Analysis Overview
SHA256
ed99bc8b8fe39945058527720e8cbc838e305706ad4598bc5ce7aaddf3572f46
Threat Level: Known bad
The file payment.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
outlook_office_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:08
Reported
2025-07-01 07:10
Platform
win10v2004-20250610-en
Max time kernel
105s
Max time network
135s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2964 set thread context of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | C:\Users\Admin\AppData\Local\Temp\payment.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.96.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/2964-0-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/2964-1-0x0000000005230000-0x00000000057D4000-memory.dmp
memory/2964-2-0x0000000004D60000-0x0000000004DF2000-memory.dmp
memory/2964-3-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/2964-4-0x0000000004F30000-0x0000000004F3A000-memory.dmp
memory/2964-5-0x0000000005000000-0x000000000509C000-memory.dmp
memory/2964-6-0x0000000006780000-0x0000000006790000-memory.dmp
memory/2964-7-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/2964-8-0x00000000060D0000-0x0000000006140000-memory.dmp
memory/3588-9-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/3588-12-0x0000000005340000-0x0000000005350000-memory.dmp
memory/3588-13-0x0000000005340000-0x0000000005350000-memory.dmp
memory/3588-14-0x00000000064D0000-0x0000000006520000-memory.dmp
memory/3588-15-0x00000000066F0000-0x00000000068B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-01 07:08
Reported
2025-07-01 07:10
Platform
win11-20250619-en
Max time kernel
101s
Max time network
116s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2768 set thread context of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | C:\Users\Admin\AppData\Local\Temp\payment.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.64.1:443 | reallyfreegeoip.org | tcp |
Files
memory/2768-0-0x0000000000B10000-0x0000000000BA2000-memory.dmp
memory/2768-1-0x0000000005C00000-0x00000000061A6000-memory.dmp
memory/2768-2-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/2768-3-0x0000000005600000-0x0000000005610000-memory.dmp
memory/2768-4-0x0000000005670000-0x000000000567A000-memory.dmp
memory/2768-5-0x0000000005970000-0x0000000005A0C000-memory.dmp
memory/2768-6-0x0000000005920000-0x0000000005930000-memory.dmp
memory/2768-7-0x0000000005600000-0x0000000005610000-memory.dmp
memory/2768-8-0x00000000083D0000-0x0000000008440000-memory.dmp
memory/1964-9-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1964-11-0x0000000005A20000-0x0000000005A30000-memory.dmp
memory/1964-12-0x0000000006EC0000-0x0000000006F10000-memory.dmp
memory/1964-13-0x00000000070E0000-0x00000000072A2000-memory.dmp
memory/1964-14-0x0000000005A20000-0x0000000005A30000-memory.dmp