bc5f360a2a8da9462d0509aab3b46b3fda11bc6b94a3bda8e5aa7be625aa08a9

General

Target

Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
Size

667KB
MD5

d3369a2c24a7af7468ed5ae72bf66b96
SHA1

3001c674481ee2780bc52ba30621e45646759745
SHA256

bc5f360a2a8da9462d0509aab3b46b3fda11bc6b94a3bda8e5aa7be625aa08a9
SHA512

8b709a04c72c0fa507695bf086e00530e67d12f6cf90311e56494d93a1f4f8eca1c307f72dd1384256f327ce3dfc4bfcf4e4968ad77a7396006f0df92e1a7594

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1808	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	26
PID 892 wrote to memory of 1808	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	26
PID 892 wrote to memory of 1808	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	26
PID 892 wrote to memory of 1792	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	28
PID 892 wrote to memory of 1792	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	28
PID 892 wrote to memory of 1792	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	28
PID 892 wrote to memory of 1836	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	29
PID 892 wrote to memory of 1836	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	29
PID 892 wrote to memory of 1836	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	29
PID 892 wrote to memory of 1780	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	30
PID 892 wrote to memory of 1780	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	30
PID 892 wrote to memory of 1780	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	30
PID 892 wrote to memory of 1816	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	31
PID 892 wrote to memory of 1816	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	31
PID 892 wrote to memory of 1816	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	31
PID 892 wrote to memory of 1768	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	32
PID 892 wrote to memory of 1768	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	32
PID 892 wrote to memory of 1768	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe	32

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
892	Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1808	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
"C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:892
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LxPToXCo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B95.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
  "{path}"
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
  "{path}"
  2⤵
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
  "{path}"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
  "{path}"
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\Maersk-Update 92 on the impact of COVID-19-India Nepal and Bhutan- MSL - Update 92.exe
  "{path}"
  2⤵
  PID:1768