Malware Analysis Report

2024-10-19 08:26

Sample ID 201023-1nt6e6p87j
Target DB VIMEWORLD.txt
SHA256 b79f1eca7af5422c327e48dea7abf27af357f48694e0940b01db680c5e5f58b0
Tags
snakebot ransomware bootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b79f1eca7af5422c327e48dea7abf27af357f48694e0940b01db680c5e5f58b0

Threat Level: Known bad

The file DB VIMEWORLD.txt was found to be: Known bad.

Malicious Activity Summary

snakebot ransomware bootkit

Snakebot family

Contains SnakeBOT related strings

Modifies WinLogon to allow AutoLogon

JavaScript code in executable

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-10-23 17:20

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-10-23 17:19

Reported

2020-10-23 18:41

Platform

win10

Max time kernel

252s

Max time network

295s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DB VIMEWORLD.txt"

Signatures

Modifies WinLogon to allow AutoLogon

ransomware bootkit
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | C:\Windows\system32\LogonUI.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DB VIMEWORLD.txt"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\928fbd9dfc5f4daa9ff42ed7007f214b /t 736 /p 732

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
N/A | 52.109.88.36:443 | | tcp
N/A | 13.107.42.23:443 | | tcp
N/A | 52.109.8.21:443 | nexusrules.officeapps.live.com | tcp
N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp

Files
