c15fd959d72ff5dd978a6e8e15877b3f41fba6a89d9bb4890287668b17d05a3c

General

Target

SHIPPING DOCUMENT.exe
Size

21KB
MD5

7602435d3ce856276d88c70ade365e94
SHA1

3883c0b282e011c7954ed61e11a948511eec686f
SHA256

c15fd959d72ff5dd978a6e8e15877b3f41fba6a89d9bb4890287668b17d05a3c
SHA512

2a07de2f35a8a031adcbcd97eee3acdc46f080567a6883f4e81d2cdd3d9d78ddb28e0a8b315aa56656d253378def5331fa6e4e6bf05b9ea88a8f2509c1a00b86

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

SHIPPING DOCUMENT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	SHIPPING DOCUMENT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	SHIPPING DOCUMENT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe = "0"	SHIPPING DOCUMENT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SHIPPING DOCUMENT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dyrziWGaXf = "explorer.exe \"C:\\Windows\\Microsoft.NET\\Framework\\dPkoWthEbQGgxLWFqeyczsvYWj\\svchost.exe\""	SHIPPING DOCUMENT.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

SHIPPING DOCUMENT.exe

pid	process
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe

Drops file in Windows directory 2 IoCs

Processes:

SHIPPING DOCUMENT.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe	SHIPPING DOCUMENT.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe	SHIPPING DOCUMENT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1188 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeSHIPPING DOCUMENT.exe

pid process

1056 powershell.exe
1056 powershell.exe
1640 SHIPPING DOCUMENT.exe
1640 SHIPPING DOCUMENT.exe
1640 SHIPPING DOCUMENT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SHIPPING DOCUMENT.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1640 SHIPPING DOCUMENT.exe
Token: SeDebugPrivilege 1056 powershell.exe

pid	process
1188	timeout.exe

pid	process
1056	powershell.exe
1056	powershell.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe
1640	SHIPPING DOCUMENT.exe

description	pid	process
Token: SeDebugPrivilege	1640	SHIPPING DOCUMENT.exe
Token: SeDebugPrivilege	1056	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SHIPPING DOCUMENT.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 1056	1640	SHIPPING DOCUMENT.exe	powershell.exe
PID 1640 wrote to memory of 1056	1640	SHIPPING DOCUMENT.exe	powershell.exe
PID 1640 wrote to memory of 1056	1640	SHIPPING DOCUMENT.exe	powershell.exe
PID 1640 wrote to memory of 1056	1640	SHIPPING DOCUMENT.exe	powershell.exe
PID 1640 wrote to memory of 620	1640	SHIPPING DOCUMENT.exe	cmd.exe
PID 1640 wrote to memory of 620	1640	SHIPPING DOCUMENT.exe	cmd.exe
PID 1640 wrote to memory of 620	1640	SHIPPING DOCUMENT.exe	cmd.exe
PID 1640 wrote to memory of 620	1640	SHIPPING DOCUMENT.exe	cmd.exe
PID 620 wrote to memory of 1188	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 1188	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 1188	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 1188	620	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
1⤵
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-10-0x0000000000000000-mapping.dmp

Download
memory/1056-14-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1056-11-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1056-17-0x0000000000C32000-0x0000000000C33000-memory.dmp

Filesize
4KB

Download
memory/1056-15-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1056-8-0x0000000000000000-mapping.dmp

Download
memory/1056-50-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1056-36-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1056-27-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1056-16-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1056-35-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1056-51-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1056-28-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/1056-13-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1056-18-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1056-21-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1056-26-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1188-12-0x0000000000000000-mapping.dmp

Download
memory/1640-6-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1640-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-5-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1640-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1640-7-0x00000000056C0000-0x000000000579A000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads