Analysis
- max time kernel: 65s
- max time network: 63s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: SHIPPING DOCUMENT.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SHIPPING DOCUMENT.exe
- Resource: win10v20201028
General
- Target: SHIPPING DOCUMENT.exe
- Size: 21KB
- MD5: 7602435d3ce856276d88c70ade365e94
- SHA1: 3883c0b282e011c7954ed61e11a948511eec686f
- SHA256: c15fd959d72ff5dd978a6e8e15877b3f41fba6a89d9bb4890287668b17d05a3c
- SHA512: 2a07de2f35a8a031adcbcd97eee3acdc46f080567a6883f4e81d2cdd3d9d78ddb28e0a8b315aa56656d253378def5331fa6e4e6bf05b9ea88a8f2509c1a00b86
Malware Config
Signatures
Windows security modification 3 IoCs
Processes (SHIPPING DOCUMENT.exe, PID 1640):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe = "0"

The excluded path is the svchost.exe copy the sample drops (see "Drops file in Windows directory" below), stored the way Defender records path exclusions: the path is the value name and the data is 0. The Wow6432Node prefix shows the write came from a 32-bit process under WOW64 registry redirection, so the 64-bit Defender service does not read this key directly; the sample also requests the same exclusion through powershell.exe Add-MpPreference in the process tree, which goes through the Defender service itself.
Adds Run key to start application 2 TTPs 1 IoCs
Processes (SHIPPING DOCUMENT.exe, PID 1640):
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dyrziWGaXf = explorer.exe "C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe"

Despite the signature name, the key is the per-user RunOnce key (entries there are removed after they run once), not Run, and the payload is not launched directly: explorer.exe is used as a proxy launcher with the dropped svchost.exe copy as its argument, so the parent of the payload at logon will be explorer.exe rather than the RunOnce handler.
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
- PID 1640 SHIPPING DOCUMENT.exe (12 calls)

ThreadHideFromDebugger stops an attached debugger from receiving events for the calling thread; twelve calls from the sample process is an anti-debugging measure, not something a normal application does.
Drops file in Windows directory 2 IoCs
Processes (SHIPPING DOCUMENT.exe, PID 1640):
- File created: C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe

The file name masquerades as svchost.exe, which legitimately lives only in C:\Windows\System32 and C:\Windows\SysWOW64; the random subdirectory under Microsoft.NET\Framework is the same path that is excluded from Defender and registered in RunOnce above. Writing under C:\Windows requires administrative rights, which the sandbox user (Admin) has.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report shows encryption (the only file written is the dropped svchost.exe copy, and the Network section is empty), and the remaining signatures (Defender exclusion, RunOnce persistence, hidden-from-debugger threads, a one-second timeout) fit a loader or stager rather than ransomware.
Delays execution with timeout.exe 1 IoCs
Processes:
- PID 1188 timeout.exe (spawned via cmd.exe /c timeout 1, a one-second sleep; see the process tree)
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 1056 powershell.exe (2 events)
- PID 1640 SHIPPING DOCUMENT.exe (3 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1640 SHIPPING DOCUMENT.exe
- Token: SeDebugPrivilege, PID 1056 powershell.exe

powershell.exe routinely enables SeDebugPrivilege at startup, so the second entry is expected noise; the first is the sample itself.
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 1640 SHIPPING DOCUMENT.exe wrote to memory of PID 1056 powershell.exe (4 events)
- PID 1640 SHIPPING DOCUMENT.exe wrote to memory of PID 620 cmd.exe (4 events)
- PID 620 cmd.exe wrote to memory of PID 1188 timeout.exe (4 events)

Each entry is a parent writing into a child it has just created, and the identical four-write pattern appears for cmd.exe writing into timeout.exe, a pair with no reason to inject code. This is consistent with process-creation overhead on 32-bit children rather than injection; no write into an unrelated or pre-existing process is recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe (PID 1640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
  Signatures: Windows security modification; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1056, child of 1640)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe" -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 620, child of 1640)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 1188, child of 620)
      Command line: timeout 1
      Signatures: Delays execution with timeout.exe

The command lines name System32, but the images that actually ran are under SysWOW64: the 32-bit parent is subject to WOW64 file system redirection, which matches the Wow6432Node registry paths in the signatures above. The cmd.exe branch is a one-second sleep; the PowerShell branch requests a Defender exclusion for the dropped svchost.exe copy.
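The signatures and the process tree above describe one chain: a file dropped under C:\Windows\Microsoft.NET\Framework, excluded from Defender both by a direct registry write and by Add-MpPreference, and registered in RunOnce behind explorer.exe. The following is an added detection example, not part of the sandbox report or the sample; it runs simple rules over a constructed set of Sysmon-style events (field names and the benign noise entries are assumptions modelled on this report's IoCs) and correlates the three behaviours on the shared path.

```python
"""Detection rules for the chain seen in this report, run over constructed
Sysmon-style events (simplified field names; not real telemetry)."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
# Constructed events modelled on the report's registry, file and process IoCs.
EVENTS = [
    {"type": "process_create", "pid": 1056, "ppid": 1640,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe" -Force'},
    {"type": "registry_set", "pid": 1640, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths"
            r"\C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe",
     "value": "0"},
    {"type": "registry_set", "pid": 1640, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\dyrziWGaXf",
     "value": r'explorer.exe "C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe"'},
    {"type": "file_create", "pid": 1640, "image": SAMPLE,
     "path": r"C:\Windows\Microsoft.NET\Framework\dPkoWthEbQGgxLWFqeyczsvYWj\svchost.exe"},
    # Constructed benign noise: the real svchost.exe and the Defender engine writing its own exclusion.
    {"type": "process_create", "pid": 2000, "ppid": 800,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry_set", "pid": 2100, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Builds", "value": "0"},
]

LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
DEFENDER_ENGINE = "msmpeng.exe"  # assumption: the only image expected to write Exclusions keys


def _norm(path):
    return path.strip('"').lower()


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion_writes(events):
    """Writes under ...\\Windows Defender\\Exclusions\\ by anything other than the Defender engine."""
    pat = re.compile(r"\\windows defender\\exclusions\\(paths|processes|extensions)\\(.+)$", re.I)
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = pat.search(e["key"])
        if m and _basename(e["image"]) != DEFENDER_ENGINE:
            hits.append({"pid": e["pid"], "kind": m.group(1).lower(), "excluded": _norm(m.group(2)),
                         # Wow6432Node means a 32-bit writer under WOW64 registry redirection.
                         "wow64": "\\wow6432node\\" in e["key"].lower()})
    return hits


def add_mppreference_commands(events):
    """Process creations that add a Defender exclusion through the PowerShell cmdlet."""
    pat = re.compile(r'add-mppreference\b.*?-exclusion(?:path|process|extension)\s+(?:"([^"]+)"|(\S+))', re.I)
    hits = []
    for e in events:
        if e["type"] == "process_create":
            m = pat.search(e["cmdline"])
            if m:
                hits.append({"pid": e["pid"], "ppid": e["ppid"], "excluded": _norm(m.group(1) or m.group(2))})
    return hits


def explorer_proxied_autoruns(events):
    """Run/RunOnce values that start the payload as 'explorer.exe "<path>"' instead of directly."""
    key_pat = re.compile(r"\\currentversion\\run(?:once)?\\", re.I)
    val_pat = re.compile(r'^\s*explorer(?:\.exe)?\s+"?([^"]+?)"?\s*$', re.I)
    hits = []
    for e in events:
        if e["type"] == "registry_set" and key_pat.search(e["key"]):
            m = val_pat.match(e["value"])
            if m:
                hits.append({"pid": e["pid"], "key": e["key"], "target": _norm(m.group(1)),
                             "run_once": "\\runonce\\" in e["key"].lower()})
    return hits


def masquerading_svchost(events):
    """svchost.exe created anywhere other than System32/SysWOW64."""
    return sorted(_norm(e["path"]) for e in events
                  if e["type"] == "file_create" and _basename(e["path"]) == "svchost.exe"
                  and _norm(e["path"]) not in LEGIT_SVCHOST)


def correlate_chain(events):
    """Paths that were dropped, excluded from Defender and registered for autorun: the chain in this report."""
    dropped = {_norm(e["path"]) for e in events if e["type"] == "file_create"}
    excluded = ({h["excluded"] for h in defender_exclusion_writes(events)}
                | {h["excluded"] for h in add_mppreference_commands(events)})
    autorun = {h["target"] for h in explorer_proxied_autoruns(events)}
    return sorted(dropped & excluded & autorun)


if __name__ == "__main__":
    for label, rule in [("Defender exclusion writes", defender_exclusion_writes),
                        ("Add-MpPreference commands", add_mppreference_commands),
                        ("explorer-proxied autoruns", explorer_proxied_autoruns),
                        ("svchost masquerades", masquerading_svchost),
                        ("dropped + excluded + autorun", correlate_chain)]:
        print(f"{label}: {rule(EVENTS)}")
```

Each rule fires on its own, but the correlation is the strong signal: a single path that is written to disk, added to the Defender exclusion list and set up for autorun by the same PID is a much rarer combination than any one of the three, and the exclusion rule already ignores writes by the Defender engine itself so legitimate Add-MpPreference use by administrators shows up only through the command-line rule.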
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/620-10-0x0000000000000000-mapping.dmp
- memory/1056-14-0x0000000004850000-0x0000000004851000-memory.dmp (4KB)
- memory/1056-11-0x00000000746F0000-0x0000000074DDE000-memory.dmp (6.9MB)
- memory/1056-17-0x0000000000C32000-0x0000000000C33000-memory.dmp (4KB)
- memory/1056-15-0x0000000002770000-0x0000000002771000-memory.dmp (4KB)
- memory/1056-8-0x0000000000000000-mapping.dmp
- memory/1056-50-0x00000000062C0000-0x00000000062C1000-memory.dmp (4KB)
- memory/1056-36-0x0000000005610000-0x0000000005611000-memory.dmp (4KB)
- memory/1056-27-0x000000007EF30000-0x000000007EF31000-memory.dmp (4KB)
- memory/1056-16-0x0000000000C30000-0x0000000000C31000-memory.dmp (4KB)
- memory/1056-35-0x0000000006240000-0x0000000006241000-memory.dmp (4KB)
- memory/1056-51-0x0000000006310000-0x0000000006311000-memory.dmp (4KB)
- memory/1056-28-0x00000000061B0000-0x00000000061B1000-memory.dmp (4KB)
- memory/1056-13-0x0000000000C70000-0x0000000000C71000-memory.dmp (4KB)
- memory/1056-18-0x0000000005240000-0x0000000005241000-memory.dmp (4KB)
- memory/1056-21-0x0000000005650000-0x0000000005651000-memory.dmp (4KB)
- memory/1056-26-0x0000000006040000-0x0000000006041000-memory.dmp (4KB)
- memory/1188-12-0x0000000000000000-mapping.dmp
- memory/1640-6-0x0000000000C30000-0x0000000000C31000-memory.dmp (4KB)
- memory/1640-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp (6.9MB)
- memory/1640-5-0x00000000761E1000-0x00000000761E3000-memory.dmp (8KB)
- memory/1640-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp (4KB)
- memory/1640-7-0x00000000056C0000-0x000000000579A000-memory.dmp (872KB)
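The dump names above encode the PID, a sequence number and the dumped address range, and the stated Filesize is just the range length. The following is an added helper, not part of the sandbox report, that parses that naming scheme (the format is inferred from the names listed here), reproduces the size column, groups dumps per PID and finds ranges dumped at the same address from more than one process; in this report the 6.9MB region 0x746F0000-0x74DDE000 and the 4KB region 0x00C30000-0x00C31000 both appear for PID 1640 and PID 1056, which is what a module or shared structure mapped at the same base in both processes looks like.

```python
"""Parser for the memory-dump names in the Downloads list.
Names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, or
memory/<pid>-<seq>-0x<addr>-mapping.dmp for entries that carry no range."""
import re
from collections import defaultdict

# Copied from the Downloads list of this report.
DUMPS = """
memory/620-10-0x0000000000000000-mapping.dmp
memory/1056-14-0x0000000004850000-0x0000000004851000-memory.dmp
memory/1056-11-0x00000000746F0000-0x0000000074DDE000-memory.dmp
memory/1056-17-0x0000000000C32000-0x0000000000C33000-memory.dmp
memory/1056-15-0x0000000002770000-0x0000000002771000-memory.dmp
memory/1056-8-0x0000000000000000-mapping.dmp
memory/1056-50-0x00000000062C0000-0x00000000062C1000-memory.dmp
memory/1056-36-0x0000000005610000-0x0000000005611000-memory.dmp
memory/1056-27-0x000000007EF30000-0x000000007EF31000-memory.dmp
memory/1056-16-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/1056-35-0x0000000006240000-0x0000000006241000-memory.dmp
memory/1056-51-0x0000000006310000-0x0000000006311000-memory.dmp
memory/1056-28-0x00000000061B0000-0x00000000061B1000-memory.dmp
memory/1056-13-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/1056-18-0x0000000005240000-0x0000000005241000-memory.dmp
memory/1056-21-0x0000000005650000-0x0000000005651000-memory.dmp
memory/1056-26-0x0000000006040000-0x0000000006041000-memory.dmp
memory/1188-12-0x0000000000000000-mapping.dmp
memory/1640-6-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/1640-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp
memory/1640-5-0x00000000761E1000-0x00000000761E3000-memory.dmp
memory/1640-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/1640-7-0x00000000056C0000-0x000000000579A000-memory.dmp
""".split()

NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dump(name):
    """Split one dump name into pid, sequence number, kind, address range and size in bytes."""
    m = NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    start_i = int(start, 16)
    end_i = int(end, 16) if end else None  # mapping.dmp entries have no end address
    return {"pid": int(pid), "seq": int(seq), "kind": kind, "start": start_i, "end": end_i,
            "size": (end_i - start_i) if end_i is not None else 0}


def human(n):
    """Render a byte count the way the report's Filesize column does: whole KB below 1 MiB, one-decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def dumps_by_pid(names):
    """Group parsed dumps per PID, ordered by sequence number within each process."""
    out = defaultdict(list)
    for d in sorted(map(parse_dump, names), key=lambda d: (d["pid"], d["seq"])):
        out[d["pid"]].append(d)
    return dict(out)


def shared_regions(names):
    """Address ranges dumped from more than one PID, mapped to the sorted list of those PIDs."""
    by_range = defaultdict(set)
    for d in map(parse_dump, names):
        if d["kind"] == "memory":
            by_range[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    for pid, dumps in dumps_by_pid(DUMPS).items():
        total = sum(d["size"] for d in dumps)
        print(f"PID {pid}: {len(dumps)} dumps, {human(total)} dumped in total")
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"shared range 0x{start:08X}-0x{end:08X} ({human(end - start)}) in PIDs {pids}")
```

Sorting by sequence number rather than by the order the page lists them gives the order in which the sandbox captured the regions, which is usually the order the process mapped them.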