Analysis
Max time kernel: 121s
Max time network: 144s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 27-10-2021 09:17

Tasks:
- Static task static1
- Behavioral task behavioral1: sample ORDER OCT 28,2021.exe on resource win7-en-20210920
- Behavioral task behavioral2: sample ORDER OCT 28,2021.exe on resource win10-en-20211014
General
Target: ORDER OCT 28,2021.exe
Size: 502KB
MD5: 947b72694e25a2fefcfadd3aeec7c0a1
SHA1: e1263f029a1d7a673218be6ba58f8f5c53b911fb
SHA256: 6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76
SHA512: e4b2084a5259495bbcdebebaad6ca8d8e554374ce21b65ba52a4fec6d1ed5e626c36ef06447331b09fdb8a4651406aab91332068138d7e30c3b947221b7dcaab

The filename mimics a purchase order dated the day after submission, the usual lure for a malicious e-mail attachment.
Malware Config
(none extracted in this report)

Signatures
Detect Neshta Payload (3 IoCs)
YARA rule family_neshta matched in three behavioral1 memory dumps:
- behavioral1/memory/560-56-0x0000000000000000-mapping.dmp
- behavioral1/memory/560-57-0x00000000001C0000-0x00000000001DB000-memory.dmp
- behavioral1/memory/1228-68-0x0000000000330000-0x0000000000366000-memory.dmp

Neshta
Neshta is a file-infecting virus: it writes its own code into other executables so that launching an infected host also runs the virus, which is how it spreads and how it damages the programs it touches. The two hits in PID 560 are in the second copy of the sample, the process the parent wrote into; the hit in PID 1228 (WerFault.exe) is most plausibly the crash handler reading the crashing process's memory while building its report, not WerFault itself being infected.
Loads dropped DLL (1 IoC)
ORDER OCT 28,2021.exe (PID 608). The dropped DLL is the brkwwr.dll listed under Downloads below.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note flags this as likely ransomware behaviour, but in a sample detected as Neshta the drive enumeration is equally consistent with a file infector looking for executables to infect; nothing else in this report (no file encryption, no ransom note) points to ransomware.
Program crash (1 IoC)
WerFault.exe (PID 1228) handled a crash of ORDER OCT 28,2021.exe (PID 560).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
WerFault.exe (PID 1228), 5 occurrences.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
WerFault.exe (PID 1228).

Suspicious use of AdjustPrivilegeToken (1 IoC)
WerFault.exe (PID 1228) enabled SeDebugPrivilege.

The four signatures above are all attributed to WerFault.exe, Windows' own crash reporter: it enumerates processes and enables SeDebugPrivilege so that it can open the crashing process and collect a dump. Treat them as crash-handling noise rather than behaviour of the sample; what the sample contributed is the crash itself.

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 608 (ORDER OCT 28,2021.exe) wrote to the memory of PID 560, a second instance of the same image, 14 times.
- PID 560 (ORDER OCT 28,2021.exe) wrote to the memory of PID 1228 (WerFault.exe), 4 times.

The first group is the pattern that matters: a process launches a second copy of its own executable and repeatedly writes into it, which is how a loader replaces or patches the child's image before letting it run (process hollowing and related injection techniques). The second group is the ordinary handshake between a crashing process and the WerFault instance it spawns and is not evidence of injection. The written-into copy (PID 560) then crashed, so on this Windows 7 run the injected payload did not execute cleanly.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe (PID 608)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe (PID 560, child of 608)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1228, child of 560)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 148
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

The chain is sample -> second instance of the sample -> crash handler. WerFault's -p argument names the crashing process (560). The handler runs from SysWOW64, which on this x64 platform means the crashing process was 32-bit.
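The parent-writes-into-its-own-child pattern in the process tree above is worth a detection rule. The following is an added example, not code from the sandbox or from this report: it rebuilds the process tree from event records constructed from the PIDs, image paths and command lines listed here (the record layout, the function names and the min_writes threshold are my own assumptions), flags a process that writes repeatedly into a child running its own image, and then checks whether that child is the one WerFault was launched for.

```python
"""Reconstruct a process tree from sandbox-style events and flag the
parent -> same-image-child WriteProcessMemory pattern seen in this report.

Added example, not part of the sandbox report. The event records below are
constructed from the PIDs, image paths and command lines in the report; the
field layout and the thresholds are my own, not the sandbox's export format.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report's process tree: (pid, ppid, image, cmdline).
PROCESS_EVENTS = [
    (608, None, SAMPLE, f'"{SAMPLE}"'),
    (560, 608, SAMPLE, f'"{SAMPLE}"'),
    (1228, 560, WERFAULT, f"{WERFAULT} -u -p 560 -s 148"),
]

# Constructed from the 18 WriteProcessMemory IoCs: (source pid, target pid).
WPM_EVENTS = [(608, 560)] * 14 + [(560, 1228)] * 4


def build_tree(process_events):
    """Map pid -> (ppid, image, cmdline)."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in process_events}


def find_self_injection(tree, wpm_events, min_writes=2):
    """Flag a parent writing into a child that runs the parent's own image.

    A legitimate program rarely spawns a second copy of itself and then
    writes into that copy repeatedly; that sequence is how a loader hollows
    or patches a sacrificial copy of itself before resuming it. Writes into
    a child with a different image (e.g. the crash handler) are not flagged.
    """
    writes = Counter(wpm_events)
    findings = []
    for (src, dst), n in writes.items():
        if src not in tree or dst not in tree:
            continue
        dst_ppid, dst_image, _ = tree[dst]
        _, src_image, _ = tree[src]
        if dst_ppid == src and dst_image.lower() == src_image.lower() and n >= min_writes:
            findings.append({"rule": "self_injection", "source": src, "target": dst, "writes": n})
    return findings


def find_crash_of_target(tree, findings):
    """Check whether an injection target later crashed into WerFault.

    WerFault's -p argument names the crashing process; a crash right after
    the injection usually means the written-in payload failed to run cleanly.
    """
    targets = {f["target"] for f in findings}
    crashed = []
    for pid, (_, image, cmdline) in tree.items():
        m = re.search(r"-p\s+(\d+)", cmdline)
        if image.lower().endswith("werfault.exe") and m and int(m.group(1)) in targets:
            crashed.append({"rule": "injected_process_crashed",
                            "target": int(m.group(1)), "werfault_pid": pid})
    return crashed


def analyse(process_events=PROCESS_EVENTS, wpm_events=WPM_EVENTS):
    """Run both rules and return the combined findings."""
    tree = build_tree(process_events)
    findings = find_self_injection(tree, wpm_events)
    findings += find_crash_of_target(tree, findings)
    return findings


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

Run against the constructed events it reports one self_injection finding (608 -> 560, 14 writes) and one injected_process_crashed finding (WerFault PID 1228 for target 560); the four writes from 560 into WerFault are correctly left alone.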
Network
(no entries shown in this report)

MITRE ATT&CK Enterprise v6
(no technique list shown in this report)
Downloads
Dropped file: \Users\Admin\AppData\Local\Temp\nsy22DD.tmp\brkwwr.dll
MD5: 526d857a1bdb294a6be8ea0c40005bfa
SHA1: 23f31727a792a7deb57d84c730ee6a21ab84ca55
SHA256: 2fe94d81ec07813f84c6b5a310fa0c58175bc5a4f73b464d6e93c321474038de
SHA512: b3a0b21377d00edcc0b599998399a8ea4fa6a936680621e7e9b167d6373dc72069b1d3a174019cec024237797d7e8be4429365465ae34077b055e61759031ccd

This is the DLL behind the "Loads dropped DLL" signature on PID 608. A directory named ns<hex>.tmp under %TEMP% is the convention NSIS installers use for their temporary plug-in directory, so the sample is most likely an NSIS-packaged dropper; the report itself does not name the packer, so treat this as an inference from the path.

Memory dumps (behavioral1):
- memory/560-56-0x0000000000000000-mapping.dmp
- memory/560-57-0x00000000001C0000-0x00000000001DB000-memory.dmp (108KB)
- memory/560-61-0x00000000001C0000-0x00000000001DB000-memory.dmp (108KB; the same region dumped again at a later sequence point)
- memory/608-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (8KB)
- memory/1228-66-0x0000000000000000-mapping.dmp
- memory/1228-68-0x0000000000330000-0x0000000000366000-memory.dmp (216KB)

The dump names encode PID, sequence number and address range, and the reported sizes agree with the ranges (0x1DB000 - 0x1C0000 = 0x1B000 = 108KB; 0x366000 - 0x330000 = 0x36000 = 216KB). The 108KB region in PID 560 is where family_neshta matched, so it is the dump to pull for further analysis of the injected payload.
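To use the digests on this page as IOCs on a host or file share, the following added example (not part of the report; only the digest values come from the page, while the directory walk, the matching logic and the function names are my own) walks a directory, computes MD5, SHA-1 and SHA-256 of every file in one streaming pass, and reports any file matching the sample or the dropped DLL. It works for any IOC table in the same algorithm -> digest -> label shape, not only the two files listed here.

```python
"""Sweep a directory tree for files whose digests match this report's IOCs.

Added example, not part of the sandbox report. Only the digest values are
taken from the page; the directory walk, the matching logic and the helper
names are my own.
"""
import hashlib
import os

# IOC table built from the report: algorithm -> lower-case hex digest -> label.
IOCS = {
    "md5": {
        "947b72694e25a2fefcfadd3aeec7c0a1": "ORDER OCT 28,2021.exe",
        "526d857a1bdb294a6be8ea0c40005bfa": "brkwwr.dll",
    },
    "sha1": {
        "e1263f029a1d7a673218be6ba58f8f5c53b911fb": "ORDER OCT 28,2021.exe",
        "23f31727a792a7deb57d84c730ee6a21ab84ca55": "brkwwr.dll",
    },
    "sha256": {
        "6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76": "ORDER OCT 28,2021.exe",
        "2fe94d81ec07813f84c6b5a310fa0c58175bc5a4f73b464d6e93c321474038de": "brkwwr.dll",
    },
}
ALGOS = ("md5", "sha1", "sha256")


def digests(path, chunk=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single streaming pass,
    so a large file is read once and never loaded whole into memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match(path, iocs=IOCS):
    """Return [(algorithm, label), ...] for every IOC the file matches."""
    d = digests(path)
    return [(a, iocs[a][d[a]]) for a in ALGOS if d[a] in iocs.get(a, {})]


def sweep(root, iocs=IOCS):
    """Walk `root` and map each matching file path to its IOC hits.
    Files that cannot be read (permissions, deleted mid-walk) are skipped."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                found = match(path, iocs)
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    import sys
    for path, found in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

A hit on any one algorithm is enough to report the file; matching on all three at once would only hide a record whose other digests were mistyped when the IOC table was transcribed.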