Malware Analysis Report

2024-10-23 21:08

Sample ID: 201109-ngl6x19bfj
Target: invoices-docs-view.exe
SHA256: ef5b4a828d4322e2ca5681423488e03e9991191809fc068d80ce0bbeba792984
Tags: snakebot, nanocore, coreentity, evasion, keylogger, persistence, rezer0, spyware, stealer, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: ef5b4a828d4322e2ca5681423488e03e9991191809fc068d80ce0bbeba792984
Threat Level: Known bad

The file invoices-docs-view.exe was found to be: Known bad.

Malicious Activity Summary

Tags: snakebot, nanocore, coreentity, evasion, keylogger, persistence, rezer0, spyware, stealer, trojan

CoreEntity .NET Packer

Snakebot family

NanoCore

rezer0

Contains SnakeBOT related strings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-11-09 19:37

Signatures

Snakebot family (snakebot)

Contains SnakeBOT related strings (snakebot)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-11-09 19:37
Reported: 2020-11-09 22:12
Platform: win7v20201028
Max time kernel: 147s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe"

Signatures

CoreEntity .NET Packer (coreentity)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NanoCore (keylogger trojan stealer spyware nanocore)

rezer0 (rezer0)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Checks whether UAC is enabled (evasion trojan)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 344 set thread context of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WPA Host\wpahost.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A
File opened for modification | C:\Program Files (x86)\WPA Host\wpahost.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Creates scheduled task(s) (persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 344 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 344 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | 9

Processes

C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
  "C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IHVeunQQvXE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp"

C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
  "{path}"

Network

Country | Destination | Domain | Proto | Count
N/A | 79.134.225.89:12190 | | tcp | 27

Files

memory/344-0-0x0000000073FF0000-0x00000000746DE000-memory.dmp
memory/344-1-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/344-3-0x00000000007D0000-0x0000000000812000-memory.dmp
memory/344-4-0x0000000001F30000-0x0000000001F41000-memory.dmp
memory/1220-6-0x000007FEF7590000-0x000007FEF780A000-memory.dmp
memory/344-7-0x0000000001E60000-0x0000000001E63000-memory.dmp
memory/344-8-0x0000000004730000-0x000000000476A000-memory.dmp
memory/596-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp
MD5    4c04e06b6449c1cc6ceff060fdfc98de
SHA1   7bb9d719a81ccac642a2924a7a8bb204a5abe397
SHA256 5f582b2963f427f69881997296a8d122debf775a45ee89c7edf300eba9370731
SHA512 0e964906b687999b0549b6a82d403171bfb2574a5c73be978b342e66e6e07b9f6069c0883e4522cfc3d06d3d058aebaf8fa66fd849e155829a900fb3da8c888f

memory/1116-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-12-0x000000000041E792-mapping.dmp
memory/1116-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp
memory/1116-18-0x0000000000500000-0x0000000000505000-memory.dmp
memory/1116-19-0x0000000000510000-0x0000000000529000-memory.dmp
memory/1116-20-0x0000000000570000-0x0000000000573000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-11-09 19:37
Reported: 2020-11-09 22:12
Platform: win10v20201028
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe"

Signatures

CoreEntity .NET Packer (coreentity)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NanoCore (keylogger trojan stealer spyware nanocore)

rezer0 (rezer0)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Checks whether UAC is enabled (evasion trojan)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 648 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A
File opened for modification | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Creates scheduled task(s) (persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A | 2

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 648 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 648 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
  "C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IHVeunQQvXE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E2C.tmp"

C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
  "{path}"

Network

Country | Destination | Domain | Proto | Count
N/A | 8.8.8.8:53 | www.google.com.br | udp | 1
N/A | 172.217.19.195:443 | www.google.com.br | tcp | 1
N/A | 8.8.8.8:53 | www.google.com | udp | 1
N/A | 172.217.20.100:443 | www.google.com | tcp | 1
N/A | 79.134.225.89:12190 | | tcp | 26

Files

memory/648-0-0x00000000730E0000-0x00000000737CE000-memory.dmp
memory/648-1-0x0000000000790000-0x0000000000791000-memory.dmp
memory/648-3-0x0000000005200000-0x0000000005242000-memory.dmp
memory/648-4-0x0000000007CA0000-0x0000000007CA1000-memory.dmp
memory/648-5-0x0000000007840000-0x0000000007841000-memory.dmp
memory/648-6-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/648-7-0x0000000004C80000-0x0000000004C81000-memory.dmp
memory/648-8-0x000000000A580000-0x000000000A583000-memory.dmp
memory/648-9-0x000000000AC10000-0x000000000AC4A000-memory.dmp
memory/648-10-0x000000000AE50000-0x000000000AE51000-memory.dmp
memory/184-11-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8E2C.tmp
MD5    b9a58f017610dd4bce0952718d77756a
SHA1   d4a6005357c91c6b0865dd054039c074016c087d
SHA256 4a216290d2be3d6ebf0b02f6b31089e3b3ea550757b164cb9175caf6b30f5813
SHA512 a671224ae9c60b27678817c7b6568b4360b2c41bd3798a3afc20b70281bd10c2b38187aa5166dc3f73a0435de661a636dd42bdd64451d663e76a2c44721b1319

memory/1472-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1472-14-0x000000000041E792-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoices-docs-view.exe.log
MD5    b4f7a6a57cb46d94b72410eb6a6d45a9
SHA1   69f3596ffa027202d391444b769ceea0ae14c5f7
SHA256 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b
SHA512 be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

memory/1472-16-0x00000000730E0000-0x00000000737CE000-memory.dmp
memory/1472-23-0x0000000005650000-0x0000000005655000-memory.dmp
memory/1472-24-0x0000000005CF0000-0x0000000005D09000-memory.dmp
memory/1472-25-0x0000000005F20000-0x0000000005F23000-memory.dmp