Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 11-11-2021 03:14
Static task: static1
Behavioral task: behavioral1
- Sample: New Inquiry.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: New Inquiry.exe
- Resource: win10-en-20211014
General
- Target: New Inquiry.exe
- Size: 247KB
- MD5: 905db5df8d7a31ccd2c15fd5b90d3cd2
- SHA1: 06ec98964ce0e4d64cfcf68b579fa28be7207a15
- SHA256: 997d1ffb13955190f89d7d6c712af1d2b8988cffdda524963f0963b4eb761d5a
- SHA512: de02d56b22651e80442d06d4ad2d10a209e261cb048139f6d8c1822783cdee3f365186bfae4901549da51a9269af1daa9929ea7eb114a2bb09406975d5277142
Malware Config
Signatures
-
Detect Neshta Payload 2 IoCs
Matches:
resource | yara_rule
behavioral1/memory/1052-57-0x0000000000000000-mapping.dmp | family_neshta
behavioral1/memory/1052-58-0x00000000001C0000-0x00000000001DB000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family is a file infector: it injects its own code into other executable files in order to spread and cause damage.
-
Loads dropped DLL 1 IoCs
Processes:
process | pid
New Inquiry.exe | 600
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
process | pid | target process | target pid
WerFault.exe | 1904 | New Inquiry.exe | 1052
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
process | pid
WerFault.exe | 1904 (4 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
process | pid
WerFault.exe | 1904
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | process | pid
Token: SeDebugPrivilege | WerFault.exe | 1904
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 600 wrote to memory of 1052 | 600 | New Inquiry.exe | New Inquiry.exe (14 events)
PID 1052 wrote to memory of 1904 | 1052 | New Inquiry.exe | WerFault.exe (4 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe"
PID: 600
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe (child of PID 600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe"
  PID: 1052
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WerFault.exe (child of PID 1052)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 148
    PID: 1904
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyE023.tmp\xpgjtt.dll
MD5: cf4d50071a2c2fdfe2cbd07d42b4aaea
SHA1: 214f85e9f8b1922333bd866d23bb97dbd8e12487
SHA256: 44d8dedf859f5e3a174ae3f617cc4cc8fbfbc40f88d4a71f16c64c6b14e6b7a4
SHA512: a17f4c72c390c14044baddb53723d2fc3383ec7a2b5a89f66870f5dbb42863e0d259fec77013e8f5bd00739721e11fd8f38322e9f8a395d59dd9405927205d98
-
memory/600-55-0x0000000074F01000-0x0000000074F03000-memory.dmp
Filesize: 8KB
-
memory/1052-57-0x0000000000000000-mapping.dmp
-
memory/1052-58-0x00000000001C0000-0x00000000001DB000-memory.dmp
Filesize: 108KB
-
memory/1052-62-0x00000000001C0000-0x00000000001DB000-memory.dmp
Filesize: 108KB
-
memory/1904-67-0x0000000000000000-mapping.dmp
-
memory/1904-69-0x0000000000260000-0x00000000002C0000-memory.dmp
Filesize: 384KB