General
Target

fe9462599a08f62eb6d8035dd453fad7.exe

Filesize

579KB

Completed

23-12-2021 12:46

Task

behavioral1

Score
10/10
MD5

fe9462599a08f62eb6d8035dd453fad7

SHA1

6fdf760e3768ab2797ccd271f59a48abb8b7a6bd

SHA256

0531cae688e34d09b9a7da4e5f50cedaf854d47e7d15eae958cd569a1ecf0b55

SHA512

6de9d4fa81af0bd904bc1b88339a62a4e2f46dd7575771f68e42dd77389cf96907f6af1dbbe1bf2e4e5a1e7d4cbeb4dc7cf5af23b9bde187759c405f1127ea5c

Malware Config
Signatures 14

Categories: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • DarkVNC

    Description

    DarkVNC is a malicious build of the VNC remote-desktop software, repurposed as a remote-access tool that gives the operator interactive control of the infected desktop.

  • Modifies system executable filetype association
    fe9462599a08f62eb6d8035dd453fad7.exe

    TTPs

    Modify Registry | Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | fe9462599a08f62eb6d8035dd453fad7.exe
  • Neshta

    Description

    Neshta is a file infector: it copies itself to C:\Windows\svchost.com, rewrites the exefile\shell\open\command association so that svchost.com runs ahead of every .exe launched through the shell, and writes itself into other executables it finds so that they spread it in turn (here the .exe files under Program Files, listed below as 8.3 short names; C:\PROGRA~2 is typically C:\Program Files (x86) and C:\PROGRA~3 is typically C:\ProgramData). The original host program of an infected file is extracted to %TEMP%\3582-490\ and run from there. In this run that extracted file (MD5 0ee2c60b8e99b5da3c495f1dd2861cd5) has a different hash from the submitted sample, as expected, and it is the process (PID 520) that carries the DarkVNC payload into WerFault.exe.

  • DarkVNC Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x0008000000012217-56.dat | darkvnc
    behavioral1/files/0x0008000000012217-57.dat | darkvnc
    behavioral1/files/0x0008000000012217-59.dat | darkvnc
    behavioral1/memory/872-64-0x0000000001B40000-0x0000000001C0A000-memory.dmp | darkvnc
  • Executes dropped EXE
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    pid | process
    520 | fe9462599a08f62eb6d8035dd453fad7.exe
  • Loads dropped DLL
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    pid | process
    1908 | fe9462599a08f62eb6d8035dd453fad7.exe
    1908 | fe9462599a08f62eb6d8035dd453fad7.exe
    1908 | fe9462599a08f62eb6d8035dd453fad7.exe
  • Reads user/profile data of web browsers

    Description

    Reads files from web-browser user profiles. Infostealers commonly harvest this data, which can include saved credentials and other profile contents. No individual file paths are reported for this signature in this run.

    TTPs

    Data from Local System | Credentials in Files
  • Suspicious use of SetThreadContext
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    description | pid | process | target process
    PID 520 set thread context of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
  • Drops file in Program Files directory
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
    File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | fe9462599a08f62eb6d8035dd453fad7.exe
  • Drops file in Windows directory
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | fe9462599a08f62eb6d8035dd453fad7.exe
  • Enumerates physical storage devices

    Description

    Attempts to enumerate or interact with connected storage and optical drives. The sandbox flags this as a behaviour common to ransomware; in this run it is equally consistent with a file infector (Neshta) walking drives for executables to infect, so it should not be read as a ransomware indicator on its own.

    TTPs

    System Information Discovery
  • Modifies registry class
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | fe9462599a08f62eb6d8035dd453fad7.exe
  • Suspicious behavior: MapViewOfSection
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    pid | process
    520 | fe9462599a08f62eb6d8035dd453fad7.exe
  • Suspicious use of WriteProcessMemory
    fe9462599a08f62eb6d8035dd453fad7.exe (PID 1908)
    fe9462599a08f62eb6d8035dd453fad7.exe (PID 520)

    Reported IOCs

    description | pid | process | target process
    PID 1908 wrote to memory of 520 | 1908 | fe9462599a08f62eb6d8035dd453fad7.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    PID 1908 wrote to memory of 520 | 1908 | fe9462599a08f62eb6d8035dd453fad7.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    PID 1908 wrote to memory of 520 | 1908 | fe9462599a08f62eb6d8035dd453fad7.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    PID 1908 wrote to memory of 520 | 1908 | fe9462599a08f62eb6d8035dd453fad7.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
    PID 520 wrote to memory of 872 | 520 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
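The exefile\shell\open\command hijack reported above is the one artefact of this run that survives a reboot and is cheap to audit. The script below is an added example written for this page, not code from the sandbox or from the malware: it parses a shell\open\command value the way the report prints it (quoted, backslash-escaped), tells a clean handler ("%1" %*) from an interposed one, and on Windows reads the live value. The constants mirror the reported value; the HKCU check is included because per-user Classes keys override the HKLM key and would hide from an HKLM-only audit.

```python
r"""Check whether the .exe file-association handler has been hijacked.

Added example for this report, not code from the sandbox or the malware.
On a clean Windows install the default value of
HKLM\SOFTWARE\Classes\exefile\shell\open\command is  "%1" %*  (run the
.exe itself with its arguments).  This report shows it rewritten to
C:\Windows\svchost.com "%1" %*, so svchost.com runs first and receives the
real program as its argument.  The parsing functions run anywhere; the live
registry read only works on Windows and returns None elsewhere.
"""
import sys

CLEAN_EXEFILE_COMMAND = '"%1" %*'
# The value reported by the sandbox, with its display escaping removed.
REPORTED_EXEFILE_COMMAND = r'C:\Windows\svchost.com "%1" %*'


def unescape_report_value(raw: str) -> str:
    r"""The report prints string values quoted and backslash-escaped; undo that."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace('\\\\', '\\')


def leading_program(command: str) -> str:
    r"""First token of a shell\open\command value, honouring a quoted first token."""
    command = command.strip()
    if not command:
        return ""
    if command[0] == '"':
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0]


def classify_exefile_command(command: str) -> dict:
    """Decide whether the handler still launches the target .exe directly.

    Anything other than "%1" in front means every .exe launch is routed
    through another binary first, which is the Neshta persistence trick.
    """
    program = leading_program(command)
    return {
        "program": program,
        "hijacked": program != "%1",
        "forwards_target": "%1" in command,  # the interposer still runs the original
    }


def read_live_exefile_command():
    r"""Read the effective handler from the live registry (Windows only).

    HKCU\Software\Classes overrides HKLM\Software\Classes, so the per-user
    key is checked first; a per-user hijack hides from an HKLM-only audit.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    candidates = (
        (winreg.HKEY_CURRENT_USER, r"Software\Classes\exefile\shell\open\command"),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\exefile\shell\open\command"),
    )
    for hive, path in candidates:
        try:
            with winreg.OpenKey(hive, path) as key:
                value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
                return value
        except OSError:
            continue
    return None


if __name__ == "__main__":
    for label, cmd in (("clean", CLEAN_EXEFILE_COMMAND), ("reported", REPORTED_EXEFILE_COMMAND)):
        print(label, classify_exefile_command(cmd))
    live = read_live_exefile_command()
    if live is not None:
        print("live", classify_exefile_command(live))
```

Any handler whose first token is not "%1" deserves a look, but the Neshta shape is specific: a fixed path in front, and "%1" %* kept so the original program still runs and the user notices nothing. Cleaning up the value alone is not enough here, because the infected executables under Program Files re-run the infector the next time they start.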
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\fe9462599a08f62eb6d8035dd453fad7.exe
    "C:\Users\Admin\AppData\Local\Temp\fe9462599a08f62eb6d8035dd453fad7.exe"
    Modifies system executable filetype association
    Loads dropped DLL
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe"
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe
        PID:872
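The process tree and the WriteProcessMemory / SetThreadContext rows together describe the injection chain: the extracted payload (PID 520) writes into WerFault.exe (PID 872) seven times and then sets its thread context, and the DarkVNC YARA rule fires on a memory region of PID 872. The correlation below is an added example written for this page, not the sandbox's own detection logic; its input is constructed from the rows in this report. It grades each (source, target) pair rather than alerting on every write, because a parent writing into a child it has just created (PID 1908 into PID 520 here) fires the WriteProcessMemory signature routinely and on its own says little.

```python
"""Correlate sandbox cross-process events into an injection verdict.

Added example written for this page; it is not the sandbox's own code.
The rows in the report ("PID 520 wrote to memory of 872", "PID 520 set
thread context of 872") are reproduced below as constructed input.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")

# Constructed from the report's WriteProcessMemory and SetThreadContext tables:
# (description, source image, target image)
SAMPLE_EVENTS = (
    [("PID 1908 wrote to memory of 520", "fe9462599a08f62eb6d8035dd453fad7.exe",
      "fe9462599a08f62eb6d8035dd453fad7.exe")] * 4
    + [("PID 520 wrote to memory of 872", "fe9462599a08f62eb6d8035dd453fad7.exe",
        "WerFault.exe")] * 7
    + [("PID 520 set thread context of 872", "fe9462599a08f62eb6d8035dd453fad7.exe",
        "WerFault.exe")]
)


def parse_event(description, src_image, dst_image):
    """Turn one report row into a dict, or None if it is not a cross-process event."""
    m = EVENT_RE.fullmatch(description.strip())
    if not m:
        return None
    return {"src": int(m.group(1)), "kind": m.group(2), "dst": int(m.group(3)),
            "src_image": src_image, "dst_image": dst_image}


def find_injection_chains(events, payload_pids=frozenset()):
    """Group events by (source pid, target pid) and grade each pair.

    payload_pids: pids whose memory matched a payload YARA rule (the report's
    "DarkVNC Payload" hit on memory/872-64 is the example here).
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0})
    for row in events:
        ev = parse_event(*row)
        if ev is None:
            continue
        slot = pairs[(ev["src"], ev["dst"])]
        slot["src_image"], slot["dst_image"] = ev["src_image"], ev["dst_image"]
        if ev["kind"] == "wrote to memory of":
            slot["writes"] += 1
        else:
            slot["set_context"] += 1

    findings = []
    for (src, dst), s in sorted(pairs.items()):
        # Writes followed by SetThreadContext on the same target is the classic
        # hollowing / thread-hijack shape; a payload match in the target's memory
        # confirms that the written bytes were the second stage.
        if s["set_context"] and s["writes"]:
            confidence = "high" if dst in payload_pids else "medium"
            verdict = "process hollowing / thread hijack into " + s["dst_image"]
        elif s["writes"]:
            # A parent writing to a child it has just created is routine
            # process-creation plumbing and fires this signature on its own.
            confidence = "low"
            verdict = "cross-process write without SetThreadContext"
        else:
            confidence = "medium"
            verdict = "SetThreadContext without observed write"
        findings.append({"src": src, "dst": dst, "src_image": s["src_image"],
                         "dst_image": s["dst_image"], "writes": s["writes"],
                         "set_context": s["set_context"], "confidence": confidence,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(SAMPLE_EVENTS, payload_pids={872}):
        print(f"{f['src']} -> {f['dst']} ({f['dst_image']}): {f['verdict']} [{f['confidence']}]")
```

Run on the report's rows, the 520 to 872 pair comes out high-confidence (writes, SetThreadContext, payload match in the target) and the 1908 to 520 pair low-confidence. Tying the verdict to the pair, not to the individual API, is what keeps the ordinary parent-to-child writes from drowning the real injection.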
Network
MITRE ATT&CK Matrix (tactic columns): Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe
    MD5    0ee2c60b8e99b5da3c495f1dd2861cd5
    SHA1   0d040ef434e0db2679ce78ec8996895399cc2cf9
    SHA256 1ca91e55867ad256da14a7b0c5679e94395da033e87aab24c9a9187963829a87
    SHA512 996ae9cc73b2aee3049975c757210724b838e959fd79c811b80ea1b0c23a6949e40805f62a77a66400ae5e1b3d5d97dc0af28b8ff474794068efa43a6f4e9005
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5    9e2b9928c89a9d0da1d3e8f4bd96afa7
    SHA1   ec66cda99f44b62470c6930e5afda061579cde35
    SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
    SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
  • \Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe
    MD5    0ee2c60b8e99b5da3c495f1dd2861cd5
    SHA1   0d040ef434e0db2679ce78ec8996895399cc2cf9
    SHA256 1ca91e55867ad256da14a7b0c5679e94395da033e87aab24c9a9187963829a87
    SHA512 996ae9cc73b2aee3049975c757210724b838e959fd79c811b80ea1b0c23a6949e40805f62a77a66400ae5e1b3d5d97dc0af28b8ff474794068efa43a6f4e9005
  • memory/520-58-0x0000000000000000-mapping.dmp
  • memory/872-62-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp
  • memory/872-61-0x0000000000000000-mapping.dmp
  • memory/872-63-0x00000000001F0000-0x00000000001F1000-memory.dmp
  • memory/872-64-0x0000000001B40000-0x0000000001C0A000-memory.dmp
  • memory/1908-55-0x0000000076731000-0x0000000076733000-memory.dmp