Analysis
- max time kernel: 120s
- max time network: 120s
- submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10-en-20210920
General
- Target: 1.exe
- Size: 614KB
- MD5: e6839a4ad6eb043bd41052740c27e1f9
- SHA1: a03ab63f5c070980be362d3b98bdd55f2574c228
- SHA256: 16cb5498c592fb2a32fa882aa0996591f067d77c50eedf69cda4d04ef93cab83
- SHA512: 2524dc118ccbaf7c5bdd462d460e15e7eafeab3cd5a67fdde591fccb5a8a1c6394e3cdec17e9c8fd2a1a9e1861792ce86f1f5c42a2d8f197a278b075559aa19e
Malware Config
Signatures
- Detect Neshta Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/460-57-0x0000000000000000-mapping.dmp | family_neshta
  behavioral1/memory/460-58-0x00000000001C0000-0x00000000001DB000-memory.dmp | family_neshta
- Neshta
  Malware from the Neshta family is a file infector: it inserts its own code into other executable files in order to spread and cause damage.
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1344 | 1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  1256 | 460 | WerFault.exe | 1.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  1256 | WerFault.exe (4 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  1256 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1256 | WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | pid | process | target process
  PID 1344 wrote to memory of 460 | 1344 | 1.exe | 1.exe (14 identical entries)
  PID 460 wrote to memory of 1256 | 460 | 1.exe | WerFault.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 1344
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1.exe (child of PID 1344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    PID: 460
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 460)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 148
      PID: 1256
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsy13EF.tmp\snivhltj.dll
  MD5: 0810741d83c6146718c3c17119879b1a
  SHA1: 298d046f6f0ced5a60ba173847891e61018f34ae
  SHA256: b237eb4878a416ce0dced719586e3a571aa482b792840a2010291e045e99f68e
  SHA512: 23a945c1934299a6753eb4f4f258a8b06c41b0a679128d9821bbed9ebe587efa0a66acdd670cb4b51b05099cf14e5b92d1e15cb2c54dd1536dadc3c824eb1ba6
- memory/460-57-0x0000000000000000-mapping.dmp
- memory/460-58-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/460-62-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/1256-67-0x0000000000000000-mapping.dmp
- memory/1256-69-0x0000000000810000-0x0000000000870000-memory.dmp
  Filesize: 384KB
- memory/1344-55-0x00000000757A1000-0x00000000757A3000-memory.dmp
  Filesize: 8KB