snakebot | c9ae7f8a79a27955d93c32f1b9fc3100496f4cdb6acfa848e80acabca6d1749f

Resubmissions

13-03-2023 06:29

230313-g841waah6v 10

13-03-2023 05:52

230313-gk2wlsgg73 10

13-03-2023 05:45

230313-gfsr5sgg57 7

Analysis

max time kernel
302s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
13-03-2023 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

120.1MB
MD5

5fb9b3c109ad471d0bc148329344e8ca
SHA1

21f2a06e7f83cb2886c16cafc20968f370fa2643
SHA256

c9ae7f8a79a27955d93c32f1b9fc3100496f4cdb6acfa848e80acabca6d1749f
SHA512

b50c9420e0709391be280b4f65be35bde9018388872c4ad675f104fd0093be22159a74b0d46b0d1c92043887824cb97464db452d422bcd339a1f3578b3f7456c
SSDEEP

1572864:uiM7DhczCaxWLABs8spKCFLme+A2akcvAYBkbKiD5DEeM9VCwQdUzk+:ulOCaELAO8WLiA2aTVkbKidc9IdUz/

Score

10^/10

snakebot discovery snakebot

Malware Config

Signatures

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 1 IoCs

snakebot

Processes:

resource	yara_rule
C:\Program Files (x86)\Undertale\data.win	snakebot_strings

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\Undertale\steam_api.dll	acprotect
C:\Program Files (x86)\Undertale\steam_api.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

Setup.tmpUNDERTALE_1.001.exe

pid process

3920 Setup.tmp
4328 UNDERTALE_1.001.exe
Loads dropped DLL 2 IoCs

Processes:

UNDERTALE_1.001.exe

pid process

4328 UNDERTALE_1.001.exe
4328 UNDERTALE_1.001.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe

Drops file in Program Files directory 64 IoCs

Processes:

Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Undertale\is-SJESQ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-7E1NN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-BOPK3.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-M9JN1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-30K64.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-1V9S8.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-A1U28.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-3HV07.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-4U6O1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-G0V5G.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-S2EGS.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-POEVJ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-PRLQQ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-UVQP0.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-VBSNN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-PRMQR.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-3Q3H5.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-NPRN1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-N56JQ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-KR203.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-G3RFR.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-FF2MK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-OM7QU.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-LB0ER.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-FH76C.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-F1867.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-U6S4G.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-7HPT5.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Undertale\UNDERTALE_1.001.exe	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-1FF61.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-3EMEV.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-HIU2D.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-C4CRJ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-JSA8B.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-L6O2G.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-I3249.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-647DJ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-7R8VE.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-JIMO1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-05SSK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-0EEME.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-28C1C.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-16CCE.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-MKK04.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-04I3D.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-UGTUC.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-4HIQU.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-D7TCK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-MTQTC.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-M8Q6T.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-QK6AO.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-32572.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-P8R3E.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-V8UQL.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-3E06S.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-IU15D.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-IF58E.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-N35M8.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-6E94I.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-TVKC1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-D4LVK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-LE2Q7.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Undertale\unins000.dat	Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-KL99C.tmp	Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Setup.tmpUNDERTALE_1.001.exe

pid	process
3920	Setup.tmp
3920	Setup.tmp
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe
4328	UNDERTALE_1.001.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UNDERTALE_1.001.exe

pid process

4328 UNDERTALE_1.001.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4872 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4872 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.tmp

pid process

3920 Setup.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UNDERTALE_1.001.exe

pid process

4328 UNDERTALE_1.001.exe

pid	process
4328	UNDERTALE_1.001.exe

description	pid	process
Token: 33	4872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4872	AUDIODG.EXE

pid	process
4328	UNDERTALE_1.001.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Setup.exeSetup.tmp

description	pid	process	target process
PID 1380 wrote to memory of 3920	1380	Setup.exe	Setup.tmp
PID 1380 wrote to memory of 3920	1380	Setup.exe	Setup.tmp
PID 1380 wrote to memory of 3920	1380	Setup.exe	Setup.tmp
PID 3920 wrote to memory of 4328	3920	Setup.tmp	UNDERTALE_1.001.exe
PID 3920 wrote to memory of 4328	3920	Setup.tmp	UNDERTALE_1.001.exe
PID 3920 wrote to memory of 4328	3920	Setup.tmp	UNDERTALE_1.001.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\is-QN567.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QN567.tmp\Setup.tmp" /SL5="$80046,124988605,836608,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3920

C:\Program Files (x86)\Undertale\UNDERTALE_1.001.exe
"C:\Program Files (x86)\Undertale\UNDERTALE_1.001.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Undertale\D3DX9_43.dll
Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Program Files (x86)\Undertale\UNDERTALE_1.001.exe
Filesize
3.7MB

MD5
62adbbb61850a3883c15a29a0d08df86

SHA1
835a9f036668f592d49d790eb933d706097ddf01

SHA256
71663af422d47908711fca5d24b4244b9eef78e1f2a45214ee59b14712de5500

SHA512
a95b0afe81fd4535959da755f468672c8abd2215522ac324a156f47b3eed485b4589724ed9f51b3d78939afedf94d4afb9463ab256b54b2b5d65c7acc67359d3

Download Submit
C:\Program Files (x86)\Undertale\UNDERTALE_1.001.exe
Filesize
3.7MB

MD5
62adbbb61850a3883c15a29a0d08df86

SHA1
835a9f036668f592d49d790eb933d706097ddf01

SHA256
71663af422d47908711fca5d24b4244b9eef78e1f2a45214ee59b14712de5500

SHA512
a95b0afe81fd4535959da755f468672c8abd2215522ac324a156f47b3eed485b4589724ed9f51b3d78939afedf94d4afb9463ab256b54b2b5d65c7acc67359d3

Download Submit
C:\Program Files (x86)\Undertale\UNDERTALE_1.001.exe
Filesize
3.7MB

MD5
62adbbb61850a3883c15a29a0d08df86

SHA1
835a9f036668f592d49d790eb933d706097ddf01

SHA256
71663af422d47908711fca5d24b4244b9eef78e1f2a45214ee59b14712de5500

SHA512
a95b0afe81fd4535959da755f468672c8abd2215522ac324a156f47b3eed485b4589724ed9f51b3d78939afedf94d4afb9463ab256b54b2b5d65c7acc67359d3

Download Submit
C:\Program Files (x86)\Undertale\d3dx9_43.dll
Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Program Files (x86)\Undertale\data.win
Filesize
55.2MB

MD5
a7728805e9789cb1288e6d807aa46833

SHA1
9c07858aa3ea04319644cc246d04ffa2dd77323c

SHA256
36e4544d49fbba8f484cd1c629085d240139b54e07dab6a466f0dd36f1753e98

SHA512
f8f54db54d921eff62327733d8a4811dc1c0e5c0fd3b9c898a84cdfeba513ec8e9dde2a333ef411b0190106c80e0a2a1776dc927d3ad9e62d0b515999690237d

Download Submit
C:\Program Files (x86)\Undertale\mus_intronoise.ogg
Filesize
38KB

MD5
f851df4bc59e60e9be07e2ba413b44a0

SHA1
1004c711725031a7ed4b48fe9647cd03670d8385

SHA256
85dbde2ff5894d1942618b763e3d70af7d5c46c09da77ea772bbe93a858b70fd

SHA512
47f4a4e11eefd3f0fbae3a85125d82321a8a9b69d06cd5e3acc124f6a4909b4cfe36830a10a3020f04c58410913913de1ed4606b16c76d44198d6bb493bf73bc

Download Submit
C:\Program Files (x86)\Undertale\mus_story.ogg
Filesize
648KB

MD5
d616e0ef2ae212ae0717c1b3838d2cd6

SHA1
eec3f046a8ad007b8fca4cc843ad62db267a59bf

SHA256
65688e20f6a2fc02ad2736db1a7106289f5a6cde5114daa326f85b930fc73209

SHA512
777f61c394141e2f883897367ff5c984875b5bbb49f70c2153cc5d51566c8ce2f02aae3d963846644479486b96f8f0c07bcd9581b5b8fc43a50a5efbea9d5f62

Download Submit
C:\Program Files (x86)\Undertale\options.ini
Filesize
97B

MD5
396f73a1185a5642f5f1e2538b64396a

SHA1
d72d687a5a1258986f218bfccacc6118c39ec4f9

SHA256
e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58

SHA512
e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da

Download Submit
C:\Program Files (x86)\Undertale\splash.png
Filesize
893B

MD5
188cf6da0fd3f7ec3e1be7d6a2c38663

SHA1
17f12013c22612b58382ab7ef01da4a96036fb9a

SHA256
358239b9859b8b15135b8092ce1cf45473db83e0cbe50c632bcd2a510d41cd05

SHA512
4d60a961cd3f30d180f07fd894d74db0f730e93323338b112918c44719f2d2cc4b4b18803288fc0d047710840cbc78106fb3eb13a6249747b6d21fb7382fda45

Download Submit
C:\Program Files (x86)\Undertale\steam_api.dll
Filesize
251KB

MD5
23767288e6a003aaaa54355cbe108da8

SHA1
c7f21dc71491fe661c698f5c561405c0e3f423c1

SHA256
209135c082a8ef8323479384e97d769d9b2d98f727bbb34a7806ce150b750c89

SHA512
a870b2f99da48ad07f9b36d6730d74af5f285af12e21a24d61e6e3023d5917920bd343fe295b7374a2065bf9c09b6f1cbb03fbcf05206f4bd0544b5f0eb0e147

Download Submit
C:\Program Files (x86)\Undertale\steam_api.dll
Filesize
251KB

MD5
23767288e6a003aaaa54355cbe108da8

SHA1
c7f21dc71491fe661c698f5c561405c0e3f423c1

SHA256
209135c082a8ef8323479384e97d769d9b2d98f727bbb34a7806ce150b750c89

SHA512
a870b2f99da48ad07f9b36d6730d74af5f285af12e21a24d61e6e3023d5917920bd343fe295b7374a2065bf9c09b6f1cbb03fbcf05206f4bd0544b5f0eb0e147

Download Submit
C:\Program Files (x86)\Undertale\steam_emu.ini
Filesize
2KB

MD5
f98efa05e4c224bec6df0f38c1f41801

SHA1
b73f247e46657c5e78c410d7d5bef50dac8c172e

SHA256
303cfb51ad5a389296c7c86e4aea6d450276078d40d848df4a334e70d5b77885

SHA512
13bad72f40efb3ca91bc28490974af4a7a40c6da5b11ae2f277cc24def56c32b2f9381b09c11a028e5bd27966f88085eb98aebb6f81e7893efdd76bc3981cf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QN567.tmp\Setup.tmp
Filesize
2.5MB

MD5
d9bc11c23aa360311d6b237b23b0c4fd

SHA1
2f6bca0a9d09a1928f139a8a2e0cc872f4284fe7

SHA256
88e4053e376c6597edc6533584b2f2fa3905237fe5db61867e8ee71c3a9e9f5d

SHA512
732b217963e415fb272556731cf8503df431dbc450f6caf59b7c47804c650baebd33735d9fee18537bac37d639f4491a168351fa4b431457f62bae0e219de6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QN567.tmp\Setup.tmp
Filesize
2.5MB

MD5
d9bc11c23aa360311d6b237b23b0c4fd

SHA1
2f6bca0a9d09a1928f139a8a2e0cc872f4284fe7

SHA256
88e4053e376c6597edc6533584b2f2fa3905237fe5db61867e8ee71c3a9e9f5d

SHA512
732b217963e415fb272556731cf8503df431dbc450f6caf59b7c47804c650baebd33735d9fee18537bac37d639f4491a168351fa4b431457f62bae0e219de6fa

Download Submit
memory/1380-133-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1380-648-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1380-142-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3920-645-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/3920-138-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3920-583-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/3920-144-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3920-150-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/3920-173-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/3920-152-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/3920-143-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/4328-655-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4328-657-0x0000000074190000-0x0000000074241000-memory.dmp

Filesize
708KB

Download
memory/4328-659-0x0000000074190000-0x0000000074241000-memory.dmp

Filesize
708KB

Download
memory/4328-649-0x0000000074190000-0x0000000074241000-memory.dmp

Filesize
708KB

Download
memory/4328-666-0x0000000074190000-0x0000000074241000-memory.dmp

Filesize
708KB

Download
memory/4328-668-0x0000000074190000-0x0000000074241000-memory.dmp

Filesize
708KB

Download
memory/4328-670-0x0000000074190000-0x0000000074241000-memory.dmp

Filesize
708KB

Download