Analysis Overview
SHA256
329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5
Threat Level: Known bad
The file CONFIRMACION DEL PEDIDO CVE6535,PDF.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Snakebot family
CoreEntity .NET Packer
Contains SnakeBOT related strings
rezer0
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:05
Platform
win7v20201028
Max time kernel
151s
Max time network
139s
Command Line
Signatures
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1848 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | thankyoulord.ddns.net | udp |
| N/A | 204.79.197.200:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | crl.verisign.com | udp |
Files
memory/1848-0-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/1848-1-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/1984-3-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp
memory/1848-4-0x0000000000230000-0x0000000000233000-memory.dmp
memory/1848-5-0x0000000007330000-0x0000000007357000-memory.dmp
memory/1448-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp
| MD5 | 6f034f247ff434fdf03cbe467d528312 |
| SHA1 | 894bae0158a82ede3c4c8e48349d49f621cf9032 |
| SHA256 | 68a695d53c232920102c555e384bcbc6efc6eac421011b4ceaf9b30c2ce6fd7d |
| SHA512 | 43d86aab0e7e4565dad4abddc9a1645030fa2ab9c6a26359f7ed0d1354212fcae11ca535299eaecad6998b9c7a8a9fd3be0e6cea01cc3e5e78ba9707464b3fe1 |
memory/960-8-0x0000000000400000-0x0000000000420000-memory.dmp
memory/960-9-0x0000000000413A84-mapping.dmp
memory/960-10-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:06
Platform
win10v20201028
Max time kernel
151s
Max time network
132s
Command Line
Signatures
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2432 set thread context of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC058.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | thankyoulord.ddns.net | udp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
Files
memory/2432-0-0x0000000073970000-0x000000007405E000-memory.dmp
memory/2432-1-0x00000000007A0000-0x00000000007A1000-memory.dmp
memory/2432-3-0x00000000079C0000-0x00000000079C1000-memory.dmp
memory/2432-4-0x0000000007560000-0x0000000007561000-memory.dmp
memory/2432-5-0x0000000007520000-0x0000000007521000-memory.dmp
memory/2432-6-0x0000000002A80000-0x0000000002A83000-memory.dmp
memory/2432-7-0x000000000A9B0000-0x000000000A9D7000-memory.dmp
memory/2432-8-0x000000000AA80000-0x000000000AA81000-memory.dmp
memory/3948-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC058.tmp
| MD5 | e3b3df55dbac304978868a58e602b677 |
| SHA1 | 42ba13f72c8cba8665b9ebf43468b95a12358bed |
| SHA256 | 1c92fbfb17d3a5ad0a27e600b9137015a4e06f59571feea3f07bdd1f6e1566fe |
| SHA512 | 6a394c04557cbe460af948178454af43c4d31d8e8b0216f9778c9a0be3a9130e500fc7102b6aaaab9147d60bc4d78f5a48625c9923b2c10a05d7b55543c68a55 |
memory/3124-11-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3124-12-0x0000000000413A84-mapping.dmp
memory/3124-13-0x0000000000400000-0x0000000000420000-memory.dmp