Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 29-10-2021 18:47

Static task: static1

Behavioral task: behavioral1
- Sample: 781932d5e3cf1b9e902ee2ea8c48f572.exe
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: 781932d5e3cf1b9e902ee2ea8c48f572.exe
- Resource: win10-en-20210920
General
- Target: 781932d5e3cf1b9e902ee2ea8c48f572.exe
- Size: 234KB
- MD5: 781932d5e3cf1b9e902ee2ea8c48f572
- SHA1: 70a244d771d7cfa61b2fa3d2a0ac386ea2bf0393
- SHA256: afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709
- SHA512: ba05f74a081a6e4fc12b4c00f388da141bdfa61074ecf379421cdcc72d6f546e6067e07877332e3456bf27a3b17d5549ade76b04cbf2de2753f39fbdf31082bc
Malware Config
Signatures
- Detect Neshta Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1748-56-0x0000000000000000-mapping.dmp | family_neshta
  behavioral1/memory/1748-57-0x00000000001C0000-0x00000000001DB000-memory.dmp | family_neshta
- Neshta
  Malware from the Neshta family infects other executable files with copies of itself in order to spread and cause damage.
- Loads dropped DLL (1 IoCs)
  pid | process
  1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  1328 | 1748 | WerFault.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  1328 | WerFault.exe
  1328 | WerFault.exe
  1328 | WerFault.exe
  1328 | WerFault.exe
  1328 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  1328 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1328 | WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1612 wrote to memory of 1748 | 1612 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | 781932d5e3cf1b9e902ee2ea8c48f572.exe
  PID 1748 wrote to memory of 1328 | 1748 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | WerFault.exe
  PID 1748 wrote to memory of 1328 | 1748 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | WerFault.exe
  PID 1748 wrote to memory of 1328 | 1748 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | WerFault.exe
  PID 1748 wrote to memory of 1328 | 1748 | 781932d5e3cf1b9e902ee2ea8c48f572.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe
  "C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe"
  PID: 1612
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe
    "C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe"
    PID: 1748
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 148
      PID: 1328
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiD431.tmp\azxcktqvoyc.dll
  MD5: 26ffa4722b447fff084a239b44f7cac9
  SHA1: 39f7ad0bf15f3dcf6e67141108476abea370f7e3
  SHA256: 77aba174986d7969103ae452fd1193ccb9dc495a4579fa4b7f2939e367b33121
  SHA512: 118068c79e021899abeeb9a17e548b9887af536fc9b8a9a35358ef85980d31fc5192f989a4d5d1a3826c63882888cdc10ac3c5f3918a4172bbf547643ff75532
- memory/1328-66-0x0000000000000000-mapping.dmp
- memory/1328-68-0x0000000000460000-0x0000000000461000-memory.dmp (Filesize: 4KB)
- memory/1612-54-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
- memory/1748-56-0x0000000000000000-mapping.dmp
- memory/1748-57-0x00000000001C0000-0x00000000001DB000-memory.dmp (Filesize: 108KB)
- memory/1748-61-0x00000000001C0000-0x00000000001DB000-memory.dmp (Filesize: 108KB)