172be7bb49ca26c5c67465ac2581d08f6301ffccf25fd319e3bc408db5c8a4d3

General

Target

Shipment Document BL,INV and Packing list Attached.exe
Size

334KB
MD5

e961d77e00c45f04a0d35f0568556432
SHA1

4137b1a66c92dd0db5d1458d0fb8d3a048147663
SHA256

172be7bb49ca26c5c67465ac2581d08f6301ffccf25fd319e3bc408db5c8a4d3
SHA512

5d4b79b889ad2d24d7231e5d81d39aa02e2738ead1093386b60ac7a0cde50afe76ba6e57b187c2193fab7591ae8a9597ec33f5bdc61c41f6edc67a6d2617c6ad

Score

7^/10

evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Shipment Document BL,INV and Packing list Attached.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1492 wrote to memory of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 1228 wrote to memory of 1044	1228	Explorer.EXE	chkdsk.exe
PID 1228 wrote to memory of 1044	1228	Explorer.EXE	chkdsk.exe
PID 1228 wrote to memory of 1044	1228	Explorer.EXE	chkdsk.exe
PID 1228 wrote to memory of 1044	1228	Explorer.EXE	chkdsk.exe
PID 1044 wrote to memory of 1032	1044	chkdsk.exe	cmd.exe
PID 1044 wrote to memory of 1032	1044	chkdsk.exe	cmd.exe
PID 1044 wrote to memory of 1032	1044	chkdsk.exe	cmd.exe
PID 1044 wrote to memory of 1032	1044	chkdsk.exe	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Shipment Document BL,INV and Packing list Attached.exeShipment Document BL,INV and Packing list Attached.exechkdsk.exe

description	pid	process	target process
PID 1492 set thread context of 388	1492	Shipment Document BL,INV and Packing list Attached.exe	Shipment Document BL,INV and Packing list Attached.exe
PID 388 set thread context of 1228	388	Shipment Document BL,INV and Packing list Attached.exe	Explorer.EXE
PID 388 set thread context of 1228	388	Shipment Document BL,INV and Packing list Attached.exe	Explorer.EXE
PID 1044 set thread context of 1228	1044	chkdsk.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Shipment Document BL,INV and Packing list Attached.exechkdsk.exe

pid	process
388	Shipment Document BL,INV and Packing list Attached.exe
388	Shipment Document BL,INV and Packing list Attached.exe
388	Shipment Document BL,INV and Packing list Attached.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe
1044	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipment Document BL,INV and Packing list Attached.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 388 Shipment Document BL,INV and Packing list Attached.exe
Token: SeDebugPrivilege 1044 chkdsk.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1032 cmd.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	388	Shipment Document BL,INV and Packing list Attached.exe
Token: SeDebugPrivilege	1044	chkdsk.exe

pid	process
1032	cmd.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Shipment Document BL,INV and Packing list Attached.exechkdsk.exe

pid	process
388	Shipment Document BL,INV and Packing list Attached.exe
388	Shipment Document BL,INV and Packing list Attached.exe
388	Shipment Document BL,INV and Packing list Attached.exe
388	Shipment Document BL,INV and Packing list Attached.exe
1044	chkdsk.exe
1044	chkdsk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
PID:1228

C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1492

C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:388

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Enumerates system info in registry
PID:1044

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing list Attached.exe"
3⤵
- Deletes itself
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/388-1-0x000000000041E2B0-mapping.dmp

Download
memory/1032-4-0x0000000000000000-mapping.dmp

Download
memory/1044-2-0x0000000000000000-mapping.dmp

Download
memory/1044-3-0x0000000000F20000-0x0000000000F27000-memory.dmp

Filesize
28KB

Download
memory/1044-5-0x0000000000DD0000-0x0000000000ED7000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads