Analysis
  max time kernel:  57s
  max time network: 116s
  platform:         windows10_x64
  resource:         win10v20201028
  submitted:        26-02-2021 06:54
Static task
  static1
Behavioral task
  behavioral1
    Sample:   SHIPPING DOCUMENT.exe
    Resource: win7v20201028 (windows7_x64)
    0 signatures, 0 seconds
Behavioral task
  behavioral2
    Sample:   SHIPPING DOCUMENT.exe
    Resource: win10v20201028 (windows10_x64)
    0 signatures, 0 seconds
General
  Target: SHIPPING DOCUMENT.exe
  Size:   21KB
  MD5:    7602435d3ce856276d88c70ade365e94
  SHA1:   3883c0b282e011c7954ed61e11a948511eec686f
  SHA256: c15fd959d72ff5dd978a6e8e15877b3f41fba6a89d9bb4890287668b17d05a3c
  SHA512: 2a07de2f35a8a031adcbcd97eee3acdc46f080567a6883f4e81d2cdd3d9d78ddb28e0a8b315aa56656d253378def5331fa6e4e6bf05b9ea88a8f2509c1a00b86
  Score:  5/10
Malware Config
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger (14 IoCs)
  Processes (pid / process):
    3920  SHIPPING DOCUMENT.exe   (same entry repeated 14 times)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
    4016  timeout.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
    3920  SHIPPING DOCUMENT.exe   (same entry repeated 3 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege   3920  SHIPPING DOCUMENT.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 3920 wrote to memory of 3764   3920  SHIPPING DOCUMENT.exe  cmd.exe       (repeated 3 times)
    PID 3764 wrote to memory of 4016   3764  cmd.exe                timeout.exe   (repeated 3 times)
Processes
  C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
    PID: 3920
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
      PID: 3764
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 1
        PID: 4016
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads (file / filesize)
  memory/3764-11-0x0000000000000000-mapping.dmp
  memory/3920-2-0x0000000073300000-0x00000000739EE000-memory.dmp    6.9MB
  memory/3920-3-0x0000000000C00000-0x0000000000C01000-memory.dmp    4KB
  memory/3920-5-0x0000000005540000-0x0000000005541000-memory.dmp    4KB
  memory/3920-6-0x0000000008100000-0x0000000008101000-memory.dmp    4KB
  memory/3920-7-0x0000000005C10000-0x0000000005CEA000-memory.dmp    872KB
  memory/3920-8-0x000000000A6A0000-0x000000000A6A1000-memory.dmp    4KB
  memory/3920-9-0x000000000A240000-0x000000000A241000-memory.dmp    4KB
  memory/3920-10-0x0000000005D30000-0x0000000005D31000-memory.dmp   4KB
  memory/4016-12-0x0000000000000000-mapping.dmp