Analysis Overview
SHA256
6b09f1cfc05625cdd9c328e7ac8c67ade7fcc234cd0631999d8996b54c3da722
Threat Level: Known bad
The file ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe was found to be: Known bad.
Malicious Activity Summary
CoreEntity .NET Packer
Snakebot family
AsyncRat
Contains SnakeBOT related strings
Async RAT payload
rezer0
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:13
Platform
win10v20201028
Max time kernel
149s
Max time network
148s
Command Line
Signatures
AsyncRat
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4636 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe
"C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LDCESp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B06.tmp"
C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | www.google.com | udp |
| N/A | 172.217.20.100:443 | www.google.com | tcp |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp |
Files
memory/4636-0-0x0000000073D60000-0x000000007444E000-memory.dmp
memory/4636-1-0x0000000000060000-0x0000000000061000-memory.dmp
memory/4636-3-0x00000000072C0000-0x00000000072C1000-memory.dmp
memory/4636-4-0x0000000006E60000-0x0000000006E61000-memory.dmp
memory/4636-5-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
memory/4636-6-0x00000000043B0000-0x00000000043B3000-memory.dmp
memory/4636-7-0x000000000A930000-0x000000000A943000-memory.dmp
memory/4636-8-0x000000000AA00000-0x000000000AA01000-memory.dmp
memory/440-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5B06.tmp
| MD5 | 0d0ab56d8936ff894e452d51174369df |
| SHA1 | ea0949e92de9354fe94dec774aa48f6aa9b836f4 |
| SHA256 | abb6d4dadf1994d102bd92faf9986edc1f1d5f2ed788aae0b87221fc14023dee |
| SHA512 | 8a1da50c2ca6ede6c11fd5458e76e1752f59b48659b2f87377a0505c4778f7762a140dc3d3649e7a4a30d35d4942078014880aa6ce08c210def7c0e42c35e70c |
memory/2168-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2168-12-0x000000000040C60E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe.log
| MD5 | b4f7a6a57cb46d94b72410eb6a6d45a9 |
| SHA1 | 69f3596ffa027202d391444b769ceea0ae14c5f7 |
| SHA256 | 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b |
| SHA512 | be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c |
memory/2168-14-0x0000000073D60000-0x000000007444E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:13
Platform
win7v20201028
Max time kernel
148s
Max time network
148s
Command Line
Signatures
AsyncRat
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 364 set thread context of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe
"C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LDCESp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp"
C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp | |
| N/A | 185.165.153.215:6606 | tcp |
Files
memory/364-0-0x0000000073F40000-0x000000007462E000-memory.dmp
memory/364-1-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2004-3-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp
memory/364-4-0x00000000004C0000-0x00000000004C3000-memory.dmp
memory/364-5-0x0000000000620000-0x0000000000633000-memory.dmp
memory/1732-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp
| MD5 | 460627dcd6f03bb6d1ba0bae0f5a876b |
| SHA1 | 17a54db5eaa44620dec26bd8bc8d381b5714eac3 |
| SHA256 | 0d1df856f46802538b9acd6481fc054985961acf5abfd1320f8a2bbaed3bb38d |
| SHA512 | 140fd40a675782f8e1fdcb1f062a6884c144ceefb3e1f3ca9fb587cebcef6a1ac634a2cd3ab38ec1898381d6c03267b7f75dd168f6ace436d1b5842eeae305ed |
memory/1352-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1352-9-0x000000000040C60E-mapping.dmp
memory/1352-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1352-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1352-12-0x0000000073F40000-0x000000007462E000-memory.dmp