Analysis Overview
SHA256
b79f1eca7af5422c327e48dea7abf27af357f48694e0940b01db680c5e5f58b0
Threat Level: Known bad
The file DB VIMEWORLD.txt was found to be: Known bad.
Malicious Activity Summary
Snakebot family
Contains SnakeBOT related strings
Modifies WinLogon to allow AutoLogon
JavaScript code in executable
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-10-23 17:20
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-23 17:19
Reported
2020-10-23 18:41
Platform
win10
Max time kernel
252s
Max time network
295s
Command Line
Signatures
Modifies WinLogon to allow AutoLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | C:\Windows\system32\LogonUI.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DB VIMEWORLD.txt"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\928fbd9dfc5f4daa9ff42ed7007f214b /t 736 /p 732
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.88.36:443 | N/A | tcp |
| N/A | 13.107.42.23:443 | N/A | tcp |
| N/A | 52.109.8.21:443 | nexusrules.officeapps.live.com | tcp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
memory/4064-0-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-1-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-2-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-3-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-4-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-5-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-6-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-7-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-8-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-9-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-10-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-11-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-12-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-13-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-14-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-15-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-16-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-17-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-18-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-19-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-20-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-21-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-22-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-23-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-24-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-25-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-26-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-27-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-28-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-29-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-30-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-31-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-32-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-33-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-34-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-35-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-36-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-37-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-38-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-40-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-39-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-41-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-42-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-43-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-45-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-46-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-47-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-48-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-49-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-50-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-44-0x00000256305A0000-0x00000256305A1000-memory.dmp
memory/4064-52-0x0000025630940000-0x0000025630941000-memory.dmp