snakekeylogger | 839dd22c392ab35862cd5984c843292b9069dafef4a6b52c22fe958414c861a6

Analysis

max time kernel
124s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Size

3.5MB
MD5

ac9cbafc6040928f36391100b5e63fcc
SHA1

2d2957e0b078c2680f97b4f2e23edb1573b27a46
SHA256

839dd22c392ab35862cd5984c843292b9069dafef4a6b52c22fe958414c861a6
SHA512

ace5af9b925a3aec2ac54b8e0814b93c71cb244a8ef197a9cd4cd569e026e7125e7296c8ac254eada1f49002018c00f5568b3de38668e328219849f936c5dc44
SSDEEP

98304:enT0m9Lp46Ruq3OU/jIEeQfoR/IuOFVjUu5:ATB9dOq3FIF0wu

Score

10^/10

snakekeylogger collection discovery execution keylogger persistence spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6839394068:AAEgmde6OU-W-eNGJXPHD9JvEnnTtqhauBg/sendMessage?chat_id=6475103768

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 10 IoCs

resource	yara_rule
behavioral1/memory/2608-35-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger
behavioral1/memory/2608-34-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger
behavioral1/memory/900-54-0x0000000000DB0000-0x0000000000DD6000-memory.dmp	family_snakekeylogger
behavioral1/files/0x0008000000015e48-53.dat	family_snakekeylogger
behavioral1/memory/1688-92-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger
behavioral1/memory/1772-102-0x00000000003B0000-0x00000000003D6000-memory.dmp	family_snakekeylogger
behavioral1/memory/1688-191-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger
behavioral1/memory/1688-190-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger
behavioral1/memory/1688-193-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger
behavioral1/memory/1688-221-0x0000000000400000-0x00000000004E3000-memory.dmp	family_snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
2756	powershell.exe
1656	powershell.exe
1444	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
900	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
1816	Synaptics.exe
1688	Synaptics.exe
1772	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
1688	Synaptics.exe
1688	Synaptics.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 1816 set thread context of 1688	1816	Synaptics.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
2996	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2208	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
2756	powershell.exe
2256	powershell.exe
2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
900	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
1816	Synaptics.exe
1656	powershell.exe
1444	powershell.exe
1816	Synaptics.exe
1772	._cache_Synaptics.exe
900	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
1772	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	900	._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
Token: SeDebugPrivilege	1816	Synaptics.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1772	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2256	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	31
PID 2532 wrote to memory of 2256	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	31
PID 2532 wrote to memory of 2256	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	31
PID 2532 wrote to memory of 2256	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	31
PID 2532 wrote to memory of 2756	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	33
PID 2532 wrote to memory of 2756	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	33
PID 2532 wrote to memory of 2756	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	33
PID 2532 wrote to memory of 2756	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	33
PID 2532 wrote to memory of 2820	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	34
PID 2532 wrote to memory of 2820	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	34
PID 2532 wrote to memory of 2820	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	34
PID 2532 wrote to memory of 2820	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	34
PID 2532 wrote to memory of 2864	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	37
PID 2532 wrote to memory of 2864	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	37
PID 2532 wrote to memory of 2864	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	37
PID 2532 wrote to memory of 2864	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	37
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2532 wrote to memory of 2608	2532	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	38
PID 2608 wrote to memory of 900	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	39
PID 2608 wrote to memory of 900	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	39
PID 2608 wrote to memory of 900	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	39
PID 2608 wrote to memory of 900	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	39
PID 2608 wrote to memory of 1816	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	40
PID 2608 wrote to memory of 1816	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	40
PID 2608 wrote to memory of 1816	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	40
PID 2608 wrote to memory of 1816	2608	2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe	40
PID 1816 wrote to memory of 1656	1816	Synaptics.exe	41
PID 1816 wrote to memory of 1656	1816	Synaptics.exe	41
PID 1816 wrote to memory of 1656	1816	Synaptics.exe	41
PID 1816 wrote to memory of 1656	1816	Synaptics.exe	41
PID 1816 wrote to memory of 1444	1816	Synaptics.exe	43
PID 1816 wrote to memory of 1444	1816	Synaptics.exe	43
PID 1816 wrote to memory of 1444	1816	Synaptics.exe	43
PID 1816 wrote to memory of 1444	1816	Synaptics.exe	43
PID 1816 wrote to memory of 2996	1816	Synaptics.exe	45
PID 1816 wrote to memory of 2996	1816	Synaptics.exe	45
PID 1816 wrote to memory of 2996	1816	Synaptics.exe	45
PID 1816 wrote to memory of 2996	1816	Synaptics.exe	45
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1816 wrote to memory of 1688	1816	Synaptics.exe	47
PID 1688 wrote to memory of 1772	1688	Synaptics.exe	48
PID 1688 wrote to memory of 1772	1688	Synaptics.exe	48
PID 1688 wrote to memory of 1772	1688	Synaptics.exe	48
PID 1688 wrote to memory of 1772	1688	Synaptics.exe	48

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WIbQCONN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WIbQCONN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe"
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WIbQCONN.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WIbQCONN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2996
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1772

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
ac9cbafc6040928f36391100b5e63fcc

SHA1
2d2957e0b078c2680f97b4f2e23edb1573b27a46

SHA256
839dd22c392ab35862cd5984c843292b9069dafef4a6b52c22fe958414c861a6

SHA512
ace5af9b925a3aec2ac54b8e0814b93c71cb244a8ef197a9cd4cd569e026e7125e7296c8ac254eada1f49002018c00f5568b3de38668e328219849f936c5dc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-24_ac9cbafc6040928f36391100b5e63fcc_avoslocker_hijackloader.exe

Filesize
131KB

MD5
f439b89b60148c517b26dd8cc059d024

SHA1
636d4e35ed0fee2c47fed39f2ff1f782db15e412

SHA256
5ded84d696ac92293f24e12dfea1e8e38e540405f76b02ab3dcba9b10493607a

SHA512
cdb2b8fa1377cb1a87ca67c4fe5c925fc0fff958eab22631e4e9ab18d793c789dca061c3e5226cb363f4e650153e7050c4df7fd3e04ba4e5fac0d6eb6e16e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp

Filesize
1KB

MD5
d70e70791e10327ee717184b3b831513

SHA1
a732e4a76a9b6ef2384b206a28080754e4e27813

SHA256
3560e896b7b4198492f7be5169f82b10622c98feeaf980586af65259141c59a4

SHA512
357b0ad6cbb4408f554a84b8b4f5392415f3625810059da3c510ccf207c2f7eb7660abc39e29b962e138f49c253026e96f6671e3f3fc8386ed1e6da70eba4620

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuoyqdLb.xlsm

Filesize
21KB

MD5
b7794f78c842eb686a6a03894636371b

SHA1
12c4235ae54439b6284b838d04da13306278d6d0

SHA256
c7251c70c340c3276a285bbe254760da4bb800c245b9b49de24313c62c55ed23

SHA512
7578c90b5c99a083681a5b48c6c644a34a286a73bf05fe52af5d50df0ff587d9a65c9cd21b4a4b9e085cdd2dad056f64f62f795ada2186e357fa9bfc325b569f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuoyqdLb.xlsm

Filesize
25KB

MD5
21dff3f6d65c66a2ed2d214a4ba08feb

SHA1
f237404ab8192ae3ebf48cea000f091d4b73117c

SHA256
23f6bb1abb209ff40dbb010b395f47c3e404825f44fc950ca6a91a91a0b70715

SHA512
2de40f2bd4274aae784cc482f3132b1916c2c1d01a429a3bb62d6c20cf03944fbd2373ed6082f67feb168717deea0ee7fedeeb1b5593dafc46b27efa06e5579b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuoyqdLb.xlsm

Filesize
23KB

MD5
e4d672c3ca27b8d2fbfbd46a31297bf4

SHA1
b2d77b790067e68fb789d3287c89dbaeb4a39b40

SHA256
624d990670c40476bc84342cc558003af930442ca1c507ac16dfc82ed119b1e9

SHA512
2cfb0f97328c87b6d3af025a81c8e7cc577f78be661cf54c7065d28060f2fbb7138e4a0a7f5be0218d3ce188759b9601ad2b71098c0701bf3f1972db979e6e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuoyqdLb.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuoyqdLb.xlsm

Filesize
21KB

MD5
7d65ce75eefb2fe5b1efc113c9535e57

SHA1
62d32762d490652c7c9b6249a669b558cb04dc7f

SHA256
895be7417760e7bc925d7f1ef7cfe36ee0a336421ac4bcf37adedf6ce28d402f

SHA512
a008be4d9d28a47038c57e224a2e7b8e262649b6f439ff1e5127675b064427589e58a8e0771b23876c7d58c2567317ade99c0028458d7d1880f3a7bee91e15a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuoyqdLb.xlsm

Filesize
26KB

MD5
596e2f67b071ec7c11336b79e32f4b92

SHA1
caac59cf6bf141bacaee7a09b0bbc7ad8e403297

SHA256
baf25065db3ef71e912ef6b3ed8f604b62e14f3e2ee82d3ba86b48a3a8442396

SHA512
c5d4406c082ccb09d19efa65d62b22d1e2cf8cf59b45a834226ce25a7ed58cf79761432d23319e8243562672e7c1885f91a6f640a4afce42b9870b1907ba51be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QTZIGUWFDMIOVD35J4QW.temp

Filesize
7KB

MD5
8d499bcd4a4d202212b8e84e80148a74

SHA1
a5fa7251fb418475a353671f3824d7605b6f3ac0

SHA256
a36166125dcf8e75cbf853dc4f7c3e2bbc8b9e083e10e8b2355e311396e3a52d

SHA512
223658949f7feb8eee7a1abdda4b4e4db2cb0923cf2c3bf2b461c38a096f0adedff67432681733bc8ec43ded2211477ba40d637c22d148e2e0d4e16d4ca16a7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4501af693e8b9770bdce3b4155bd8abd

SHA1
489db1592954bb746e56f4c43956cb1b45e9d5fa

SHA256
238e6631080ccc0b6efa09a678060d45f924d83dce1966d8c1108992beba10d6

SHA512
babd102348175ec961e7d42d9e3e469a9e099403dc981c03303e471a0e024c5b8e0ca0124a8140fb44a927e16303887b2dd833609bf595ff8bbac68ab39fd21e

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/900-54-0x0000000000DB0000-0x0000000000DD6000-memory.dmp

Filesize
152KB

Download
memory/1688-92-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1688-221-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1688-193-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1688-190-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1688-191-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1688-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1772-102-0x00000000003B0000-0x00000000003D6000-memory.dmp

Filesize
152KB

Download
memory/1816-61-0x0000000000F70000-0x00000000012F6000-memory.dmp

Filesize
3.5MB

Download
memory/2208-192-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2208-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2532-38-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-4-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000B50000-0x0000000000ED6000-memory.dmp

Filesize
3.5MB

Download
memory/2532-2-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-3-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2532-0-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2532-5-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-6-0x00000000082A0000-0x00000000083C6000-memory.dmp

Filesize
1.1MB

Download
memory/2608-21-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-35-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-31-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-34-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-24-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-25-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-19-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-27-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2608-29-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download