Analysis Overview
SHA256
246fb765947ed62ef616f5f714642ff0db639983582c0fa2cbab9ad251669b78
Threat Level: Known bad
The file FDA_certs.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Snakebot family
Contains SnakeBOT related strings
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:17
Platform
win7v20201028
Max time kernel
125s
Max time network
133s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2036 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe
"C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXAjzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21D3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | kmt.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | kmt-2.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | kmt.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | kmt-2.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
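The signatures, process tree and network table of this detonation describe a single chain: a binary running from the user's Temp directory spawns schtasks.exe to import a task definition from a temp file, spawns MSBuild.exe from the .NET 2.0 framework directory and writes that child's thread context (the hollowing pattern behind the "Suspicious use of SetThreadContext" hit), after which traffic goes to two DuckDNS names resolving to 192.169.69.25 on TCP 3039 (and, in the behavioral2 run, to 85.187.154.178 on TCP 587, the SMTP submission port). The script below is an added detection example written for this page; it is not code from the report or the sandbox that produced it. Its event records are constructed to mirror the report's rows, using the report's own paths, PIDs 2036 and 1972, task name, domains and endpoints; the field names are the script's own schema rather than a vendor log format, and the PIDs of schtasks.exe and the parent, and the attribution of the network events to the hollowed MSBuild.exe process, are assumptions because the report does not state them.

```python
"""Detection rules for the FDA_certs.exe behaviour chain (added example).

EVENTS is CONSTRUCTED telemetry mirroring the report; the schema is this
script's own. PIDs 1928/1760 and attributing network records to pid 1972
are assumptions, the report does not give them.
"""
import re

# Directories a legitimate installer-signed binary has no business running from.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)

# Indicators copied from the report's network tables.
IOC_DOMAINS = {"kmt.duckdns.org", "kmt-2.duckdns.org"}
IOC_ENDPOINTS = {"192.169.69.25:3039", "85.187.154.178:587"}
DYNDNS_SUFFIXES = (".duckdns.org",)
COMMON_PORTS = {"53", "80", "443"}

EVENTS = [  # constructed, modelled on the behavioral1 detonation
    {"event": "process_create", "pid": 2036, "ppid": 1760,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe"'},
    {"event": "process_create", "pid": 1928, "ppid": 2036,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXAjzs" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp21D3.tmp"'},
    {"event": "process_create", "pid": 1972, "ppid": 2036,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"event": "set_thread_context", "pid": 2036, "target_pid": 1972},
    {"event": "dns_query", "pid": 1972, "domain": "kmt.duckdns.org"},
    {"event": "net_connect", "pid": 1972, "domain": "kmt.duckdns.org",
     "dst": "192.169.69.25:3039"},
    {"event": "net_connect", "pid": 1972, "domain": "", "dst": "85.187.154.178:587"},
    # Benign noise so the rules have something to ignore.
    {"event": "process_create", "pid": 3000, "ppid": 1760,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"event": "dns_query", "pid": 3000, "domain": "www.google.com"},
    {"event": "net_connect", "pid": 3000, "domain": "www.google.com",
     "dst": "172.217.20.100:443"},
]


def _processes(events):
    """Index process_create records by pid."""
    return {e["pid"]: e for e in events if e["event"] == "process_create"}


def detect_hollowing(events):
    """Thread-context write from a user-writable-path binary into a child it spawned."""
    procs = _processes(events)
    hits = []
    for e in events:
        if e["event"] != "set_thread_context":
            continue
        src, tgt = procs.get(e["pid"]), procs.get(e["target_pid"])
        if src and tgt and tgt["ppid"] == e["pid"] and USER_WRITABLE.search(src["image"]):
            hits.append({"rule": "set_thread_context_into_child", "src": e["pid"],
                         "target": e["target_pid"], "target_image": tgt["image"]})
    return hits


def detect_schtasks_persistence(events):
    """schtasks /Create importing its task definition (/XML) from a user-writable path."""
    hits = []
    for e in events:
        if e["event"] != "process_create" or not e["image"].lower().endswith("schtasks.exe"):
            continue
        cmd = e["cmdline"]
        xml = re.search(r'/XML\s+"([^"]+)"', cmd, re.I)
        tn = re.search(r'/TN\s+"([^"]+)"', cmd, re.I)
        if "/create" in cmd.lower() and xml and USER_WRITABLE.search(xml.group(1)):
            hits.append({"rule": "schtasks_xml_from_user_path", "pid": e["pid"],
                         "task": tn.group(1) if tn else None, "xml": xml.group(1)})
    return hits


def detect_c2(events):
    """Network records that hit a known IOC, a dynamic-DNS name or a non-standard port."""
    hits = []
    for e in events:
        if e["event"] not in ("dns_query", "net_connect"):
            continue
        dom, dst = e.get("domain", ""), e.get("dst", "")
        reasons = []
        if dom in IOC_DOMAINS or dst in IOC_ENDPOINTS:
            reasons.append("known_ioc")
        if dom.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic_dns")
        if dst and dst.rsplit(":", 1)[1] not in COMMON_PORTS:
            reasons.append("nonstandard_port")
        if reasons:
            hits.append({"rule": "c2", "pid": e["pid"], "domain": dom,
                         "dst": dst, "reasons": reasons})
    return hits


def run_all(events):
    """All findings for an event stream, in rule order."""
    return detect_hollowing(events) + detect_schtasks_persistence(events) + detect_c2(events)


if __name__ == "__main__":
    for hit in run_all(EVENTS):
        print(hit)
```

The hollowing rule deliberately keys on the relationship (a binary from a user-writable path setting the context of a child it created) rather than on MSBuild.exe by name, because the same report pattern recurs with other signed hosts; the IOC sets are the only part that is specific to this sample and are the part that goes stale first.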
Files
memory/1760-115-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp
memory/1928-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp21D3.tmp
| MD5 | 3e1859204b8ba4c248e4703e4b9c2b66 |
| SHA1 | d9d3ee93064dfce080010bc3bfe20708061a8acc |
| SHA256 | a54cdba41a97a1495eb87e2ba0179bddea6003f6f400588c07391e091f55255f |
| SHA512 | 36b0a6953ce754f4bd82735a68e0f6b43063b9ef14d242ce5fa4c829c1b516b1b10e185df2eb1231c294bbc1e4176a4afe8f9aa8e3d70200c440466e9e1c63fc |
memory/1972-118-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1972-119-0x000000000040FD88-mapping.dmp
memory/1972-120-0x0000000000400000-0x0000000000417000-memory.dmp
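The report records that schtasks.exe was invoked with /Create /TN "Updates\HXAjzs" /XML pointing at tmp21D3.tmp, and gives only that file's hashes, not its contents. The natural next step on a host is to pull the registered copy (Windows stores it under C:\Windows\System32\Tasks\Updates\HXAjzs) and read its trigger and action. The script below is an added example for this page, not code from the report; the task definition it parses is a constructed, hypothetical XML in the standard Task Scheduler schema whose action path is made up for illustration and is not the contents of tmp21D3.tmp. A second constructed sample shows a benign-looking task producing no flags.

```python
"""Triage of a Task Scheduler XML definition (added example).

SAMPLE_TASK_XML and BENIGN_TASK_XML are CONSTRUCTED; the report does not
show the contents of tmp21D3.tmp, and the command paths below are invented.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)

# Constructed. Real task files on disk are UTF-16 with an encoding declaration;
# read them in binary mode and pass the bytes so the parser honours it.
SAMPLE_TASK_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\example_payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign comparison: calendar trigger, command under System32.
BENIGN_TASK_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><Enabled>true</Enabled></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def task_file_path(task_name):
    """Where the registered definition for a task name lives on a Windows host."""
    return "C:\\Windows\\System32\\Tasks\\" + task_name.lstrip("\\")


def triage_task_xml(data):
    """Return trigger types, (command, arguments) actions and risk flags."""
    root = ET.fromstring(data)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [t.tag.split("}")[-1] for t in trig_el]
    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.iterfind("t:Actions/t:Exec", NS)]
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=NS).strip().lower() == "true"
    flags = []
    if any(USER_WRITABLE.search(cmd) for cmd, _ in actions):
        flags.append("action_in_user_writable_path")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        flags.append("runs_at_logon_or_boot")
    if hidden:
        flags.append("hidden")
    return {"triggers": triggers, "actions": actions, "flags": flags}


def triage_task_file(path):
    """Triage a task definition read from disk (binary mode, see note above)."""
    with open(path, "rb") as fh:
        return triage_task_xml(fh.read())


if __name__ == "__main__":
    print(task_file_path("Updates\\HXAjzs"))
    print(triage_task_xml(SAMPLE_TASK_XML))
    print(triage_task_xml(BENIGN_TASK_XML))
```

Because schtasks /XML accepts any trigger and action the schema allows, the hash of the imported temp file says little by itself; the trigger type, the command path and the Hidden setting are what distinguish a persistence task from an ordinary maintenance one.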
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:17
Platform
win10v20201028
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4724 set thread context of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe
"C:\Users\Admin\AppData\Local\Temp\FDA_certs.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HXAjzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | www.google.com | udp |
| N/A | 172.217.20.100:443 | www.google.com | tcp |
| N/A | 8.8.8.8:53 | kmt.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | kmt-2.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 85.187.154.178:587 | N/A | tcp |
| N/A | 8.8.8.8:53 | kmt.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | kmt-2.duckdns.org | udp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
| N/A | 192.169.69.25:3039 | kmt-2.duckdns.org | tcp |
Files
memory/4160-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp
| MD5 | a4bd966064b55755a36be1fd03eb731e |
| SHA1 | 2c62ca908bf6c44f0898cbc3e406be5122590061 |
| SHA256 | 9f7c343fd0ac869ed681dd3b1798bb1a081689d0350a4eeea4252e19b9d13411 |
| SHA512 | 624fbb372f2bf8c69bb5899221f1d4566a973ffc3afd6672c969d7869b946e85aae7bfbfcbcb08d9c122c3586be3b077b2ae09dc81922727a62eccec665d5089 |
memory/3212-4-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3212-5-0x000000000040FD88-mapping.dmp
memory/3212-6-0x0000000000400000-0x0000000000417000-memory.dmp