Analysis
max time kernel: 186s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 18:12
Behavioral tasks
behavioral1: Monkey Island Crypter/Island.exe on win7-20221111-en
behavioral2: Monkey Island Crypter/Island.exe on win10v2004-20221111-en
behavioral3: Monkey Island Crypter/Merged.exe on win7-20220901-en
behavioral4: Monkey Island Crypter/Merged.exe on win10v2004-20221111-en
This page is the behavioral4 run (Merged.exe on the Windows 10 2004 x64 image).
General
Target: Monkey Island Crypter/Merged.exe
Size: 455KB
MD5: 9b94fed379a1df2b83fdbef292a5c2ef
SHA1: 6b6e18e90afaa434b7d8a5dbc27a187b71324180
SHA256: f6adf8932350281f08f2357eb2ed14d2e2ace877b33f8e1d521c9ab04f227643
SHA512: c5b4c1ab96ebebe32c9dd43a6832176b70ec0e3ee0c7cf6f78c55989e6be2648f21fa6b0af6db96e52b54c4fa7c1d86c65afc8c465e262496e5d7b731d349cdc
SSDEEP: 12288:mU9sjjUzqAApXhTRhGgJpcmWnour2ub2IxyuK79+:pzKX9R8gJpcmqoDumuKI
Malware Config
Signatures
-
Detect Neshta payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\file1.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\file1.exe | family_neshta
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | file1.exe
-
Neshta
Neshta is a file-infecting virus. It prepends its own body to other executables, so an infected program runs the virus first; the virus then writes the original program out to a temporary directory (here C:\Users\Admin\AppData\Local\Temp\3582-490\) and runs it so the user notices nothing. In this run that is visible as file1.exe opening dozens of installed .exe files under Program Files for modification, dropping C:\Windows\svchost.com, and rewriting the exefile shell\open\command handler so that every .exe launched through the shell passes through svchost.com first.
-
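The script below is an added example for this page, not code from the sandbox or from the sample. It shows one way to triage a file suspected of Neshta infection offline: locate the original host that the virus carries behind its own body, carve it out, and hash both pieces so they can be compared with the hashes in the Downloads section of this report (copied into REPORT_SHA256). The second-PE-header search is a generic prepender heuristic rather than Neshta's exact on-disk layout, and build_fake_pe produces constructed test input that is not a real executable.

```python
"""Added example (not from the sandbox or the sample): triage helper for a
prepending file infector such as Neshta.

Neshta prepends its body to every host .exe it infects; when an infected file
runs, the virus executes first, writes the original host to %TEMP%\\3582-490\\
and launches it.  This report shows that pairing directly: file1.exe (412KB)
spawns 3582-490\\file1.exe (372KB).

The functions below find a second PE image embedded after the first one and
carve it out so the host can be hashed.  This is a generic heuristic, not
Neshta's exact format, and any PE that embeds another PE (installers,
self-extractors) will also trigger it.
"""
import hashlib
import struct
import sys

# SHA256 values copied from this report's Downloads section.
REPORT_SHA256 = {
    "828bbea0c8ba168c2e9fee36b42cde378f64537574430124924d2388507435bf": "3582-490\\file1.exe (carved host, 372KB)",
    "c7b8c5c8d08cc8b89ba7c038e473272595250b19b961683d8255dc322908498e": "file1.exe (infected, 412KB)",
    "c4376229d61d6f01ef5ff9da823828c20e76a1d93e1faf4bc4a85d6c56291ad2": "file2.exe (39KB)",
    "f6adf8932350281f08f2357eb2ed14d2e2ace877b33f8e1d521c9ab04f227643": "Merged.exe (455KB)",
}


def pe_signature_offset(data: bytes, mz_off: int):
    """Offset of 'PE\\0\\0' for an MZ header at mz_off, or None if the bytes at
    mz_off do not form a plausible PE image (bad magic, e_lfanew out of file)."""
    if data[mz_off:mz_off + 2] != b"MZ" or len(data) < mz_off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if pe_off + 4 > len(data):
        return None
    return pe_off if data[pe_off:pe_off + 4] == b"PE\0\0" else None


def find_embedded_pe(data: bytes, start: int = 0x40):
    """Offset of the first valid PE image that begins at or after `start`
    (default: past the outer file's own DOS header), or None."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pe_signature_offset(data, pos) is not None:
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_host(data: bytes):
    """Split an infected image into (stub, host).  Returns None when no
    embedded PE is found, i.e. the file does not look prepender-infected."""
    host_off = find_embedded_pe(data)
    if host_off is None:
        return None
    return data[:host_off], data[host_off:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Summarise one file: whole-file hash, whether it looks infected, and the
    carved host's size and hash plus any match against the report's hashes."""
    whole = sha256_hex(data)
    result = {"sha256": whole, "size": len(data),
              "ioc": REPORT_SHA256.get(whole), "infected": False}
    parts = carve_host(data)
    if parts is not None:
        stub, host = parts
        host_hash = sha256_hex(host)
        result.update(infected=True, stub_size=len(stub), host_size=len(host),
                      host_sha256=host_hash, host_ioc=REPORT_SHA256.get(host_hash))
    return result


def build_fake_pe(payload: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed test input: a minimal MZ/PE skeleton followed by payload.
    Not a loadable executable, only enough header to satisfy the checks above."""
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\0\0" + payload


if __name__ == "__main__":
    # Usage: python neshta_carve.py <suspect.exe>
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

A hit means "look closer", not "infected": installers and self-extractors also embed PE images. The confirming evidence is a hash match against the report, or at runtime the 3582-490 drop directory and the svchost.com handler recorded above.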
Executes dropped EXE (3 IoCs)
pid | process
4140 | file2.exe
1136 | file1.exe
4732 | file1.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Merged.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | file1.exe
-
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification" by file1.exe. All 64 targets are executables of installed software (Edge and its updater, Acrobat Reader, Windows Media Player, the Google and Java updaters, Mozilla, Internet Explorer, Click-to-Run, WordPad, msinfo32), which is the infector selecting hosts. Paths are the 8.3 short names the sandbox logged:
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~2.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~3.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI9C33~1.EXE
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~4.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI391D~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13169~1.31\MICROS~1.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MIA062~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
-
Drops file in Windows directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\svchost.com | file1.exe
C:\Windows\svchost.com is the copy of the virus body that the hijacked exefile handler runs; it is unrelated to the legitimate C:\Windows\System32\svchost.exe, and a .com file of that name in the Windows directory is a reliable host indicator for this family.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; for a Neshta sample it is the drive enumeration a file infector performs to find executables to infect, so do not read it as encryption activity on its own.
-
Modifies registry class (1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | file1.exe
This is the same write as the "Modifies system executable filetype association" signature above, matched by a second, more generic rule.
-
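The following Python is an added example for this page, not code from the sandbox or the sample. It parses the registry IoC line above back into the literal value the sample wrote, classifies any exefile handler against the stock `"%1" %*`, and on a Windows host reads the live value from both HKLM and HKCU (the per-user Classes key overrides the machine one in the merged HKCR view, so both need checking even though this sample wrote to HKLM). The function names are this example's own, and the sandbox line format it parses is the one printed on this page.

```python
"""Added example for this page (not code from the sandbox or the sample):
detect the exefile handler hijack that file1.exe installs.

The report records HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command being
set to   C:\\Windows\\svchost.com "%1" %*   so that every .exe started through
the shell runs the virus first.  The stock Windows value is   "%1" %*  .
"""
import re
import sys
from typing import Optional

DEFAULT_EXEFILE_COMMAND = '"%1" %*'
SUBKEY = r"exefile\shell\open\command"


def normalize(value: Optional[str]) -> str:
    """Collapse whitespace so cosmetic spacing neither hides nor fakes a hijack."""
    return re.sub(r"\s+", " ", (value or "").strip())


def classify_exefile_command(value: Optional[str]) -> str:
    """'default' for the stock handler, 'missing' for no value; any other
    handler is reported as 'hijacked' and should be reviewed."""
    norm = normalize(value)
    if not norm:
        return "missing"
    return "default" if norm.lower() == DEFAULT_EXEFILE_COMMAND.lower() else "hijacked"


def launcher_of(value: Optional[str]) -> Optional[str]:
    """The program a hijacked handler runs in front of "%1" (quoted or not),
    or None when the handler is the stock one or absent."""
    if classify_exefile_command(value) != "hijacked":
        return None
    m = re.match(r'"([^"]+)"|(\S+)', normalize(value))
    return (m.group(1) or m.group(2)) if m else None


def parse_sandbox_ioc(line: str) -> Optional[tuple]:
    """Parse a 'Set value (str) <key> = "<value>"' line as printed in this
    report.  The sandbox escapes backslashes and inner quotes inside the
    value; undo that so the result is the literal registry data."""
    m = re.match(r'Set value \(str\) (.+?) = "(.*)"\s*$', line)
    if not m:
        return None
    key, raw = m.group(1), m.group(2)
    return key, raw.replace('\\"', '"').replace("\\\\", "\\")


def read_live_handlers() -> dict:
    """On a Windows host, read the (Default) value of the handler key from both
    hives.  HKCU\\Software\\Classes wins over HKLM in the merged HKCR view, so a
    per-user hijack matters even though this sample wrote to HKLM.  Returns an
    empty dict on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    hives = {
        "HKLM": (winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\" + SUBKEY),
        "HKCU": (winreg.HKEY_CURRENT_USER, "Software\\Classes\\" + SUBKEY),
    }
    found = {}
    for name, (hive, path) in hives.items():
        try:
            with winreg.OpenKey(hive, path) as key:
                found[name] = winreg.QueryValueEx(key, "")[0]  # "" = (Default)
        except OSError:
            found[name] = None
    return found


def assess(handlers: dict) -> dict:
    """Map each hive's value to (verdict, interposed launcher or None)."""
    return {hive: (classify_exefile_command(v), launcher_of(v))
            for hive, v in handlers.items()}


if __name__ == "__main__":
    # First re-derive the verdict from the report's own IoC line, then (on
    # Windows) check the live registry of the host this runs on.
    ioc_line = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile'
                r'\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"')
    key, value = parse_sandbox_ioc(ioc_line)
    print(f"report: {classify_exefile_command(value)} -> {launcher_of(value)}")
    for hive, (verdict, launcher) in assess(read_live_handlers()).items():
        print(f"{hive}: {verdict}" + (f" -> {launcher}" if launcher else ""))
```

Restoring the association (for example `reg add "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve /t REG_SZ /d "\"%1\" %*" /f`) is the last step, not the first: C:\Windows\svchost.com has to be removed and every infected executable replaced or disinfected beforehand, otherwise the next infected program that runs re-installs the hijack.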
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4140 | file2.exe
4140 | file2.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
4732 | file1.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
source pid | source process | target pid | target process | events
3380 | Merged.exe | 4140 | file2.exe | 3
3380 | Merged.exe | 1136 | file1.exe | 3
4140 | file2.exe | 2532 | Explorer.EXE | 6
1136 | file1.exe | 4732 | file1.exe | 3
Three writes from a parent into a child it has just created are what this sandbox logs for ordinary process creation. The six writes from file2.exe into Explorer.EXE (PID 2532), a process it did not create, are the ones that matter and point to injection into the shell.
Processes
C:\Windows\Explorer.EXE  (PID 2532)
  "C:\Users\Admin\AppData\Local\Temp\Monkey Island Crypter\Merged.exe"  (PID 3380)
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\file2.exe"  (PID 4140)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\file1.exe"  (PID 1136)
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      "C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe"  (PID 4732)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\file1.exe
Filesize: 372KB
MD5: 4f9d091e86e2a9718cad1719e04ea5fc
SHA1: d244d117ff9b908762988b6004119b06a06ac8f8
SHA256: 828bbea0c8ba168c2e9fee36b42cde378f64537574430124924d2388507435bf
SHA512: 0340391ced1c25e84540aead0bf50ca8e21da514b080bb2a50aa74fb36c542200fab0871277735952f6a5fd2058c746e95a6ca51672d7196459a257814275297
-
C:\Users\Admin\AppData\Local\Temp\file1.exe
Filesize: 412KB
MD5: 292c796c2e2bbf7275de25c5cf3a5eec
SHA1: 9ecaac42bc9bf107137e049f2cd430f4621fb067
SHA256: c7b8c5c8d08cc8b89ba7c038e473272595250b19b961683d8255dc322908498e
SHA512: 7f0f5f08bfb6dcce66e56a49e791ec2d5795538636ac84bf05d319263aedd064ed8b28715e9dff909b8f76ffe378872212440cbfec19df92bb90ff1a4944668e
-
C:\Users\Admin\AppData\Local\Temp\file2.exe
Filesize: 39KB
MD5: 18be43c31cfe75d34280cb0e6261bb5f
SHA1: c3eef4ae4b87143774a0e8f7c40d6f4c1c570d41
SHA256: c4376229d61d6f01ef5ff9da823828c20e76a1d93e1faf4bc4a85d6c56291ad2
SHA512: a97905de9083e0c710334c43c65bf8210e6ac7da00bebe30014fb45b2ba5395a75f237f7721ff26d9d9fcb6fa756d6b748e08031ebf453e7abc039b9dff247a0
-
file1.exe (412KB) is the infected carrier; 3582-490\file1.exe (372KB) is the original host that the virus writes out and runs, and the roughly 40KB difference is the prepended Neshta body. Hash the carved host, not the carrier, when you want to identify what the infected program originally was.
-
Memory dumps:
memory/1136-138-0x0000000000000000-mapping.dmp
memory/2532-142-0x000000007FFC0000-0x000000007FFC6000-memory.dmp (24KB)
memory/3380-141-0x0000000000400000-0x0000000000403000-memory.dmp (12KB)
memory/3380-132-0x0000000000400000-0x0000000000403000-memory.dmp (12KB)
memory/4140-136-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
memory/4140-137-0x0000000010000000-0x0000000010012000-memory.dmp (72KB)
memory/4140-133-0x0000000000000000-mapping.dmp
memory/4732-143-0x0000000000000000-mapping.dmp
The 24KB region dumped from Explorer.EXE (PID 2532) is the one to examine first, since Explorer.EXE is the process that file2.exe wrote into.