Malware Analysis Report

2024-09-22 16:46

Sample ID 211223-ks31eshdd6
Target 93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd
SHA256 93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd
Tags
darkvnc neshta redline runpe discovery infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd

Threat Level: Known bad

The file 93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd was found to be: Known bad.

Malicious Activity Summary

darkvnc neshta redline runpe discovery infostealer persistence rat spyware stealer

Neshta

Modifies system executable filetype association

DarkVNC

RedLine

Detect Neshta Payload

RedLine Payload

DarkVNC Payload

Executes dropped EXE

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2021-12-23 08:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-23 08:52

Reported

2021-12-23 08:55

Platform

win10-en-20211208

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe"

Signatures

DarkVNC

rat darkvnc

Detect Neshta Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\ProgramData\5922_1640024838_6584.exe N/A

Neshta

persistence spyware neshta

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

DarkVNC Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\5922_1640024838_6584.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 420 set thread context of 1184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe C:\Windows\system32\WerFault.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\ProgramData\5922_1640024838_6584.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\ProgramData\5922_1640024838_6584.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\ProgramData\5922_1640024838_6584.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\ProgramData\5922_1640024838_6584.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2608 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe C:\ProgramData\5922_1640024838_6584.exe
PID 2608 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe C:\ProgramData\5922_1640024838_6584.exe
PID 2608 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe C:\ProgramData\5922_1640024838_6584.exe
PID 660 wrote to memory of 420 N/A C:\ProgramData\5922_1640024838_6584.exe C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe
PID 660 wrote to memory of 420 N/A C:\ProgramData\5922_1640024838_6584.exe C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe
PID 660 wrote to memory of 420 N/A C:\ProgramData\5922_1640024838_6584.exe C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe
PID 420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe C:\Windows\system32\WerFault.exe
PID 420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe C:\Windows\system32\WerFault.exe
PID 420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe C:\Windows\system32\WerFault.exe
PID 420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe C:\Windows\system32\WerFault.exe
PID 420 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe

"C:\Users\Admin\AppData\Local\Temp\93b96a1511a6f2084db207b831e3e072d8e5a4901592db660d456d10e5f618dd.exe"

C:\ProgramData\5922_1640024838_6584.exe

"C:\ProgramData\5922_1640024838_6584.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 data-file-data-7.com udp
HK 47.243.113.187:80 data-file-data-7.com tcp
HK 47.243.113.187:80 data-file-data-7.com tcp
US 23.83.133.126:80 tcp
US 23.83.133.126:80 tcp
US 142.202.242.172:7667 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp
FR 2.18.105.186:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp
FR 2.18.105.186:80 tcp

Files

memory/2608-115-0x000001E9C8DB0000-0x000001E9C8E62000-memory.dmp

memory/2608-116-0x000001E9C8DB0000-0x000001E9C8E62000-memory.dmp

memory/2608-117-0x000001E9C9150000-0x000001E9C9174000-memory.dmp

memory/2608-118-0x000001E9E3450000-0x000001E9E3452000-memory.dmp

memory/660-119-0x0000000000000000-mapping.dmp

C:\ProgramData\5922_1640024838_6584.exe

MD5 fe9462599a08f62eb6d8035dd453fad7
SHA1 6fdf760e3768ab2797ccd271f59a48abb8b7a6bd
SHA256 0531cae688e34d09b9a7da4e5f50cedaf854d47e7d15eae958cd569a1ecf0b55
SHA512 6de9d4fa81af0bd904bc1b88339a62a4e2f46dd7575771f68e42dd77389cf96907f6af1dbbe1bf2e4e5a1e7d4cbeb4dc7cf5af23b9bde187759c405f1127ea5c

C:\ProgramData\5922_1640024838_6584.exe

MD5 fe9462599a08f62eb6d8035dd453fad7
SHA1 6fdf760e3768ab2797ccd271f59a48abb8b7a6bd
SHA256 0531cae688e34d09b9a7da4e5f50cedaf854d47e7d15eae958cd569a1ecf0b55
SHA512 6de9d4fa81af0bd904bc1b88339a62a4e2f46dd7575771f68e42dd77389cf96907f6af1dbbe1bf2e4e5a1e7d4cbeb4dc7cf5af23b9bde187759c405f1127ea5c

memory/420-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe

MD5 0ee2c60b8e99b5da3c495f1dd2861cd5
SHA1 0d040ef434e0db2679ce78ec8996895399cc2cf9
SHA256 1ca91e55867ad256da14a7b0c5679e94395da033e87aab24c9a9187963829a87
SHA512 996ae9cc73b2aee3049975c757210724b838e959fd79c811b80ea1b0c23a6949e40805f62a77a66400ae5e1b3d5d97dc0af28b8ff474794068efa43a6f4e9005

C:\Users\Admin\AppData\Local\Temp\3582-490\5922_1640024838_6584.exe

MD5 0ee2c60b8e99b5da3c495f1dd2861cd5
SHA1 0d040ef434e0db2679ce78ec8996895399cc2cf9
SHA256 1ca91e55867ad256da14a7b0c5679e94395da033e87aab24c9a9187963829a87
SHA512 996ae9cc73b2aee3049975c757210724b838e959fd79c811b80ea1b0c23a6949e40805f62a77a66400ae5e1b3d5d97dc0af28b8ff474794068efa43a6f4e9005

memory/1184-125-0x0000000000000000-mapping.dmp

memory/1184-127-0x000001F63BEF0000-0x000001F63BFBA000-memory.dmp

memory/1184-126-0x000001F63BD70000-0x000001F63BD99000-memory.dmp

memory/2608-128-0x000001E9E3420000-0x000001E9E3440000-memory.dmp

memory/2608-129-0x000001E9E3670000-0x000001E9E377A000-memory.dmp

memory/2608-130-0x000001E9E3580000-0x000001E9E3592000-memory.dmp

memory/2608-131-0x000001E9E35E0000-0x000001E9E361E000-memory.dmp

memory/2608-132-0x000001E9E3800000-0x000001E9E3876000-memory.dmp

memory/2608-133-0x000001E9E35A0000-0x000001E9E35BE000-memory.dmp

memory/2608-134-0x000001E9E3BB0000-0x000001E9E3D72000-memory.dmp

memory/2608-135-0x000001E9E42B0000-0x000001E9E47D6000-memory.dmp

memory/2608-136-0x000001E9E3452000-0x000001E9E3454000-memory.dmp

memory/2608-137-0x000001E9E3980000-0x000001E9E39D0000-memory.dmp