Analysis Overview
SHA256
ef5b4a828d4322e2ca5681423488e03e9991191809fc068d80ce0bbeba792984
Threat Level: Known bad
The file invoices-docs-view.exe was found to be: Known bad.
Malicious Activity Summary
CoreEntity .NET Packer
Snakebot family
NanoCore
rezer0
Contains SnakeBOT related strings
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:12
Platform
win7v20201028
Max time kernel
147s
Max time network
152s
Command Line
Signatures
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NanoCore
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 344 set thread context of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WPA Host\wpahost.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WPA Host\wpahost.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
"C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IHVeunQQvXE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp"
C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp |
Files
memory/344-0-0x0000000073FF0000-0x00000000746DE000-memory.dmp
memory/344-1-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/344-3-0x00000000007D0000-0x0000000000812000-memory.dmp
memory/344-4-0x0000000001F30000-0x0000000001F41000-memory.dmp
memory/1220-6-0x000007FEF7590000-0x000007FEF780A000-memory.dmp
memory/344-7-0x0000000001E60000-0x0000000001E63000-memory.dmp
memory/344-8-0x0000000004730000-0x000000000476A000-memory.dmp
memory/596-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp
| MD5 | 4c04e06b6449c1cc6ceff060fdfc98de |
| SHA1 | 7bb9d719a81ccac642a2924a7a8bb204a5abe397 |
| SHA256 | 5f582b2963f427f69881997296a8d122debf775a45ee89c7edf300eba9370731 |
| SHA512 | 0e964906b687999b0549b6a82d403171bfb2574a5c73be978b342e66e6e07b9f6069c0883e4522cfc3d06d3d058aebaf8fa66fd849e155829a900fb3da8c888f |
memory/1116-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-12-0x000000000041E792-mapping.dmp
memory/1116-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp
memory/1116-18-0x0000000000500000-0x0000000000505000-memory.dmp
memory/1116-19-0x0000000000510000-0x0000000000529000-memory.dmp
memory/1116-20-0x0000000000570000-0x0000000000573000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:12
Platform
win10v20201028
Max time kernel
147s
Max time network
151s
Command Line
Signatures
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NanoCore
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 648 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
"C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IHVeunQQvXE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E2C.tmp"
C:\Users\Admin\AppData\Local\Temp\invoices-docs-view.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | www.google.com | udp |
| N/A | 172.217.20.100:443 | www.google.com | tcp |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp | |
| N/A | 79.134.225.89:12190 | tcp |
Files
memory/648-0-0x00000000730E0000-0x00000000737CE000-memory.dmp
memory/648-1-0x0000000000790000-0x0000000000791000-memory.dmp
memory/648-3-0x0000000005200000-0x0000000005242000-memory.dmp
memory/648-4-0x0000000007CA0000-0x0000000007CA1000-memory.dmp
memory/648-5-0x0000000007840000-0x0000000007841000-memory.dmp
memory/648-6-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/648-7-0x0000000004C80000-0x0000000004C81000-memory.dmp
memory/648-8-0x000000000A580000-0x000000000A583000-memory.dmp
memory/648-9-0x000000000AC10000-0x000000000AC4A000-memory.dmp
memory/648-10-0x000000000AE50000-0x000000000AE51000-memory.dmp
memory/184-11-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8E2C.tmp
| MD5 | b9a58f017610dd4bce0952718d77756a |
| SHA1 | d4a6005357c91c6b0865dd054039c074016c087d |
| SHA256 | 4a216290d2be3d6ebf0b02f6b31089e3b3ea550757b164cb9175caf6b30f5813 |
| SHA512 | a671224ae9c60b27678817c7b6568b4360b2c41bd3798a3afc20b70281bd10c2b38187aa5166dc3f73a0435de661a636dd42bdd64451d663e76a2c44721b1319 |
memory/1472-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1472-14-0x000000000041E792-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoices-docs-view.exe.log
| MD5 | b4f7a6a57cb46d94b72410eb6a6d45a9 |
| SHA1 | 69f3596ffa027202d391444b769ceea0ae14c5f7 |
| SHA256 | 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b |
| SHA512 | be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c |
memory/1472-16-0x00000000730E0000-0x00000000737CE000-memory.dmp
memory/1472-23-0x0000000005650000-0x0000000005655000-memory.dmp
memory/1472-24-0x0000000005CF0000-0x0000000005D09000-memory.dmp
memory/1472-25-0x0000000005F20000-0x0000000005F23000-memory.dmp