Analysis
- Max time kernel: 119s
- Max time network: 614s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 29-10-2021 13:17
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample vbc.bin.exe, resource win7-en-20210920)
- Behavioral task: behavioral2 (sample vbc.bin.exe, resource win10-en-20210920)
General
- Target: vbc.bin.exe
- Size: 234KB
- MD5: 781932d5e3cf1b9e902ee2ea8c48f572
- SHA1: 70a244d771d7cfa61b2fa3d2a0ac386ea2bf0393
- SHA256: afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709
- SHA512: ba05f74a081a6e4fc12b4c00f388da141bdfa61074ecf379421cdcc72d6f546e6067e07877332e3456bf27a3b17d5549ade76b04cbf2de2753f39fbdf31082bc
Malware Config
Signatures
- Detect Neshta Payload (1 IoC)
  Resource: behavioral2/memory/1880-116-0x0000000000000000-mapping.dmp, YARA rule: family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: vbc.bin.exe, Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Neshta
  Malware from the Neshta family infects other files in order to spread itself and cause damage.
- Loads dropped DLL (1 IoC)
  Process: vbc.bin.exe, PID 1696
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Program Files directory (53 IoCs)
  Process: vbc.bin.exe (File opened for modification, 53 entries)
- Drops file in Windows directory (1 IoC)
  Process: vbc.bin.exe, File opened for modification C:\Windows\svchost.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: vbc.bin.exe, Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Suspicious use of WriteProcessMemory (13 IoCs)
  Process: vbc.bin.exe, PID 1696 wrote to memory of PID 1880 (vbc.bin.exe); 13 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe"
  PID: 1696
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe (child of PID 1696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe"
    PID: 1880
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nscD69B.tmp\azxcktqvoyc.dll
  MD5: 26ffa4722b447fff084a239b44f7cac9
  SHA1: 39f7ad0bf15f3dcf6e67141108476abea370f7e3
  SHA256: 77aba174986d7969103ae452fd1193ccb9dc495a4579fa4b7f2939e367b33121
  SHA512: 118068c79e021899abeeb9a17e548b9887af536fc9b8a9a35358ef85980d31fc5192f989a4d5d1a3826c63882888cdc10ac3c5f3918a4172bbf547643ff75532
- memory/1880-116-0x0000000000000000-mapping.dmp
- memory/1880-117-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB