Analysis
max time kernel: 121s
max time network: 134s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23-12-2021 08:45
Static task: static1
Behavioral task: behavioral1
  Sample: ce8db50913eff9d4e600312d7c446b4a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ce8db50913eff9d4e600312d7c446b4a.exe
  Resource: win10-en-20211208
General
Target: ce8db50913eff9d4e600312d7c446b4a.exe
Size: 691KB
MD5: ce8db50913eff9d4e600312d7c446b4a
SHA1: 6ed1b7efb1acb82b5856824a66b0a70af319109f
SHA256: 93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd
SHA512: 74f979d6678ab68b6063b8497f37303d41c0f084ee198d0260fd90fc28aa8a1e1cc55a8bcd65cff7c05338bc93e23b33767efa1d0c8974a1a3039916835d05e4
Malware Config
Extracted
redline
runpe
142.202.242.172:7667
Signatures
Detect Neshta Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000800000001ab44-120.dat | family_neshta
behavioral2/files/0x000800000001ab44-121.dat | family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5922_1640024838_6584.exe
Neshta
Malware in the Neshta family infects other executable files with copies of itself in order to spread and cause damage.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (1 IoCs)
resource | yara_rule
behavioral2/memory/2428-126-0x000002B96D5B0000-0x000002B96D5D0000-memory.dmp | family_redline
DarkVNC Payload (5 IoCs)
resource | yara_rule
behavioral2/files/0x000800000001ab44-120.dat | darkvnc
behavioral2/files/0x000800000001ab44-121.dat | darkvnc
behavioral2/files/0x000200000001ab4e-123.dat | darkvnc
behavioral2/files/0x000200000001ab4e-124.dat | darkvnc
behavioral2/memory/1328-131-0x000001E39AA50000-0x000001E39AB1A000-memory.dmp | darkvnc
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
pid | Process
2696 | 5922_1640024838_6584.exe
3972 | 5922_1640024838_6584.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3972 set thread context of 1328 | 3972 | 5922_1640024838_6584.exe | 71
Drops file in Program Files directory (53 IoCs)
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 5922_1640024838_6584.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5922_1640024838_6584.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2428 | ce8db50913eff9d4e600312d7c446b4a.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
3972 | 5922_1640024838_6584.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2428 | ce8db50913eff9d4e600312d7c446b4a.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2428 wrote to memory of 2696 | 2428 | ce8db50913eff9d4e600312d7c446b4a.exe | 69
PID 2428 wrote to memory of 2696 | 2428 | ce8db50913eff9d4e600312d7c446b4a.exe | 69
PID 2428 wrote to memory of 2696 | 2428 | ce8db50913eff9d4e600312d7c446b4a.exe | 69
PID 2696 wrote to memory of 3972 | 2696 | 5922_1640024838_6584.exe | 70
PID 2696 wrote to memory of 3972 | 2696 | 5922_1640024838_6584.exe | 70
PID 2696 wrote to memory of 3972 | 2696 | 5922_1640024838_6584.exe | 70
PID 3972 wrote to memory of 1328 | 3972 | 5922_1640024838_6584.exe | 71
PID 3972 wrote to memory of 1328 | 3972 | 5922_1640024838_6584.exe | 71
PID 3972 wrote to memory of 1328 | 3972 | 5922_1640024838_6584.exe | 71
PID 3972 wrote to memory of 1328 | 3972 | 5922_1640024838_6584.exe | 71
PID 3972 wrote to memory of 1328 | 3972 | 5922_1640024838_6584.exe | 71
Processes
C:\Users\Admin\AppData\Local\Temp\ce8db50913eff9d4e600312d7c446b4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce8db50913eff9d4e600312d7c446b4a.exe"
  PID: 2428
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\5922_1640024838_6584.exe
    Command line: "C:\ProgramData\5922_1640024838_6584.exe"
    PID: 2696
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe"
      PID: 3972
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe
        PID: 1328