Analysis Overview
SHA256
eca3684f68d645ee6e591345e53f514f15e88c2de59248a9c95895b56b24ff46
Threat Level: Known bad
The file eca3684f68d645ee6e591345e53f514f15e88c2de59248a9c95895b56b24ff46 was found to be: Known bad.
Malicious Activity Summary
Snakebot family
Contains SnakeBOT related strings
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:15
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:15
Reported
2022-05-21 01:43
Platform
win10v2004-20220414-en
Max time kernel
123s
Max time network
156s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2944 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2944 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Products.exe
"C:\Users\Admin\AppData\Local\Temp\Products.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| US | 8.8.8.8:53 | consent.google.com.br | udp |
| NL | 142.251.39.110:443 | consent.google.com.br | tcp |
| NL | 104.97.14.81:80 | N/A | tcp |
| IE | 20.54.110.249:443 | N/A | tcp |
| US | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp |
| US | 208.91.198.46:587 | us2.smtp.mailhostbox.com | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| NL | 178.79.208.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
Files
memory/2944-130-0x0000000074BC0000-0x0000000075171000-memory.dmp
memory/1000-131-0x0000000000000000-mapping.dmp
memory/2944-132-0x000000000192A000-0x000000000192F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:15
Reported
2022-05-21 01:44
Platform
win7-20220414-en
Max time kernel
98s
Max time network
45s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1544 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1544 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1544 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1544 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\Products.exe | C:\Windows\SysWOW64\netsh.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Products.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Products.exe
"C:\Users\Admin\AppData\Local\Temp\Products.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
Files
memory/1544-54-0x0000000075721000-0x0000000075723000-memory.dmp
memory/1544-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1544-56-0x00000000021A9000-0x00000000021BA000-memory.dmp
memory/632-57-0x0000000000000000-mapping.dmp