Analysis

  • max time kernel
    163s
  • max time network
    204s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2022 06:24

General

  • Target

    b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll

  • Size

    184KB

  • MD5

    eded7b23c48aff4af017c06eefc11660

  • SHA1

    e04bf50b0202d941e02b9e826790a34334e0b593

  • SHA256

    b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc

  • SHA512

    7a4a6ce0c3d5c39bc4a8a42c3f402a659d4cd43e9923f579d1d51d1e994d9cb4a51258fdd12d5b9c7e237edde872ec76bcf7792443b3c40d3cd9b23fbc84d985

  • SSDEEP

    3072:idSdGlrc/9vNWkFOvJygOOMPCy5oFfIAvsTe7g1C+f8SWnYX:idSQJc/jWko2L/vOyC+f8SNX

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.

  • Ramnit

    Ramnit is a versatile family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b29bcccc633fcf1054ddc99b88b4be5c0263c2b2a61eaec9ee5e676612ae4bdc.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:640
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:844
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1752

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112), 1 technique

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ec390bbc0d3acf7a37c4bfa342de20dc

    SHA1

    29ff57a0d281d50edb0516f56de90b3ad954c51c

    SHA256

    4de3bc6a02ecdb31dbd566764557d1479ba91e63441b2dc5c9e367ac35c67e44

    SHA512

    0e03c1f95bf574bb8e80dc77d426c749911f7585993a4557c303bd957954287243306c1a1f6bf35e85cd5d5fa348c2fda474e681ed2942865e75ba227f8ded77

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C39CF9D1-7403-11ED-BA2E-6662AD81E03A}.dat
    Filesize

    4KB

    MD5

    4fd852f6cdd2a36acc598d0a73b29c82

    SHA1

    d828e22806d747a0c3168598bbe21b4d7aa97d93

    SHA256

    4594cc90338c9245cc1817094f9346ecacfb5b0e53af2b208afef927449ebae3

    SHA512

    a3726a315b7f01793f0ee2009c812258e065e9cbcded671957b114e214a77364c9784587af9e97da6a377e86fb86feaa349db476b4ea68fdd5394900e8196b02

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C39D20E1-7403-11ED-BA2E-6662AD81E03A}.dat
    Filesize

    5KB

    MD5

    4688e0af95cb1dc0f01edd7b15706af7

    SHA1

    b91d62ed20e9332c368bcec033056b5d26aef18f

    SHA256

    5e958b93e372b76c76b82707376ef7538bcb87fe77cbe75cd316ccb4a8f0dac1

    SHA512

    4acf3f119968ccc6e5076f7142218c73361c447f16f4c69e4b2cdd84862eb8799e63f90ab4c91257e2a7e94bd97cf3efd73cab2fa973499c7345855b9ac11cad

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W96EB594.txt
    Filesize

    539B

    MD5

    1c65838f61025f6fa15a2a8f708405bf

    SHA1

    8d06e206319c2f4124dc5a5f220bf5310fe90b37

    SHA256

    38db9495227e602203a4f150dd11b9cb678b6c841e36a4991a3f090ccc2596b3

    SHA512

    1362e683f10bc64e41a5ab7d287e48c8a83d587b002e60164eeb4a1bbd12729c5ee461c3504a6e4f090f05587c42ba62f9c10db57b67a83f170d9519ab880c02

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    146KB

    MD5

    43be420578bb466a71cdd20d9e331349

    SHA1

    ca7b41da373754dc1b9ebc376a8aa849591e73fb

    SHA256

    e70ae77d9b689a4365d3f9ed2f4375e1d2c7e86233533d2944e6da3cce4c9f39

    SHA512

    ee23da2f98b16654f8ddeaabe06f1065685106947f1340dbcb420764bfd5e59be50308ca5f0edd89325f329970fd45025cc16edcef746a463c9ae039edb55d5e

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    146KB

    MD5

    43be420578bb466a71cdd20d9e331349

    SHA1

    ca7b41da373754dc1b9ebc376a8aa849591e73fb

    SHA256

    e70ae77d9b689a4365d3f9ed2f4375e1d2c7e86233533d2944e6da3cce4c9f39

    SHA512

    ee23da2f98b16654f8ddeaabe06f1065685106947f1340dbcb420764bfd5e59be50308ca5f0edd89325f329970fd45025cc16edcef746a463c9ae039edb55d5e

  • memory/1032-60-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

  • memory/1032-63-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

  • memory/1032-58-0x0000000000000000-mapping.dmp
  • memory/1324-54-0x0000000000000000-mapping.dmp
  • memory/1324-55-0x0000000075C31000-0x0000000075C33000-memory.dmp
    Filesize

    8KB