c15fd959d72ff5dd978a6e8e15877b3f41fba6a89d9bb4890287668b17d05a3c

General

Target

SHIPPING DOCUMENT.exe
Size

21KB
MD5

7602435d3ce856276d88c70ade365e94
SHA1

3883c0b282e011c7954ed61e11a948511eec686f
SHA256

c15fd959d72ff5dd978a6e8e15877b3f41fba6a89d9bb4890287668b17d05a3c
SHA512

2a07de2f35a8a031adcbcd97eee3acdc46f080567a6883f4e81d2cdd3d9d78ddb28e0a8b315aa56656d253378def5331fa6e4e6bf05b9ea88a8f2509c1a00b86

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

SHIPPING DOCUMENT.exe

pid	process
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe
3920	SHIPPING DOCUMENT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4016 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SHIPPING DOCUMENT.exe

pid process

3920 SHIPPING DOCUMENT.exe
3920 SHIPPING DOCUMENT.exe
3920 SHIPPING DOCUMENT.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SHIPPING DOCUMENT.exe

description pid process

Token: SeDebugPrivilege 3920 SHIPPING DOCUMENT.exe

pid	process
4016	timeout.exe

description	pid	process
Token: SeDebugPrivilege	3920	SHIPPING DOCUMENT.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SHIPPING DOCUMENT.execmd.exe

description	pid	process	target process
PID 3920 wrote to memory of 3764	3920	SHIPPING DOCUMENT.exe	cmd.exe
PID 3920 wrote to memory of 3764	3920	SHIPPING DOCUMENT.exe	cmd.exe
PID 3920 wrote to memory of 3764	3920	SHIPPING DOCUMENT.exe	cmd.exe
PID 3764 wrote to memory of 4016	3764	cmd.exe	timeout.exe
PID 3764 wrote to memory of 4016	3764	cmd.exe	timeout.exe
PID 3764 wrote to memory of 4016	3764	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3764-11-0x0000000000000000-mapping.dmp

Download
memory/3920-2-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3920-3-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3920-5-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3920-6-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3920-7-0x0000000005C10000-0x0000000005CEA000-memory.dmp

Filesize
872KB

Download
memory/3920-8-0x000000000A6A0000-0x000000000A6A1000-memory.dmp

Filesize
4KB

Download
memory/3920-9-0x000000000A240000-0x000000000A241000-memory.dmp

Filesize
4KB

Download
memory/3920-10-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/4016-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing