Analysis Overview
SHA256
10b2155331d3b0c7934808e52084c3911f82ece51f39836e3ef0e8db39ee9904
Threat Level: Known bad
The file TBL PAYMENT COPY.exe was found to be: Known bad.
Malicious Activity Summary
CoreEntity .NET Packer
Snakebot family
AgentTesla
AgentTesla Payload
Contains SnakeBOT related strings
rezer0
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:13
Platform
win7v20201028
Max time kernel
78s
Max time network
109s
Command Line
Signatures
AgentTesla
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 744 set thread context of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sxxFNU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E54.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | crl.verisign.com | udp |
Files
memory/744-0-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/744-1-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
memory/1440-3-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp
memory/744-4-0x0000000000360000-0x0000000000363000-memory.dmp
memory/744-5-0x00000000073C0000-0x0000000007413000-memory.dmp
memory/1956-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7E54.tmp
| MD5 | 8d83d1b84313f3758f363f2c6b4f98b0 |
| SHA1 | 038d5c767f9c59e12ef2038c34871d584e60d8c5 |
| SHA256 | a7e4b354643d09ba5dd647d4f79bfa660d84f897c11e86e793e82a1e9e1444fa |
| SHA512 | 1f740297e41781cc0cdd391ef9d3796ce7c24fabbbc23fd9d78ae457c2084fe98c30cce99f7139cce46bc60cf726a69bbe629f3c9b058081cff2c737501e28af |
memory/1476-8-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1476-9-0x000000000044CA3E-mapping.dmp
memory/1476-10-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1476-11-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1476-12-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/1548-15-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:13
Platform
win10v20201028
Max time kernel
133s
Max time network
133s
Command Line
Signatures
AgentTesla
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 424 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sxxFNU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D75.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | www.google.com | udp |
| N/A | 172.217.20.100:443 | www.google.com | tcp |
Files
memory/424-0-0x0000000073D50000-0x000000007443E000-memory.dmp
memory/424-1-0x0000000000920000-0x0000000000921000-memory.dmp
memory/424-3-0x0000000007C00000-0x0000000007C01000-memory.dmp
memory/424-4-0x00000000077A0000-0x00000000077A1000-memory.dmp
memory/424-5-0x0000000005220000-0x0000000005221000-memory.dmp
memory/424-6-0x0000000002B60000-0x0000000002B63000-memory.dmp
memory/424-7-0x000000000AD60000-0x000000000ADB3000-memory.dmp
memory/424-8-0x000000000AE60000-0x000000000AE61000-memory.dmp
memory/3280-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6D75.tmp
| MD5 | 7a2c752e729ee231da18ee33cf3b4517 |
| SHA1 | 43881e48474b57f048c5dccb13149de418ea8998 |
| SHA256 | d36452787e6c11a04313a27bca5c13e6bd632d0c74afb1d3994e62cb4243441a |
| SHA512 | abcb2bd8ac4ca544224392f2a5a157fab54b396352cc9399df74bf73b4d083a3f209f79b999b1e1d252b4bdc4b5e03f8719fec13678cba032c13be4a75446f8b |
memory/2684-11-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2684-12-0x000000000044CA3E-mapping.dmp
memory/2684-13-0x0000000073D50000-0x000000007443E000-memory.dmp
memory/2684-18-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/2684-19-0x00000000064B0000-0x00000000064B1000-memory.dmp
memory/3820-20-0x0000000000000000-mapping.dmp