Analysis Overview
SHA256
8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30
Threat Level: Known bad
The file 8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 02:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 02:42
Reported
2024-11-11 02:45
Platform
win7-20241010-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2268 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2268 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2268 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2268 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe
"C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 02:42
Reported
2024-11-11 02:45
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
139s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1260 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 1260 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 1260 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe
"C:\Users\Admin\AppData\Local\Temp\8e5e8076989cd2a90eadfdc88923448bd798c483f65a0f0de39b21d4a5cfcc30.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Network
Files