snakekeylogger | a580d66b0d0957cfb2c06d6ac3cfa1bc1965c94fcdc553f7580d3c5275f74b36

Analysis

max time kernel
144s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mensajes en cuarentena.zip
Size

636KB
MD5

17efe4e64bf28bfb62ba67da84444d15
SHA1

9a5c1fb1145dfd5008ddbe4cdbb167525f2e11c5
SHA256

a580d66b0d0957cfb2c06d6ac3cfa1bc1965c94fcdc553f7580d3c5275f74b36
SHA512

a4d4bfcaead62bc535abe982799862dd8b342958b524e7d559c26f382ee1b71cc1ae00bdfcb7e65519be59e36a60ab42e4a34913cf35359af98fa72df33fd266
SSDEEP

12288:+ZGeuKUjt2oQqu6fX0iL5dQzbrGR4T3gD4pBtpRoD99El81arZk:+Z3s22Xv1m84A4rt3opaOsdk

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7854764352:AAGsvrx8n7ByYi4c9ksbK9NcQWi81dzmeE8/sendMessage?chat_id=7894030394

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/1248-240-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1248-238-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1248-236-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1248-233-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1248-231-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1648	powershell.exe
1244	powershell.exe
1844	powershell.exe
2100	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2328	FACTURAS 242110.exe
2572	FACTURAS 242110.exe
1248	FACTURAS 242110.exe
1480	FACTURAS 242110.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe
Key queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	checkip.dyndns.org

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
2700	verclsid.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 1248	2328	FACTURAS 242110.exe	53
PID 2572 set thread context of 1480	2572	FACTURAS 242110.exe	60

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURAS 242110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURAS 242110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURAS 242110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURAS 242110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ = "_FormNameRuleCondition"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ = "ApplicationEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\ = "_MailModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ = "_UserDefinedProperty"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ = "OlkDateControlEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ = "_OlkTimeZoneControl"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ = "_OlkInfoBar"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ = "_DRecipientControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CGMI0EW2\FACTURAS 242110.GZ:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CGMI0EW2\FACTURAS 242110 (2).GZ\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\Downloads\FACTURAS 242110.GZ\:Zone.Identifier:$DATA	OUTLOOK.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
596	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2808	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1248	FACTURAS 242110.exe
1244	powershell.exe
1844	powershell.exe
1248	FACTURAS 242110.exe
2100	powershell.exe
1480	FACTURAS 242110.exe
1648	powershell.exe
1480	FACTURAS 242110.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2808	OUTLOOK.EXE
1492	rundll32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	1764	7zFM.exe
Token: 35	1764	7zFM.exe
Token: SeSecurityPrivilege	1764	7zFM.exe
Token: SeRestorePrivilege	2188	7zG.exe
Token: 35	2188	7zG.exe
Token: SeSecurityPrivilege	2188	7zG.exe
Token: SeSecurityPrivilege	2188	7zG.exe
Token: SeRestorePrivilege	1236	7zFM.exe
Token: 35	1236	7zFM.exe
Token: SeSecurityPrivilege	1236	7zFM.exe
Token: SeDebugPrivilege	1248	FACTURAS 242110.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1480	FACTURAS 242110.exe
Token: SeDebugPrivilege	1648	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1764	7zFM.exe
1764	7zFM.exe
2808	OUTLOOK.EXE
2188	7zG.exe
1236	7zFM.exe
1236	7zFM.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE
2808	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1492	2392	rundll32.exe	39
PID 2392 wrote to memory of 1492	2392	rundll32.exe	39
PID 2392 wrote to memory of 1492	2392	rundll32.exe	39
PID 2328 wrote to memory of 1244	2328	FACTURAS 242110.exe	47
PID 2328 wrote to memory of 1244	2328	FACTURAS 242110.exe	47
PID 2328 wrote to memory of 1244	2328	FACTURAS 242110.exe	47
PID 2328 wrote to memory of 1244	2328	FACTURAS 242110.exe	47
PID 2328 wrote to memory of 1844	2328	FACTURAS 242110.exe	49
PID 2328 wrote to memory of 1844	2328	FACTURAS 242110.exe	49
PID 2328 wrote to memory of 1844	2328	FACTURAS 242110.exe	49
PID 2328 wrote to memory of 1844	2328	FACTURAS 242110.exe	49
PID 2328 wrote to memory of 3012	2328	FACTURAS 242110.exe	50
PID 2328 wrote to memory of 3012	2328	FACTURAS 242110.exe	50
PID 2328 wrote to memory of 3012	2328	FACTURAS 242110.exe	50
PID 2328 wrote to memory of 3012	2328	FACTURAS 242110.exe	50
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2328 wrote to memory of 1248	2328	FACTURAS 242110.exe	53
PID 2572 wrote to memory of 2100	2572	FACTURAS 242110.exe	54
PID 2572 wrote to memory of 2100	2572	FACTURAS 242110.exe	54
PID 2572 wrote to memory of 2100	2572	FACTURAS 242110.exe	54
PID 2572 wrote to memory of 2100	2572	FACTURAS 242110.exe	54
PID 2572 wrote to memory of 1648	2572	FACTURAS 242110.exe	56
PID 2572 wrote to memory of 1648	2572	FACTURAS 242110.exe	56
PID 2572 wrote to memory of 1648	2572	FACTURAS 242110.exe	56
PID 2572 wrote to memory of 1648	2572	FACTURAS 242110.exe	56
PID 2572 wrote to memory of 596	2572	FACTURAS 242110.exe	58
PID 2572 wrote to memory of 596	2572	FACTURAS 242110.exe	58
PID 2572 wrote to memory of 596	2572	FACTURAS 242110.exe	58
PID 2572 wrote to memory of 596	2572	FACTURAS 242110.exe	58
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60
PID 2572 wrote to memory of 1480	2572	FACTURAS 242110.exe	60

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURAS 242110.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mensajes en cuarentena.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1764

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\Admin\Desktop\1358e6bc-b4bc-4137-1abb-08dcf1ce0cdc\5d35cc85-5ee1-7491-3718-2a6b84dfde4e.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4126:86:7zEvent5728
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2188

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\FACTURAS 242110.GZ
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\FACTURAS 242110.GZ
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1492

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\FACTURAS 242110.GZ"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1236

C:\Users\Admin\Desktop\FACTURAS 242110.exe
"C:\Users\Admin\Desktop\FACTURAS 242110.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\FACTURAS 242110.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SWQOKpt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SWQOKpt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3012
- C:\Users\Admin\Desktop\FACTURAS 242110.exe
  "C:\Users\Admin\Desktop\FACTURAS 242110.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248

C:\Users\Admin\Desktop\FACTURAS 242110.exe
"C:\Users\Admin\Desktop\FACTURAS 242110.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\FACTURAS 242110.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SWQOKpt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SWQOKpt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:596
- C:\Users\Admin\Desktop\FACTURAS 242110.exe
  "C:\Users\Admin\Desktop\FACTURAS 242110.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1480

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:2700

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
1⤵
PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
554b8c1352ebd1f01335f9a13e059859

SHA1
2e950d7cc7425363d7bf2f142669320833c40727

SHA256
7543a9d6b67dcce1405d3952a81254cbb0be25ab7d83a653cee34eb07b76dc94

SHA512
a0e6ab814664d3d77da2c081d5e11c40966ddca212cf00c4b2ffcf478623b79e80869a71ee9913052ffeb18d2d7fe2c2c9f63a2386c8b9c9caae3f2e53703afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
237168bc9e7f306f442b35dacf2bb15f

SHA1
774dd2d580ef76f870d5a350807fbffe8d2b16b1

SHA256
ac21519562040c99507b872de615d0a3f0155e5f988414357c7f47b49b101624

SHA512
08978618c0f93c4099d70ffedce6b183c450d86dc033f60be2aba09c708b35b1bb372601bd84a8ad31d7dc1d34ea57a501afb8995716330915871c9b47431bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
cc251b799c5f1a2b78203806012f7349

SHA1
c855815bd083a8b93883066305b83f2a26011370

SHA256
15cad9a3c6b5543329bec21f1ae880721940c1b0d322dcf5fd93f997973255b1

SHA512
72bc05fb27c341097318422af7247d824e94c4b00fbe4ecd826e1901b346c1374c5c5419b1c65d156bec2ec9fe6e88a5d563866089eaaa901be5758f767d6c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CGMI0EW2\FACTURAS 242110.GZ

Filesize
542KB

MD5
e997cb0dbd68837c1dd714c56aeb31c3

SHA1
1a5940c2c255833f00f2e3d402d92d8f72b4dd57

SHA256
27e0cb787fc25fd32e008cfd5d702faf0ef9a955634bd5a11cbb699ecd7c5a59

SHA512
9dd681beff3230ae02af651aa4e7b8dba09254acf0bf17ad159a371b5054ed1d3ce5a4de918abadf8c8222774b136e5c170c81213df3480517c749fa7b691c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp

Filesize
1KB

MD5
812676b600ca6bc5ca282055e707843a

SHA1
54c629217a0477f977652ca2a1959fcff78d7676

SHA256
53408853714b991e6b2657f56fcd9aa66f8dd1f9cb873cdc0c4a02f31a9b19ce

SHA512
0004f40ec26bce053bf97f61e9ee43db4555ce2f0437005de85d3e529c2f825db077fc318391d99ef7ca06bbeaf7221b5a84b7d4117d4ec971130e84b8c09b95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JWG3S2GDXGAX1OHPXPEG.temp

Filesize
7KB

MD5
00390d4723a16a4d3b215539aa62171f

SHA1
992c16b0000316f1a0c01ed5ac3476ba65c54bce

SHA256
c5ad6c4acb94d417bd5ec8d6f356a57a26965ca842eca1ca706c6b60bb2e86ff

SHA512
59715c46cadf0c1323bd9342369e668d6d5d54dabadaeb63d368b43973998a9571ca9d88af4c3d49c4b8477d136e8718913e2ffbe903270a6ba3c67b605232f9

Download Submit
C:\Users\Admin\Desktop\1358e6bc-b4bc-4137-1abb-08dcf1ce0cdc\5d35cc85-5ee1-7491-3718-2a6b84dfde4e.eml

Filesize
857KB

MD5
a372f413257f66ac4906d0298bde1115

SHA1
8deb41cda642b2e28eca7e9a4aa1b6a45828cf15

SHA256
3bf5e137c1a7795cc050617b1aed8cfe9d47976c7a5c1b265bb790d9281d3f3f

SHA512
84a5662f0035ca06f9958484f58e488b33dd815af2c15308a8346237d6872370c1997a4de1a16ef8fcb163391436eb0c766fcaef332df5bfb4eb35820d858963

Download Submit
C:\Users\Admin\Desktop\FACTURAS 242110.exe

Filesize
585KB

MD5
c194135acbddd64217e91593f17e72cc

SHA1
d43451ee1f84a3b3979ba8e9f0dd3da2fd5e8aa3

SHA256
248aa349d2a0aa5d99273786ecf840f51c199ce965333fc4e700b1eb1f1db3b0

SHA512
04274cab742f83e0fd1d9ec8d706a02610893495d0d9f5896eb87ec1169b897c81252b49d822f0caf431b10ff9aa31ddeefab0b3a4362ef96dc07306ca046aa8

Download Submit
C:\Users\Admin\Downloads\FACTURAS 242110.GZ:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1248-238-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-229-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-240-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-236-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-235-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-233-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-231-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-227-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1648-267-0x00000000057A0000-0x000000000582D000-memory.dmp

Filesize
564KB

Download
memory/2100-266-0x0000000005570000-0x00000000055FD000-memory.dmp

Filesize
564KB

Download
memory/2328-214-0x0000000004F50000-0x0000000004FB8000-memory.dmp

Filesize
416KB

Download
memory/2328-211-0x0000000001130000-0x00000000011C8000-memory.dmp

Filesize
608KB

Download
memory/2328-212-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2808-193-0x000000000ABE0000-0x000000000ABE2000-memory.dmp

Filesize
8KB

Download
memory/2808-2-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download