Analysis
- max time kernel: 300s
- max time network: 302s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 29-10-2021 00:09
Static task: static1
Behavioral task: behavioral1
- Sample: DUE SOA.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: DUE SOA.exe
- Resource: win10-en-20211014
General
- Target: DUE SOA.exe
- Size: 614KB
- MD5: e6839a4ad6eb043bd41052740c27e1f9
- SHA1: a03ab63f5c070980be362d3b98bdd55f2574c228
- SHA256: 16cb5498c592fb2a32fa882aa0996591f067d77c50eedf69cda4d04ef93cab83
- SHA512: 2524dc118ccbaf7c5bdd462d460e15e7eafeab3cd5a67fdde591fccb5a8a1c6394e3cdec17e9c8fd2a1a9e1861792ce86f1f5c42a2d8f197a278b075559aa19e
Malware Config
Signatures
- Detect Neshta Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/568-56-0x0000000000000000-mapping.dmp | family_neshta
  behavioral1/memory/568-57-0x00000000001C0000-0x00000000001DB000-memory.dmp | family_neshta
- Neshta
  Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  584 | DUE SOA.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  316 | 568 | WerFault.exe | DUE SOA.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  316 | WerFault.exe (4 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  316 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 316 | WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | pid | process | target process
  PID 584 wrote to memory of 568 | 584 | DUE SOA.exe | DUE SOA.exe (14 identical entries)
  PID 568 wrote to memory of 316 | 568 | DUE SOA.exe | WerFault.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe (PID 584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe (PID 568, child of 584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DUE SOA.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 316, child of 568)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 148
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyB5C9.tmp\snivhltj.dll
  MD5: 0810741d83c6146718c3c17119879b1a
  SHA1: 298d046f6f0ced5a60ba173847891e61018f34ae
  SHA256: b237eb4878a416ce0dced719586e3a571aa482b792840a2010291e045e99f68e
  SHA512: 23a945c1934299a6753eb4f4f258a8b06c41b0a679128d9821bbed9ebe587efa0a66acdd670cb4b51b05099cf14e5b92d1e15cb2c54dd1536dadc3c824eb1ba6
- memory/316-66-0x0000000000000000-mapping.dmp
- memory/316-68-0x0000000000990000-0x0000000000991000-memory.dmp
  Filesize: 4KB
- memory/568-56-0x0000000000000000-mapping.dmp
- memory/568-57-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/568-61-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB
- memory/584-54-0x00000000757B1000-0x00000000757B3000-memory.dmp
  Filesize: 8KB