Analysis

  • max time kernel
    54s
  • max time network
    66s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-07-2021 15:49

General

  • Target

    SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

  • Size

    700KB

  • MD5

    4c33a8d7ea67f81000eee8b1c9475f9c

  • SHA1

    a96a1a2cd37af1a04fafc9104b59661924c2c2a0

  • SHA256

    3fa53f6f68e280013eb9651a53a3c40a16fa99f7689d0761b3f95b2de68b22cf

  • SHA512

    d93206e78dbfc4e1ca1633172c7aeb93ba6270822e7f8880220599731d9db4299ea85e1d14d59929ebe6e9b812d09f8db180df4fa4f2bbc93fc4d8a0aad87cf0

Malware Config

Signatures

  • Detect Neshta Payload ⋅ 3 IoCs
  • Modifies system executable filetype association ⋅ 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Drops file in Program Files directory ⋅ 55 IoCs
  • Drops file in Windows directory ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 4 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
      "{path}"
      PID:3120
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
      "{path}"
      PID:3364
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
      "{path}"
      Modifies system executable filetype association
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      PID:2128

Network

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation

                Replay Monitor

                00:00 00:00

                Downloads

                • memory/2128-125-0x0000000000400000-0x000000000041B000-memory.dmp
                • memory/2128-127-0x0000000000400000-0x000000000041B000-memory.dmp
                • memory/2128-126-0x00000000004080E4-mapping.dmp
                • memory/3424-121-0x00000000024C0000-0x00000000024C2000-memory.dmp
                • memory/3424-119-0x00000000024D0000-0x00000000024D1000-memory.dmp
                • memory/3424-120-0x0000000004B60000-0x0000000004B61000-memory.dmp
                • memory/3424-114-0x0000000000090000-0x0000000000091000-memory.dmp
                • memory/3424-122-0x000000000A190000-0x000000000A191000-memory.dmp
                • memory/3424-123-0x000000000ABF0000-0x000000000AC74000-memory.dmp
                • memory/3424-124-0x0000000004CA0000-0x0000000004CDD000-memory.dmp
                • memory/3424-118-0x0000000009EF0000-0x0000000009EF1000-memory.dmp
                • memory/3424-117-0x000000000A3F0000-0x000000000A3F1000-memory.dmp
                • memory/3424-116-0x0000000004960000-0x00000000049C2000-memory.dmp