Analysis Overview
SHA256
9d0090f0ad9618301e3527f212e156dc2720fd5859ae2469d643e85323d74c89
Threat Level: Known bad
The file 9d0090f0ad9618301e3527f212e156dc2720fd5859ae2469d643e85323d74c89 was found to be: Known bad.
Malicious Activity Summary
Snakebot family
AgentTesla
Contains SnakeBOT related strings
Looks for VirtualBox Guest Additions in registry
AgentTesla Payload
Looks for VMWare Tools registry key
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Checks BIOS information in registry
Maps connected drives based on registry
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:21
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:21
Reported
2022-05-21 02:02
Platform
win10v2004-20220414-en
Max time kernel
75s
Max time network
143s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4452 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QPcnNesmP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BB.tmp"
C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| US | 93.184.220.29:80 | tcp | |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| US | 8.8.8.8:53 | consent.google.com.br | udp |
| NL | 142.251.39.110:443 | consent.google.com.br | tcp |
| US | 20.44.10.122:443 | tcp | |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| NL | 8.248.7.254:80 | tcp | |
| NL | 8.248.7.254:80 | tcp |
Files
memory/4452-130-0x0000000074F30000-0x00000000754E1000-memory.dmp
memory/4420-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB2BB.tmp
| MD5 | da35df82786d298a891eebb4f2d99db8 |
| SHA1 | 9fd6198904a15f41d93445c5722296a5eddf08b2 |
| SHA256 | 655b63a1abbee4821274adb760a4390909115c20fdd05e56d699469f96ea5daf |
| SHA512 | 91fa3998b8de06dc1b70c154aef8e3be182aa71c03c26ef70ab19819c731cf7372fc35cdd2a474350040383b417698f87b56f3dd743fe857c4aa6187a8e9eb55 |
memory/1080-133-0x0000000000000000-mapping.dmp
memory/1080-134-0x0000000000400000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Order.exe.log
| MD5 | fa63f48f58ed4dfb0c496c113f0926c7 |
| SHA1 | 9d79155de350d586d815e7abf1c00696f4b22d3e |
| SHA256 | 9d670c5385c7a9ab57bf6790af6e13ce25637f05c96765b847b64f7a68a3c8db |
| SHA512 | 55a43eefd1592a4d821f539075b5db719c9ab86f360e357caf1a57a23971ce4c94a7afc61bdb35830df0fd474de340aa03e6396b5da8ec0a19d8a062ea07a66d |
memory/1080-136-0x0000000074F30000-0x00000000754E1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:21
Reported
2022-05-21 02:02
Platform
win7-20220414-en
Max time kernel
94s
Max time network
51s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1512 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QPcnNesmP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF883.tmp"
C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
Network
Files
memory/1512-54-0x0000000076421000-0x0000000076423000-memory.dmp
memory/1512-55-0x0000000074640000-0x0000000074BEB000-memory.dmp
memory/1512-56-0x0000000000219000-0x000000000022A000-memory.dmp
memory/2036-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF883.tmp
| MD5 | 4b32d7958f712ab94d9b190fe09dfc6d |
| SHA1 | 54660b796b02ce4b681a03812adde148ae70c162 |
| SHA256 | bfd463029bd56000f3c5bf09b25459f343cb9d4ec679794542ff539cdc132a81 |
| SHA512 | 782f0a9d7e30aebcc2da468c5d34fec076c914196a8e4c2f97871a32ca9acecbb78519501ed25027fc5f4fe7baa49f75ebc8a2b4837dce8048f771d2ae66a758 |
memory/1060-59-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-60-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-62-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-63-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-64-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-65-0x000000000044B99E-mapping.dmp
memory/1060-67-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-69-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1060-71-0x0000000074640000-0x0000000074BEB000-memory.dmp