Analysis
-
max time kernel
158s -
max time network
168s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-10-2021 18:41
Static task
static1
Behavioral task
behavioral1
Sample
vbc.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
vbc.exe
Resource
win10-en-20210920
General
-
Target
vbc.exe
-
Size
238KB
-
MD5
8efc94a68d078ed67459403c868aa9f0
-
SHA1
64da6737b14dc11fb68fe4aef22981219ecbfd9f
-
SHA256
511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
-
SHA512
5fd1f0fb7113d11e5ee7921581da43a4b04c2afeecca9fbd623cae5ef2b19955cd456fd7ac230eeab344e12e6452b780f616b90a00ccc1f1606a443a54f5a9f6
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: vbc.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
process: vbc.exe
-
Neshta
Malware from the Neshta family spreads by infecting other files with copies of itself and can cause damage.
-
Loads dropped DLL 1 IoCs
Processes: vbc.exe
pid: 3456
process: vbc.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in Program Files directory 53 IoCs
Processes: vbc.exe
-
Drops file in Windows directory 1 IoCs
Processes: vbc.exe
description: File opened for modification
ioc: C:\Windows\svchost.com
process: vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: vbc.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
process: vbc.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: vbc.exe
description: PID 3456 wrote to memory of 3552 (13 identical entries)
pid: 3456
process: vbc.exe
target process: vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3456 -
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:3552
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsaF7DF.tmp\edjaxef.dll
MD5
91b963a246288264ddf484d3b69741a1
SHA1
15168c8dd766c2046f891e085e08fae5a368665d
SHA256
8477871a37fc72bdc5eaec5d690e67421209e6fbeb3b6d278044de3686df650c
SHA512
99fd9259be65abef388a7763cbd7b3de5252bcd3827a36bf970989a73e87b76c35cfab6bc6c035057b5e1a78f924585577ffb9f88500fc300ed727955de72652
-
memory/3552-119-0x0000000000000000-mapping.dmp
-
memory/3552-120-0x00000000001D0000-0x00000000001EB000-memory.dmp
Filesize
108KB