Analysis Overview
SHA256
a625100d55ce2671fe17784442c36fa6bae6ada85d516c2e3ac4509112d4c740
Threat Level: Known bad
The file RFQ 1107052020.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Snakebot family
Contains SnakeBOT related strings
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:14
Platform
win7v20201028
Max time kernel
148s
Max time network
150s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe" | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 756 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC0C0.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC469.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | www.google.com | udp |
| N/A | 172.217.20.100:443 | www.google.com | tcp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | crl.verisign.com | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
Files
memory/668-46-0x000007FEF6AD0000-0x000007FEF6D4A000-memory.dmp
memory/1668-52-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1668-53-0x000000000041E792-mapping.dmp
memory/1668-54-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1668-55-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1176-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC0C0.tmp
| MD5 | fb80d0e19032b29c47d85d14f009fd97 |
| SHA1 | e1c6ce934402c7443cc1a923a15b99f3f734c915 |
| SHA256 | ae06bb533582078648bc61e560160bd222aa87ce0bf27eacd0988d04a3c34a97 |
| SHA512 | c0b5310625c03de2a15244324d8c5caf3cdebe7e53fd20c887285dce71e92249eb8a57997deaa6c2736ebeb9ff2d49ca21d3f8ef9aabe1fa947efc3c011767d3 |
memory/1976-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC469.tmp
| MD5 | 41808f05a9aa523d0ef506d4993f1d6c |
| SHA1 | 5a228145decf63ebbbd673c9b7c08a86236a22d4 |
| SHA256 | f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731 |
| SHA512 | 7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e |
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:14
Platform
win10v20201028
Max time kernel
149s
Max time network
152s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 540 set thread context of 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| File created | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7F86.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp818B.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 8.8.4.4:53 | sydney112.hopto.org | udp |
| N/A | 8.8.8.8:53 | sydney112.hopto.org | udp |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp | |
| N/A | 79.134.225.7:1007 | tcp |
Files
memory/3356-3-0x000000000041E792-mapping.dmp
memory/3356-2-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RFQ 1107052020.exe.log
| MD5 | 2ce1b56364fa233e3c3b24c1094c08ef |
| SHA1 | 6bd332829aebe567d7b2cb1fd9a82dfe1791052f |
| SHA256 | dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e |
| SHA512 | 5abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9 |
memory/3672-5-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7F86.tmp
| MD5 | fb80d0e19032b29c47d85d14f009fd97 |
| SHA1 | e1c6ce934402c7443cc1a923a15b99f3f734c915 |
| SHA256 | ae06bb533582078648bc61e560160bd222aa87ce0bf27eacd0988d04a3c34a97 |
| SHA512 | c0b5310625c03de2a15244324d8c5caf3cdebe7e53fd20c887285dce71e92249eb8a57997deaa6c2736ebeb9ff2d49ca21d3f8ef9aabe1fa947efc3c011767d3 |
memory/1092-7-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp818B.tmp
| MD5 | b3b017f9df206021717a11f11d895402 |
| SHA1 | e4ea12823af6550ee634536eec1eb14490580a3b |
| SHA256 | 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024 |
| SHA512 | 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343 |