General

Target      fe9462599a08f62eb6d8035dd453fad7.exe
Filesize    579KB
Completed   23-12-2021 12:46
Task        behavioral2
Score       10/10
MD5         fe9462599a08f62eb6d8035dd453fad7
SHA1        6fdf760e3768ab2797ccd271f59a48abb8b7a6bd
SHA256      0531cae688e34d09b9a7da4e5f50cedaf854d47e7d15eae958cd569a1ecf0b55
SHA512      6de9d4fa81af0bd904bc1b88339a62a4e2f46dd7575771f68e42dd77389cf96907f6af1dbbe1bf2e4e5a1e7d4cbeb4dc7cf5af23b9bde187759c405f1127ea5c

Malware Config
Signatures (13)

Tactics covered: Collection, Credential Access, Defense Evasion, Discovery, Persistence

  • DarkVNC

    Description

    DarkVNC is a hidden-VNC (hVNC) remote-access tool built on the VNC protocol. Malware uses it to drive the victim's desktop on a separate, invisible virtual desktop, so the operator's session leaves no trace on the screen the user sees. In this run it is the second-stage payload injected into WerFault.exe (PID 1156; see the DarkVNC Payload signature below).

  • Modifies system executable filetype association
    fe9462599a08f62eb6d8035dd453fad7.exe

    Description

    The default exefile open command on a clean system is "%1" %*. This write prepends the dropped C:\Windows\svchost.com (the Neshta loader), so every .exe the user or the OS launches runs through the infector first, which then starts the requested program. Remediation must restore this value before svchost.com is deleted; removing the file while the key still points at it breaks every program launch on the host.

    TTPs

    Modify Registry; Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | fe9462599a08f62eb6d8035dd453fad7.exe
  • Neshta

    Description

    Neshta is a file infector: it prepends its own body to every .exe it can write to (the Program Files writes below are this scan in progress), drops its loader as C:\Windows\svchost.com, and hijacks the exefile association so it is re-executed on every program launch. When an infected file runs, the loader writes the original host program to %TEMP%\3582-490\ and starts it, which is why the sample appears twice in the process tree.


  • DarkVNC Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000800000001ab43-116.dat | darkvnc
    behavioral2/files/0x000800000001ab43-117.dat | darkvnc
    behavioral2/memory/1156-120-0x00000240D8F40000-0x00000240D900A000-memory.dmp | darkvnc
  • Executes dropped EXE
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    pid | process
    612 | fe9462599a08f62eb6d8035dd453fad7.exe (C:\Users\Admin\AppData\Local\Temp\3582-490\, the de-infected host program written out by the Neshta loader)
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Suspicious use of SetThreadContext
    fe9462599a08f62eb6d8035dd453fad7.exe

    Description

    Together with the WriteProcessMemory calls from PID 612 into PID 1156 and the darkvnc YARA match on PID 1156's memory, this is process hollowing: the dropped copy starts WerFault.exe, overwrites its image with the DarkVNC payload and redirects its primary thread to the new entry point.

    Reported IOCs

    description | pid | process | target process
    PID 612 set thread context of 1156 | 612 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
  • Drops file in Program Files directory
    fe9462599a08f62eb6d8035dd453fad7.exe

    Description

    Every path below is an existing executable opened for writing by PID 3160: Neshta's infection pass over installed software. Paths are reported in 8.3 short form (on a typical 64-bit install PROGRA~2 is Program Files (x86) and PROGRA~3 is ProgramData). Each of these files should be treated as infected after the run.

    Reported IOCs

    description: File opened for modification; process: fe9462599a08f62eb6d8035dd453fad7.exe (PID 3160) for every row

    ioc
    C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
    C:\PROGRA~2\WI54FB~1\setup_wm.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
    C:\PROGRA~2\WI54FB~1\wmpshare.exe
    C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
    C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
    C:\PROGRA~2\Google\Update\DISABL~1.EXE
    C:\PROGRA~2\INTERN~1\ieinstal.exe
    C:\PROGRA~2\WI54FB~1\wmpconfig.exe
    C:\PROGRA~2\WINDOW~2\wabmig.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
    C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
    C:\PROGRA~2\WINDOW~2\WinMail.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    C:\PROGRA~2\INTERN~1\iexplore.exe
    C:\PROGRA~2\WI54FB~1\wmlaunch.exe
    C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
    C:\PROGRA~2\WI54FB~1\wmplayer.exe
    C:\PROGRA~2\WINDOW~2\wab.exe
    C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
    C:\PROGRA~2\INTERN~1\ielowutil.exe
    C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
    C:\PROGRA~2\INTERN~1\ExtExport.exe
    C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
    C:\PROGRA~2\WI54FB~1\wmprph.exe
  • Drops file in Windows directory
    fe9462599a08f62eb6d8035dd453fad7.exe

    Description

    C:\Windows\svchost.com is the Neshta loader, named to blend in with the legitimate C:\Windows\System32\svchost.exe; the .com extension and the location directly under C:\Windows are the giveaways. It is the target of the hijacked exefile association above.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | fe9462599a08f62eb6d8035dd453fad7.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but in this sample it is consistent with Neshta walking the mounted drives for executables to infect (see the Program Files writes above); no encryption or ransom activity is reported.

    TTPs

    System Information Discovery
  • Modifies registry class
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | fe9462599a08f62eb6d8035dd453fad7.exe
  • Suspicious behavior: MapViewOfSection
    fe9462599a08f62eb6d8035dd453fad7.exe

    Reported IOCs

    pid | process
    612 | fe9462599a08f62eb6d8035dd453fad7.exe
  • Suspicious use of WriteProcessMemory
    fe9462599a08f62eb6d8035dd453fad7.exe (PID 3160), fe9462599a08f62eb6d8035dd453fad7.exe (PID 612)

    Reported IOCs

    description | pid | process | target process
    PID 3160 wrote to memory of 612 (3 writes) | 3160 | fe9462599a08f62eb6d8035dd453fad7.exe | fe9462599a08f62eb6d8035dd453fad7.exe
    PID 612 wrote to memory of 1156 (5 writes) | 612 | fe9462599a08f62eb6d8035dd453fad7.exe | WerFault.exe
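The exefile hijack is the one finding in this report that determines how a host has to be cleaned. The Python below is an added example written for this page, not code from the sandbox, from Tria.ge or from the sample: it parses registry rows in the report's "Set value (str)<key> = "<data>"" shape, flags any exefile open command other than the clean default "%1" %*, and returns the remediation in the only safe order (restore the key, then delete the launcher). The first sample row is the row from this report; the other rows are constructed, and the per-user (HKCU\Software\Classes) case goes beyond what this report shows, since a per-user exefile key overrides the machine one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Clean default data of HKLM\SOFTWARE\Classes\exefile\shell\open\command.
# Anything else means every .exe launch on the host is routed through an interposer.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Matches the report's flattened "Set value (<type>)<key> = "<data>"" rows.
# The report escapes backslashes and double quotes inside <data>.
_SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)(?P<key>\\REGISTRY\\[^=]+?)\s*=\s*"(?P<data>.*)"$'
)


@dataclass
class RegistrySet:
    value_type: str
    key: str
    data: str


def parse_set_value(line: str) -> Optional[RegistrySet]:
    """Parse one 'Set value' IOC row; return None for rows of any other shape."""
    m = _SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
    return RegistrySet(m.group("type"), m.group("key").rstrip("\\"), data)


def exefile_hijack(entry: RegistrySet) -> Optional[str]:
    """Return the interposed launcher if this write hijacks the exefile open command.

    Handles both the machine hive (\\REGISTRY\\MACHINE\\SOFTWARE\\Classes) and a
    per-user override (\\REGISTRY\\USER\\<SID>\\Software\\Classes), which wins over HKLM.
    """
    if not entry.key.lower().endswith("\\classes\\exefile\\shell\\open\\command"):
        return None
    cmd = entry.data.strip()
    if cmd == CLEAN_EXEFILE_COMMAND:
        return None
    # Whatever precedes "%1" now runs instead of, or before, the program the user opened.
    launcher = cmd.split('"%1"')[0].strip()
    return launcher or cmd


def triage(report_lines: List[str]) -> List[dict]:
    """Scan sandbox IOC rows and report every exefile association hijack."""
    findings = []
    for line in report_lines:
        entry = parse_set_value(line)
        if entry is None:
            continue
        launcher = exefile_hijack(entry)
        if launcher:
            findings.append({"key": entry.key, "launcher": launcher, "command": entry.data})
    return findings


def remediation_steps(finding: dict) -> List[str]:
    """Order matters: restore the association first, then remove the launcher.

    Deleting the interposer while the key still points at it breaks every .exe launch.
    """
    hive = "HKLM" if "\\MACHINE\\" in finding["key"].upper() else "HKCU"
    return [
        f'reg add {hive}\\SOFTWARE\\Classes\\exefile\\shell\\open\\command /ve /t REG_SZ /d "\\"%1\\" %*" /f',
        f'del /f "{finding["launcher"]}"',
    ]


# Constructed sample rows: the first is the row from this report; the rest are made up
# to show a clean write, an unrelated Run key, a per-user hijack and a non-registry row.
SAMPLE_LINES = [
    r'Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"',
    r'Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"',
    r'Set value (str)\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\u.exe"',
    r'Set value (str)\REGISTRY\USER\S-1-5-21-1000\Software\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\x.exe \"%1\" %*"',
    "File opened for modification C:\\Windows\\svchost.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["key"], "->", f["launcher"])
        for step in remediation_steps(f):
            print("   ", step)
```

Run against the sample rows it reports the svchost.com hijack from this page and the constructed HKCU one, and nothing for the clean write or the Run key. Whatever sits before "%1" is the launcher; a hijack that appends something after %* instead would not be caught by the split, which is why the function falls back to returning the whole command when nothing precedes "%1".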
Processes (3)

  • C:\Users\Admin\AppData\Local\Temp\fe9462599a08f62eb6d8035dd453fad7.exe  (PID 3160)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fe9462599a08f62eb6d8035dd453fad7.exe"
    Signatures: Modifies system executable filetype association; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe  (PID 612, child of 3160)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      • C:\Windows\system32\WerFault.exe  (PID 1156, child of 612)
        Command line: C:\Windows\system32\WerFault.exe
        No signatures of its own; launched with no arguments and used as the host for the DarkVNC payload (memory/1156-120 matched the darkvnc YARA rule)
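The chain PID 612 -> PID 1156 above (five WriteProcessMemory calls, one SetThreadContext, a WerFault.exe started with no arguments, and a darkvnc YARA hit in PID 1156's memory) is textbook process hollowing, and the same pattern is easy to score from any sandbox or EDR event stream. The detector below is an added example, not code from the sandbox or from the sample: it takes a process list and cross-process API calls, requires at least WriteProcessMemory plus SetThreadContext into another process before it says anything, and then adds context (child of the injector, system binary hollowed by a non-system binary, WerFault.exe without its usual -p/-s crash-report arguments). The sample data mirrors this report's tree; the parent PID of 3160 and the benign crash-report case (PIDs 2000 and 2001) are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class ApiCall:
    api: str         # e.g. "WriteProcessMemory", "SetThreadContext", "MapViewOfSection"
    pid: int         # caller
    target_pid: int  # process whose memory/threads were touched (== pid for in-process calls)


SYSTEM_DIR = "c:\\windows\\"
# The minimum cross-process pair for classic hollowing: write the payload image into the
# target, then point its primary thread at the new entry point.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def is_system_image(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIR)


def werfault_args_look_legit(cmdline: str) -> bool:
    """A crash-reporting WerFault.exe is started as '... -u -p <pid> -s <handle>';
    a bare WerFault.exe with no arguments does not occur in normal operation."""
    parts = cmdline.lower().split()
    return "-p" in parts and "-s" in parts


def find_hollowing(procs: List[Process], calls: List[ApiCall]) -> List[dict]:
    """Return one finding per (source, target) pair that shows the hollowing pattern."""
    by_pid = {p.pid: p for p in procs}
    touched: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for c in calls:
        if c.pid != c.target_pid:
            touched[(c.pid, c.target_pid)].add(c.api)

    findings = []
    for (src, dst), apis in touched.items():
        if not HOLLOWING_APIS <= apis:
            continue  # a parent writing into its child alone is not enough evidence
        source, target = by_pid.get(src), by_pid.get(dst)
        if source is None or target is None:
            continue
        reasons = ["WriteProcessMemory + SetThreadContext into another process"]
        if target.ppid == src:
            reasons.append("target was created by the injecting process (suspended-start pattern)")
        if is_system_image(target.image) and not is_system_image(source.image):
            reasons.append("non-system binary hollowing a Windows system binary")
        if target.image.lower().endswith("werfault.exe") and not werfault_args_look_legit(target.cmdline):
            reasons.append("WerFault.exe started without -p/-s crash-report arguments")
        findings.append({"source": src, "target": dst, "target_image": target.image, "reasons": reasons})
    return findings


# Constructed sample mirroring this report's process tree and API attribution,
# plus a made-up legitimate crash report (PID 2000 -> 2001) that must not be flagged.
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
WERFAULT = "C:\\Windows\\system32\\WerFault.exe"
SAMPLE_PROCS = [
    Process(3160, 1, TMP + "fe9462599a08f62eb6d8035dd453fad7.exe", '"' + TMP + 'fe9462599a08f62eb6d8035dd453fad7.exe"'),
    Process(612, 3160, TMP + "3582-490\\fe9462599a08f62eb6d8035dd453fad7.exe", '"' + TMP + '3582-490\\fe9462599a08f62eb6d8035dd453fad7.exe"'),
    Process(1156, 612, WERFAULT, WERFAULT),
    Process(2000, 1, "C:\\Program Files\\App\\app.exe", '"C:\\Program Files\\App\\app.exe"'),
    Process(2001, 2000, WERFAULT, WERFAULT + " -u -p 2000 -s 1234"),
]
SAMPLE_CALLS = (
    [ApiCall("WriteProcessMemory", 3160, 612)] * 3
    + [ApiCall("WriteProcessMemory", 612, 1156)] * 5
    + [ApiCall("SetThreadContext", 612, 1156), ApiCall("MapViewOfSection", 612, 612)]
)

if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_PROCS, SAMPLE_CALLS):
        print(f"{f['source']} -> {f['target']} ({f['target_image']})")
        for r in f["reasons"]:
            print("   ", r)
```

On the sample data only the 612 -> 1156 pair is reported, with all four reasons. The three writes from PID 3160 into PID 612 are deliberately not flagged: the Neshta loader writing into the child it just created is what the report shows, but without SetThreadContext (or a ResumeThread after a suspended create) it is indistinguishable from ordinary process start-up, and alerting on it would page on every installer.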
Network
MITRE ATT&CK Matrix

Tactics and techniques mapped from the signatures above:
  • Persistence / Privilege Escalation: Change Default File Association (T1546.001)
  • Defense Evasion: Modify Registry (T1112); the WerFault.exe injection is Process Hollowing (T1055.012), which the sandbox reports only as the SetThreadContext/WriteProcessMemory signatures
  • Credential Access: Credentials in Files (T1552.001)
  • Collection: Data from Local System (T1005)
  • Discovery: System Information Discovery (T1082)
Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe
    MD5     0ee2c60b8e99b5da3c495f1dd2861cd5
    SHA1    0d040ef434e0db2679ce78ec8996895399cc2cf9
    SHA256  1ca91e55867ad256da14a7b0c5679e94395da033e87aab24c9a9187963829a87
    SHA512  996ae9cc73b2aee3049975c757210724b838e959fd79c811b80ea1b0c23a6949e40805f62a77a66400ae5e1b3d5d97dc0af28b8ff474794068efa43a6f4e9005
    Its hashes differ from the submitted file: this is the host program Neshta was carrying, written out without the infector body and run as PID 612. It is the process that hollows WerFault.exe with DarkVNC, so the submitted sample is a DarkVNC loader that has itself been infected by Neshta; both components need their own indicators.

  • memory/612-115-0x0000000000000000-mapping.dmp
  • memory/1156-118-0x0000000000000000-mapping.dmp
  • memory/1156-119-0x00000240D8CE0000-0x00000240D8D09000-memory.dmp
  • memory/1156-120-0x00000240D8F40000-0x00000240D900A000-memory.dmp  (matched YARA rule darkvnc)