Overview

overview

10

Static

static

10

fb3e6bcac1...80.exe

windows7-x64

10

fb3e6bcac1...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2022 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe

  • Size

    692KB

  • MD5

    38fe8a92a7e43b48e6d9c9ae13e2e9c0

  • SHA1

    4d216a2a888f543ba196fa1aea22f4bc30e3189a

  • SHA256

    fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480

  • SHA512

    6b2031a308da1ee6e422bc39ba8ccf53562b29d757979beb9a41d0e39e0b35a27b0cc5fc97b994822c5574c4adb46f42249d540b6b159fb0ee309410408a718c

  • SSDEEP

    12288:/1IrmedBigNA8BmUE5h4ytt0FPSQ1WjHo9zFaOw3D6S:8maB3FmUEj4ytt0FPB1SomB

Score
10/10
neshtaramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe
    "C:\Users\Admin\AppData\Local\Temp\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480mgr.exe
        C:\Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1856
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1904
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{400D9EB1-6997-11ED-8553-72598884447E}.dat
    Filesize

    3KB

    MD5

    4a6bfe69c139678068f65c851ddad4ae

    SHA1

    05ca46c9ca661c1472456d36970356adfca0e625

    SHA256

    58204d8ec7224af52a73836d4a652b7d565ef2b1eb643c52a31ab084286e7eb7

    SHA512

    271fe7f07220e2695f132a0f7c81889e86131d71907fcdfdabd59ca051778f4f23a16300af6e01c389475c0dfc1ff0f0e6fc9a22935476c1b577d4a7e099495d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{400DC5C1-6997-11ED-8553-72598884447E}.dat
    Filesize

    3KB

    MD5

    5f7e30c3c9f0d04997c8caf3604914ec

    SHA1

    af8687d32b652f862ade40e65ff4f0cdf03cadd9

    SHA256

    b3c84c8590e86eb8d0a0536aa9bf448033b8d69dd5d2b79447afa640e42e2ea0

    SHA512

    a05d09403371ec22d55b6976e4d764cdfef7e52ddda26571b60ea43afd404eb54621896ff73c13e9854d832a287116c830b8b2dfcd8aed28c4455129126d2f89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe
    Filesize

    652KB

    MD5

    97e25a6bd9697b04272696cb0ad46ec7

    SHA1

    4373d0d42c078f3297ca15975fac688ed110222f

    SHA256

    068c6871c56565ca8962b7f8e1377d137a517a16ea15642b69bac2dbe3d4c758

    SHA512

    55e67f23d40d0597eb49617d73fe8c5ad18e848eec452bd2147919d03d97f3a3e71e699c2da75df4c0cd580630a2bcb2d8f017007c327757d744bcb3d652fc4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480mgr.exe
    Filesize

    104KB

    MD5

    84b7783804fa7506672a409e9899c6be

    SHA1

    2da8a6e9c04662564e18cdf98f73e224a5662533

    SHA256

    b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef

    SHA512

    8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KWA2UL2U.txt
    Filesize

    601B

    MD5

    f54c757b3b8b9d6551e6d83ae29b0eb9

    SHA1

    d977803f0bf6c8393dd718b4b5bcaaf0ad904267

    SHA256

    7358f435372860aa1bfedfb5b9376c92e73a785aa6239e39ab359eba0773cc9a

    SHA512

    6777236a52206e41ab7abce77a5335c60515711ab7ad9cee54ce930b05bf110f362a02e5f6a7b49846b0d903f6f654052f152c55fe643d59a7275f01f6ab53e3

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe
    Filesize

    652KB

    MD5

    97e25a6bd9697b04272696cb0ad46ec7

    SHA1

    4373d0d42c078f3297ca15975fac688ed110222f

    SHA256

    068c6871c56565ca8962b7f8e1377d137a517a16ea15642b69bac2dbe3d4c758

    SHA512

    55e67f23d40d0597eb49617d73fe8c5ad18e848eec452bd2147919d03d97f3a3e71e699c2da75df4c0cd580630a2bcb2d8f017007c327757d744bcb3d652fc4f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480.exe
    Filesize

    652KB

    MD5

    97e25a6bd9697b04272696cb0ad46ec7

    SHA1

    4373d0d42c078f3297ca15975fac688ed110222f

    SHA256

    068c6871c56565ca8962b7f8e1377d137a517a16ea15642b69bac2dbe3d4c758

    SHA512

    55e67f23d40d0597eb49617d73fe8c5ad18e848eec452bd2147919d03d97f3a3e71e699c2da75df4c0cd580630a2bcb2d8f017007c327757d744bcb3d652fc4f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480mgr.exe
    Filesize

    104KB

    MD5

    84b7783804fa7506672a409e9899c6be

    SHA1

    2da8a6e9c04662564e18cdf98f73e224a5662533

    SHA256

    b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef

    SHA512

    8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\fb3e6bcac169c1bf9b56002ddcace1e19f6c3c38828552e71a1d83bfa7cc7480mgr.exe
    Filesize

    104KB

    MD5

    84b7783804fa7506672a409e9899c6be

    SHA1

    2da8a6e9c04662564e18cdf98f73e224a5662533

    SHA256

    b26a93c17ac6a412c6c191aa6a1543537f3185fe813c24153c6dec736fbad4ef

    SHA512

    8a867296b05f45dd79ab64b11b6cc0cc8fad835b2f5ba9b8469981cc9b3e15c91f98b688cbe7addfab7ea2bd55a1d475fc853c004afb24be1b5691f8183c897c

    Download Submit

  • memory/1212-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1212-74-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1212-75-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1212-69-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1292-65-0x0000000002730000-0x00000000027D7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/1292-54-0x0000000075881000-0x0000000075883000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1292-64-0x0000000002730000-0x00000000027D7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2024-70-0x0000000000400000-0x00000000004A7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2024-68-0x0000000000250000-0x00000000002A6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2024-67-0x0000000000250000-0x00000000002A6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2024-66-0x0000000000400000-0x00000000004A7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2024-57-0x0000000000000000-mapping.dmp

    Download