Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 01:47
Static task: static1
Behavioral task: behavioral1
- Sample: Shipment Document BL,INV and Packing list Attached.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Shipment Document BL,INV and Packing list Attached.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Shipment Document BL,INV and Packing list Attached.exe
- Size: 334KB
- MD5: e961d77e00c45f04a0d35f0568556432
- SHA1: 4137b1a66c92dd0db5d1458d0fb8d3a048147663
- SHA256: 172be7bb49ca26c5c67465ac2581d08f6301ffccf25fd319e3bc408db5c8a4d3
- SHA512: 5d4b79b889ad2d24d7231e5d81d39aa02e2738ead1093386b60ac7a0cde50afe76ba6e57b187c2193fab7591ae8a9597ec33f5bdc61c41f6edc67a6d2617c6ad
Malware Config
Signatures
Suspicious use of WriteProcessMemory 15 IoCs
Processes: Shipment Document BL,INV and Packing list Attached.exe, Explorer.EXE, chkdsk.exe
- PID 1492 (Shipment Document BL,INV and Packing list Attached.exe) wrote to memory of PID 388 (Shipment Document BL,INV and Packing list Attached.exe), 7 events
- PID 1228 (Explorer.EXE) wrote to memory of PID 1044 (chkdsk.exe), 4 events
- PID 1044 (chkdsk.exe) wrote to memory of PID 1032 (cmd.exe), 4 events
Suspicious use of SetThreadContext 4 IoCs
Processes: Shipment Document BL,INV and Packing list Attached.exe, chkdsk.exe
- PID 1492 (Shipment Document BL,INV and Packing list Attached.exe) set thread context of PID 388 (Shipment Document BL,INV and Packing list Attached.exe), 1 event
- PID 388 (Shipment Document BL,INV and Packing list Attached.exe) set thread context of PID 1228 (Explorer.EXE), 2 events
- PID 1044 (chkdsk.exe) set thread context of PID 1228 (Explorer.EXE), 1 event
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: Shipment Document BL,INV and Packing list Attached.exe, chkdsk.exe
- PID 388 (Shipment Document BL,INV and Packing list Attached.exe), 3 events
- PID 1044 (chkdsk.exe), 21 events
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Shipment Document BL,INV and Packing list Attached.exe, chkdsk.exe
- Token: SeDebugPrivilege, PID 388 (Shipment Document BL,INV and Packing list Attached.exe)
- Token: SeDebugPrivilege, PID 1044 (chkdsk.exe)
Deletes itself 1 IoCs
Processes: cmd.exe
- PID 1032 (cmd.exe)
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
- PID 1228 (Explorer.EXE), 4 events
Checks whether UAC is enabled
Processes: Explorer.EXE
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: Shipment Document BL,INV and Packing list Attached.exe, chkdsk.exe
- PID 388 (Shipment Document BL,INV and Packing list Attached.exe), 4 events
- PID 1044 (chkdsk.exe), 2 events
Suspicious use of FindShellTrayWindow 5 IoCs
Processes: Explorer.EXE
- PID 1228 (Explorer.EXE), 5 events
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: chkdsk.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier, by chkdsk.exe
Processes
- Level 1: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Level 2: C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe")
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Level 3: C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe (command line: "{path}")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
  - Level 2: C:\Windows\SysWOW64\chkdsk.exe (command line: "C:\Windows\SysWOW64\chkdsk.exe")
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Enumerates system info in registry
    - Level 3: C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe")
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/388-0-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/388-1-0x000000000041E2B0-mapping.dmp
- memory/1032-4-0x0000000000000000-mapping.dmp
- memory/1044-2-0x0000000000000000-mapping.dmp
- memory/1044-3-0x0000000000F20000-0x0000000000F27000-memory.dmp (Filesize 28KB)
- memory/1044-5-0x0000000000DD0000-0x0000000000ED7000-memory.dmp (Filesize 1.0MB)