Analysis

max time kernel: 43s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 18:12
Behavioral tasks

behavioral1  Sample: Monkey Island Crypter/Island.exe  Resource: win7-20221111-en
behavioral2  Sample: Monkey Island Crypter/Island.exe  Resource: win10v2004-20221111-en
behavioral3  Sample: Monkey Island Crypter/Merged.exe  Resource: win7-20220901-en
behavioral4  Sample: Monkey Island Crypter/Merged.exe  Resource: win10v2004-20221111-en
General

Target: Monkey Island Crypter/Merged.exe
Size: 455KB
MD5: 9b94fed379a1df2b83fdbef292a5c2ef
SHA1: 6b6e18e90afaa434b7d8a5dbc27a187b71324180
SHA256: f6adf8932350281f08f2357eb2ed14d2e2ace877b33f8e1d521c9ab04f227643
SHA512: c5b4c1ab96ebebe32c9dd43a6832176b70ec0e3ee0c7cf6f78c55989e6be2648f21fa6b0af6db96e52b54c4fa7c1d86c65afc8c465e262496e5d7b731d349cdc
SSDEEP: 12288:mU9sjjUzqAApXhTRhGgJpcmWnour2ub2IxyuK79+:pzKX9R8gJpcmqoDumuKI
Malware Config
Signatures

Detect Neshta payload (4 IoCs)
Processes:
  resource                                     yara_rule
  \Users\Admin\AppData\Local\Temp\file1.exe    family_neshta
  \Users\Admin\AppData\Local\Temp\file1.exe    family_neshta
  C:\Users\Admin\AppData\Local\Temp\file1.exe  family_neshta
  C:\Users\Admin\AppData\Local\Temp\file1.exe  family_neshta

Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  (process: file1.exe)
Neshta
Malware from the Neshta family infects other executable files on the host in order to spread and cause damage.
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1316  file2.exe
  1196  file1.exe
  740   file1.exe

Loads dropped DLL (7 IoCs)
Processes:
  pid   process
  1768  Merged.exe
  1768  Merged.exe
  1768  Merged.exe
  1768  Merged.exe
  1196  file1.exe
  1196  file1.exe
  1196  file1.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
Processes:
  file1.exe opened 64 existing executables under C:\PROGRA~2 and C:\PROGRA~3 for modification (full path list omitted).
Drops file in Windows directory (1 IoCs)
Processes:
  File opened for modification: C:\Windows\svchost.com  (process: file1.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  (process: file1.exe)

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  1316  file2.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  740   file1.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                        pid   process     target process
  PID 1768 wrote to memory of 1316   1768  Merged.exe  file2.exe
  PID 1768 wrote to memory of 1316   1768  Merged.exe  file2.exe
  PID 1768 wrote to memory of 1316   1768  Merged.exe  file2.exe
  PID 1768 wrote to memory of 1316   1768  Merged.exe  file2.exe
  PID 1768 wrote to memory of 1196   1768  Merged.exe  file1.exe
  PID 1768 wrote to memory of 1196   1768  Merged.exe  file1.exe
  PID 1768 wrote to memory of 1196   1768  Merged.exe  file1.exe
  PID 1768 wrote to memory of 1196   1768  Merged.exe  file1.exe
  PID 1316 wrote to memory of 1204   1316  file2.exe   Explorer.EXE
  PID 1196 wrote to memory of 740    1196  file1.exe   file1.exe
  PID 1196 wrote to memory of 740    1196  file1.exe   file1.exe
  PID 1196 wrote to memory of 740    1196  file1.exe   file1.exe
  PID 1196 wrote to memory of 740    1196  file1.exe   file1.exe
  PID 1316 wrote to memory of 1204   1316  file2.exe   Explorer.EXE
  PID 1316 wrote to memory of 1204   1316  file2.exe   Explorer.EXE
  PID 1316 wrote to memory of 1204   1316  file2.exe   Explorer.EXE
  PID 1316 wrote to memory of 1204   1316  file2.exe   Explorer.EXE
  PID 1316 wrote to memory of 1204   1316  file2.exe   Explorer.EXE
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE

   2. C:\Users\Admin\AppData\Local\Temp\Monkey Island Crypter\Merged.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Monkey Island Crypter\Merged.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\file2.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\file2.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\file1.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\file1.exe"
         - Modifies system executable filetype association
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads