Analysis Overview
SHA256
38a71942dc5220e5b0deeb6926022d40f43ba1123ec2f3ac24aba7b40d662a12
Threat Level: Known bad
The file 38a71942dc5220e5b0deeb6926022d40f43ba1123ec2f3ac24aba7b40d662a12 was found to be: Known bad.
Malicious Activity Summary
Snakebot family
Contains SnakeBOT related strings
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Enumerates physical storage devices
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:29
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:29
Reported
2022-05-21 02:18
Platform
win7-20220414-en
Max time kernel
95s
Max time network
120s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1808 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1808 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1808 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| US | 8.8.8.8:53 | consent.google.com.br | udp |
| NL | 142.251.39.110:443 | consent.google.com.br | tcp |
Files
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
memory/1808-55-0x0000000073F50000-0x00000000744FB000-memory.dmp
memory/1808-56-0x0000000000A29000-0x0000000000A3A000-memory.dmp
memory/1988-57-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:29
Reported
2022-05-21 02:18
Platform
win10v2004-20220414-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2832 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2832 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2832 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | C:\Windows\SysWOW64\netsh.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 67.26.209.254:80 | | tcp |
| US | 8.252.118.254:80 | | tcp |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| IE | 20.54.89.106:443 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
Files
memory/2832-130-0x00000000750A0000-0x0000000075651000-memory.dmp
memory/5064-131-0x0000000000000000-mapping.dmp
memory/2832-132-0x00000000014FA000-0x00000000014FF000-memory.dmp
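The Files lists in both detonations name the dumped regions as memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, with one entry per run that carries no address range (memory/<pid>-<seq>-0x0-mapping.dmp, recorded for the netsh.exe child). The parser below is an added example, not the sandbox's own tooling; it assumes only the naming seen on this page, and handles the range-less mapping entry as the edge case. Region sizes are the first thing worth knowing before opening a dump: the roughly 5.9 MB region at 0x73F50000 in behavioral1 (and the similar one at 0x750A0000 in behavioral2) is module-sized, while the few-KB regions in the low 0x00Axxxxx range are where a small unpacked payload or configuration would fit.

```python
"""Parser for the memory-dump names listed under 'Files' in this report.
Added example, not the sandbox's own code.  Assumes the naming observed on
this page: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp for a dumped
range and memory/<pid>-<seq>-0x0-mapping.dmp for an entry without a range."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


@dataclass(frozen=True)
class DumpEntry:
    pid: int
    seq: int
    kind: str            # "memory" (dumped range) or "mapping" (no range)
    start: int
    end: Optional[int]   # None for mapping entries

    @property
    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start


def parse_dump_name(name: str) -> DumpEntry:
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised dump name: {name!r}")
    end_hex = m.group("end")
    return DumpEntry(
        pid=int(m.group("pid")),
        seq=int(m.group("seq")),
        kind="memory" if end_hex is not None else "mapping",
        start=int(m.group("start"), 16),
        end=int(end_hex, 16) if end_hex is not None else None,
    )


def summarize(names):
    """Per-PID totals: dumped regions, range-less mappings, bytes, largest region."""
    per_pid = defaultdict(lambda: {"regions": 0, "mappings": 0, "bytes": 0, "largest": None})
    for name in names:
        entry = parse_dump_name(name)
        stats = per_pid[entry.pid]
        if entry.kind == "mapping":
            stats["mappings"] += 1
            continue
        stats["regions"] += 1
        stats["bytes"] += entry.size
        if stats["largest"] is None or entry.size > stats["largest"].size:
            stats["largest"] = entry
    return dict(per_pid)


# The behavioral1 'Files' list as printed on this page.
BEHAVIORAL1_FILES = [
    "memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp",
    "memory/1808-55-0x0000000073F50000-0x00000000744FB000-memory.dmp",
    "memory/1808-56-0x0000000000A29000-0x0000000000A3A000-memory.dmp",
    "memory/1988-57-0x0000000000000000-mapping.dmp",
]

if __name__ == "__main__":
    for pid, stats in summarize(BEHAVIORAL1_FILES).items():
        big = stats["largest"]
        where = f"largest at 0x{big.start:08X} ({big.size:#x} bytes)" if big else "no dumped ranges"
        print(f"pid {pid}: {stats['regions']} regions, {stats['mappings']} mappings, "
              f"{stats['bytes']:#x} bytes, {where}")
```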