Analysis
-
max time kernel
121s -
max time network
130s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
23-12-2021 12:44
Behavioral task
behavioral1
Sample
fe9462599a08f62eb6d8035dd453fad7.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
fe9462599a08f62eb6d8035dd453fad7.exe
-
Size
579KB
-
MD5
fe9462599a08f62eb6d8035dd453fad7
-
SHA1
6fdf760e3768ab2797ccd271f59a48abb8b7a6bd
-
SHA256
0531cae688e34d09b9a7da4e5f50cedaf854d47e7d15eae958cd569a1ecf0b55
-
SHA512
6de9d4fa81af0bd904bc1b88339a62a4e2f46dd7575771f68e42dd77389cf96907f6af1dbbe1bf2e4e5a1e7d4cbeb4dc7cf5af23b9bde187759c405f1127ea5c
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" fe9462599a08f62eb6d8035dd453fad7.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
DarkVNC Payload 3 IoCs
resource yara_rule behavioral2/files/0x000800000001ab43-116.dat darkvnc behavioral2/files/0x000800000001ab43-117.dat darkvnc behavioral2/memory/1156-120-0x00000240D8F40000-0x00000240D900A000-memory.dmp darkvnc -
Executes dropped EXE 1 IoCs
pid Process 612 fe9462599a08f62eb6d8035dd453fad7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 612 set thread context of 1156 612 fe9462599a08f62eb6d8035dd453fad7.exe 69 -
Drops file in Program Files directory 53 IoCs
description ioc Process File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE fe9462599a08f62eb6d8035dd453fad7.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe fe9462599a08f62eb6d8035dd453fad7.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com fe9462599a08f62eb6d8035dd453fad7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" fe9462599a08f62eb6d8035dd453fad7.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 612 fe9462599a08f62eb6d8035dd453fad7.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3160 wrote to memory of 612 3160 fe9462599a08f62eb6d8035dd453fad7.exe 68 PID 3160 wrote to memory of 612 3160 fe9462599a08f62eb6d8035dd453fad7.exe 68 PID 3160 wrote to memory of 612 3160 fe9462599a08f62eb6d8035dd453fad7.exe 68 PID 612 wrote to memory of 1156 612 fe9462599a08f62eb6d8035dd453fad7.exe 69 PID 612 wrote to memory of 1156 612 fe9462599a08f62eb6d8035dd453fad7.exe 69 PID 612 wrote to memory of 1156 612 fe9462599a08f62eb6d8035dd453fad7.exe 69 PID 612 wrote to memory of 1156 612 fe9462599a08f62eb6d8035dd453fad7.exe 69 PID 612 wrote to memory of 1156 612 fe9462599a08f62eb6d8035dd453fad7.exe 69
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe9462599a08f62eb6d8035dd453fad7.exe"C:\Users\Admin\AppData\Local\Temp\fe9462599a08f62eb6d8035dd453fad7.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\fe9462599a08f62eb6d8035dd453fad7.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe3⤵PID:1156
-
-