Overview

overview

10

Static

static

10

Monkey Isl...nd.exe

windows7-x64

10

Monkey Isl...nd.exe

windows10-2004-x64

10

Monkey Isl...ed.exe

windows7-x64

10

Monkey Isl...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Monkey Island Crypter/Merged.exe

  • Size

    455KB

  • MD5

    9b94fed379a1df2b83fdbef292a5c2ef

  • SHA1

    6b6e18e90afaa434b7d8a5dbc27a187b71324180

  • SHA256

    f6adf8932350281f08f2357eb2ed14d2e2ace877b33f8e1d521c9ab04f227643

  • SHA512

    c5b4c1ab96ebebe32c9dd43a6832176b70ec0e3ee0c7cf6f78c55989e6be2648f21fa6b0af6db96e52b54c4fa7c1d86c65afc8c465e262496e5d7b731d349cdc

  • SSDEEP

    12288:mU9sjjUzqAApXhTRhGgJpcmWnour2ub2IxyuK79+:pzKX9R8gJpcmqoDumuKI

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\Monkey Island Crypter\Merged.exe
        "C:\Users\Admin\AppData\Local\Temp\Monkey Island Crypter\Merged.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Users\Admin\AppData\Local\Temp\file2.exe
          "C:\Users\Admin\AppData\Local\Temp\file2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1316
        • C:\Users\Admin\AppData\Local\Temp\file1.exe
          "C:\Users\Admin\AppData\Local\Temp\file1.exe"
          3⤵
          • Modifies system executable filetype association
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe
            "C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:740

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe
      Filesize

      372KB

      MD5

      4f9d091e86e2a9718cad1719e04ea5fc

      SHA1

      d244d117ff9b908762988b6004119b06a06ac8f8

      SHA256

      828bbea0c8ba168c2e9fee36b42cde378f64537574430124924d2388507435bf

      SHA512

      0340391ced1c25e84540aead0bf50ca8e21da514b080bb2a50aa74fb36c542200fab0871277735952f6a5fd2058c746e95a6ca51672d7196459a257814275297

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\file1.exe
      Filesize

      412KB

      MD5

      292c796c2e2bbf7275de25c5cf3a5eec

      SHA1

      9ecaac42bc9bf107137e049f2cd430f4621fb067

      SHA256

      c7b8c5c8d08cc8b89ba7c038e473272595250b19b961683d8255dc322908498e

      SHA512

      7f0f5f08bfb6dcce66e56a49e791ec2d5795538636ac84bf05d319263aedd064ed8b28715e9dff909b8f76ffe378872212440cbfec19df92bb90ff1a4944668e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\file1.exe
      Filesize

      412KB

      MD5

      292c796c2e2bbf7275de25c5cf3a5eec

      SHA1

      9ecaac42bc9bf107137e049f2cd430f4621fb067

      SHA256

      c7b8c5c8d08cc8b89ba7c038e473272595250b19b961683d8255dc322908498e

      SHA512

      7f0f5f08bfb6dcce66e56a49e791ec2d5795538636ac84bf05d319263aedd064ed8b28715e9dff909b8f76ffe378872212440cbfec19df92bb90ff1a4944668e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\file2.exe
      Filesize

      39KB

      MD5

      18be43c31cfe75d34280cb0e6261bb5f

      SHA1

      c3eef4ae4b87143774a0e8f7c40d6f4c1c570d41

      SHA256

      c4376229d61d6f01ef5ff9da823828c20e76a1d93e1faf4bc4a85d6c56291ad2

      SHA512

      a97905de9083e0c710334c43c65bf8210e6ac7da00bebe30014fb45b2ba5395a75f237f7721ff26d9d9fcb6fa756d6b748e08031ebf453e7abc039b9dff247a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\file2.exe
      Filesize

      39KB

      MD5

      18be43c31cfe75d34280cb0e6261bb5f

      SHA1

      c3eef4ae4b87143774a0e8f7c40d6f4c1c570d41

      SHA256

      c4376229d61d6f01ef5ff9da823828c20e76a1d93e1faf4bc4a85d6c56291ad2

      SHA512

      a97905de9083e0c710334c43c65bf8210e6ac7da00bebe30014fb45b2ba5395a75f237f7721ff26d9d9fcb6fa756d6b748e08031ebf453e7abc039b9dff247a0

      Download Submit
    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\file1.exe
      Filesize

      372KB

      MD5

      4f9d091e86e2a9718cad1719e04ea5fc

      SHA1

      d244d117ff9b908762988b6004119b06a06ac8f8

      SHA256

      828bbea0c8ba168c2e9fee36b42cde378f64537574430124924d2388507435bf

      SHA512

      0340391ced1c25e84540aead0bf50ca8e21da514b080bb2a50aa74fb36c542200fab0871277735952f6a5fd2058c746e95a6ca51672d7196459a257814275297

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\file1.exe
      Filesize

      372KB

      MD5

      4f9d091e86e2a9718cad1719e04ea5fc

      SHA1

      d244d117ff9b908762988b6004119b06a06ac8f8

      SHA256

      828bbea0c8ba168c2e9fee36b42cde378f64537574430124924d2388507435bf

      SHA512

      0340391ced1c25e84540aead0bf50ca8e21da514b080bb2a50aa74fb36c542200fab0871277735952f6a5fd2058c746e95a6ca51672d7196459a257814275297

      Download Submit
    • \Users\Admin\AppData\Local\Temp\file1.exe
      Filesize

      412KB

      MD5

      292c796c2e2bbf7275de25c5cf3a5eec

      SHA1

      9ecaac42bc9bf107137e049f2cd430f4621fb067

      SHA256

      c7b8c5c8d08cc8b89ba7c038e473272595250b19b961683d8255dc322908498e

      SHA512

      7f0f5f08bfb6dcce66e56a49e791ec2d5795538636ac84bf05d319263aedd064ed8b28715e9dff909b8f76ffe378872212440cbfec19df92bb90ff1a4944668e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\file1.exe
      Filesize

      412KB

      MD5

      292c796c2e2bbf7275de25c5cf3a5eec

      SHA1

      9ecaac42bc9bf107137e049f2cd430f4621fb067

      SHA256

      c7b8c5c8d08cc8b89ba7c038e473272595250b19b961683d8255dc322908498e

      SHA512

      7f0f5f08bfb6dcce66e56a49e791ec2d5795538636ac84bf05d319263aedd064ed8b28715e9dff909b8f76ffe378872212440cbfec19df92bb90ff1a4944668e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\file2.exe
      Filesize

      39KB

      MD5

      18be43c31cfe75d34280cb0e6261bb5f

      SHA1

      c3eef4ae4b87143774a0e8f7c40d6f4c1c570d41

      SHA256

      c4376229d61d6f01ef5ff9da823828c20e76a1d93e1faf4bc4a85d6c56291ad2

      SHA512

      a97905de9083e0c710334c43c65bf8210e6ac7da00bebe30014fb45b2ba5395a75f237f7721ff26d9d9fcb6fa756d6b748e08031ebf453e7abc039b9dff247a0

      Download Submit
    • \Users\Admin\AppData\Local\Temp\file2.exe
      Filesize

      39KB

      MD5

      18be43c31cfe75d34280cb0e6261bb5f

      SHA1

      c3eef4ae4b87143774a0e8f7c40d6f4c1c570d41

      SHA256

      c4376229d61d6f01ef5ff9da823828c20e76a1d93e1faf4bc4a85d6c56291ad2

      SHA512

      a97905de9083e0c710334c43c65bf8210e6ac7da00bebe30014fb45b2ba5395a75f237f7721ff26d9d9fcb6fa756d6b748e08031ebf453e7abc039b9dff247a0

      Download Submit
    • memory/740-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1196-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1204-76-0x000000007EFC0000-0x000000007EFC6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1316-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1316-74-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1316-75-0x0000000010000000-0x0000000010012000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1768-65-0x0000000000400000-0x0000000000403000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp
      Filesize

      8KB

      Download