7da4433bef3

SHA512
e30f9ce9008c4c0003d225e3532040e10558ac90c0cf84b96672815cb52c2f4ee659f26acb287d50b65433e4f435bf9b24e16cea06f1fa9f5ff674e4f5cfaa3b

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
106.2MB

MD5
66545f575e99dd22778fb2e0d44bb726

SHA1
d61ac78fb650c3b00a69b5f250fe9b2f1c7c4935

SHA256
37e856954aea172217466399c708f5d0134ef37128bde28f6db657ac6096d3d2

SHA512
57ddb2c92cd400388f3bcf42f8d0587483b9bfd10bf4620842db7b3cf45e24a40c1e56c14d971aca3dce74b39102d993cd10535097020289a817f6891704f9ab

Download Submit
memory/3972-10-0x0000000001E60000-0x0000000001E64000-memory.dmp

Filesize
16KB

Download
memory/4580-76-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-94-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-43-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4580-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4580-46-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4580-47-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-45-0x0000000002A90000-0x0000000002ACA000-memory.dmp

Filesize
232KB

Download
memory/4580-48-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-49-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4580-50-0x00000000050E0000-0x0000000005118000-memory.dmp

Filesize
224KB

Download
memory/4580-52-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-54-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-51-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-56-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-58-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-60-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-62-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-64-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-66-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-68-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-70-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-74-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-72-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-41-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4580-78-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-80-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-82-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-42-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4580-92-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-96-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-90-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-100-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-98-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-102-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-88-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-106-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-104-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-110-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-108-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-86-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-84-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/4580-639-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/4580-640-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-641-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4580-642-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/4580-643-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-644-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-645-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-646-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4580-647-0x00000000063C0000-0x0000000006410000-memory.dmp

Filesize
320KB

Download
memory/4580-648-0x00000000065E0000-0x00000000067A2000-memory.dmp

Filesize
1.8MB

Download
memory/4580-649-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/4580-650-0x0000000006470000-0x000000000647A000-memory.dmp

Filesize
40KB

Download