Analysis Overview
SHA256
93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd
Threat Level: Known bad
The file 93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd was found to be: Known bad.
Malicious Activity Summary
Neshta
Modifies system executable filetype association
DarkVNC
RedLine
Detect Neshta Payload
RedLine Payload
DarkVNC Payload
Executes dropped EXE
Downloads MZ/PE file
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-23 08:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-23 08:52
Reported
2021-12-23 08:55
Platform
win10-en-20211208
Max time kernel
143s
Max time network
146s
Command Line
Signatures
DarkVNC
Detect Neshta Payload
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\ProgramData\5922_1640024838_6584.exe | N/A |
Neshta
RedLine
RedLine Payload
DarkVNC Payload
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 420 set thread context of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe | C:\Windows\system32\WerFault.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\ProgramData\5922_1640024838_6584.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\ProgramData\5922_1640024838_6584.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\ProgramData\5922_1640024838_6584.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\ProgramData\5922_1640024838_6584.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe
"C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe"
C:\ProgramData\5922_1640024838_6584.exe
"C:\ProgramData\5922_1640024838_6584.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | data-file-data-7.com | udp |
| HK | 47.243.113.187:80 | data-file-data-7.com | tcp |
| HK | 47.243.113.187:80 | data-file-data-7.com | tcp |
| US | 23.83.133.126:80 | | tcp |
| US | 23.83.133.126:80 | | tcp |
| US | 142.202.242.172:7667 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| FR | 2.18.105.186:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
| FR | 2.18.105.186:80 | | tcp |
Files
memory/2608-115-0x000001E9C8DB0000-0x000001E9C8E62000-memory.dmp
memory/2608-116-0x000001E9C8DB0000-0x000001E9C8E62000-memory.dmp
memory/2608-117-0x000001E9C9150000-0x000001E9C9174000-memory.dmp
memory/2608-118-0x000001E9E3450000-0x000001E9E3452000-memory.dmp
memory/660-119-0x0000000000000000-mapping.dmp
C:\ProgramData\5922_1640024838_6584.exe
| MD5 | fe9462599a08f62eb6d8035dd453fad7 |
| SHA1 | 6fdf760e3768ab2797ccd271f59a48abb8b7a6bd |
| SHA256 | 0531cae688e34d09b9a7da4e5f50cedaf854d47e7d15eae958cd569a1ecf0b55 |
| SHA512 | 6de9d4fa81af0bd904bc1b88339a62a4e2f46dd7575771f68e42dd77389cf96907f6af1dbbe1bf2e4e5a1e7d4cbeb4dc7cf5af23b9bde187759c405f1127ea5c |
memory/420-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe
| MD5 | 0ee2c60b8e99b5da3c495f1dd2861cd5 |
| SHA1 | 0d040ef434e0db2679ce78ec8996895399cc2cf9 |
| SHA256 | 1ca91e55867ad256da14a7b0c5679e94395da033e87aab24c9a9187963829a87 |
| SHA512 | 996ae9cc73b2aee3049975c757210724b838e959fd79c811b80ea1b0c23a6949e40805f62a77a66400ae5e1b3d5d97dc0af28b8ff474794068efa43a6f4e9005 |