d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97

General

Target

AWD SHANGHAI SHIPMENT SCHEDULE.exe
Size

760KB
MD5

8bf9536b65dec39bbf0b8733e4ad2ac4
SHA1

d7a8458e48bc1abddddaabf8e3ac6d35ef4e2c7a
SHA256

d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97
SHA512

00fd52c6d21871f584fe67a8042f65479b06d4505ab84fc344f4cebefaae4928fff8c57ef0842d87750971a21b0174c4065b09d231b077b3278bc5290d2e0cb8

Score

9^/10

Malware Config

Signatures

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/900-121-0x00000000052B0000-0x00000000052BB000-memory.dmp	CustAttr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2172 schtasks.exe

pid	process
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

AWD SHANGHAI SHIPMENT SCHEDULE.exepowershell.exepowershell.exepowershell.exe

pid	process
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
3560	powershell.exe
2152	powershell.exe
3548	powershell.exe
3548	powershell.exe
3560	powershell.exe
2152	powershell.exe
3560	powershell.exe
2152	powershell.exe
3548	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AWD SHANGHAI SHIPMENT SCHEDULE.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

AWD SHANGHAI SHIPMENT SCHEDULE.exe

description	pid	process	target process
PID 900 wrote to memory of 3548	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 3548	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 3548	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 2152	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 2152	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 2152	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 2172	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	schtasks.exe
PID 900 wrote to memory of 2172	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	schtasks.exe
PID 900 wrote to memory of 2172	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	schtasks.exe
PID 900 wrote to memory of 3560	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 3560	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 3560	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 900 wrote to memory of 3900	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3900	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3900	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3700	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3700	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3700	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3924	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3924	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3924	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3712	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3712	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3712	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3224	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3224	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 900 wrote to memory of 3224	900	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CLBTGpuxewYAR.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CLBTGpuxewYAR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp"
2⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CLBTGpuxewYAR.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
PID:3224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c1048040379319a76305a0be1bd2a7ec

SHA1
20ebd0eea83c27e5e60eabf93e153d9a18b95294

SHA256
2174bc694f0ec4476844be0813acf8d1dcede4c583866c7529ab44f91010add2

SHA512
83a2dc35dce0fc6b51fe8291b4b7be3bc9d37189cef4171eed0604597772521d8cade6273d2a31d43480759cab3573e423b1197b32ad855da3e89ca3ba3423bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
25990c1a9ce7b77cb56eb7f8d56c7c65

SHA1
cb0275b42c56dc03bcca7fa59cb2a766db3fda4f

SHA256
af64a444807136c13f855678e57c92b0087a8b1c77f8843b0887a0d4449136be

SHA512
bdcce529e8c285e1c3f46ddfe27a0d093f41ed313645c827758b89877ac138c8e9eaf2677b8046401dbb91bd3f7e02b55ad240bc806283e780f6190f44d33779

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp
MD5
a90c5f80307716dfd6c6a8112cec8719

SHA1
741f4a5edef49c7fc6305c6f3b48bfc9c6feb393

SHA256
5600d166e9f8c687a4782d01805562e5205d47a9cd0562d79830e7958fe67063

SHA512
db12e487871e5f6b90a5d8ab5664bceefc32e6a98007b81c6c20e2d4077baf37fc1a22c5b6b31d652ee4d6e8ab4cd1b5427fae27f07e2f91a6cfe4bc1b6966cf

Download Submit
memory/900-120-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/900-117-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/900-121-0x00000000052B0000-0x00000000052BB000-memory.dmp

Filesize
44KB

Download
memory/900-122-0x0000000007A30000-0x0000000007AB2000-memory.dmp

Filesize
520KB

Download
memory/900-123-0x0000000007B10000-0x0000000007B4D000-memory.dmp

Filesize
244KB

Download
memory/900-119-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/900-116-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/900-114-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/900-118-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2152-263-0x0000000006773000-0x0000000006774000-memory.dmp

Filesize
4KB

Download
memory/2152-125-0x0000000000000000-mapping.dmp

Download
memory/2152-228-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/2152-226-0x000000007EA90000-0x000000007EA91000-memory.dmp

Filesize
4KB

Download
memory/2152-156-0x0000000006772000-0x0000000006773000-memory.dmp

Filesize
4KB

Download
memory/2152-154-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/2172-128-0x0000000000000000-mapping.dmp

Download
memory/3548-152-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/3548-227-0x000000007E750000-0x000000007E751000-memory.dmp

Filesize
4KB

Download
memory/3548-124-0x0000000000000000-mapping.dmp

Download
memory/3548-151-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

Filesize
4KB

Download
memory/3548-130-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/3548-129-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3548-159-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/3548-133-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/3548-256-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

Filesize
4KB

Download
memory/3548-190-0x00000000094F0000-0x0000000009523000-memory.dmp

Filesize
204KB

Download
memory/3548-211-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/3560-225-0x000000007EE00000-0x000000007EE01000-memory.dmp

Filesize
4KB

Download
memory/3560-142-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/3560-148-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3560-137-0x0000000000000000-mapping.dmp

Download
memory/3560-165-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/3560-260-0x00000000046D3000-0x00000000046D4000-memory.dmp

Filesize
4KB

Download
memory/3560-162-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3560-158-0x00000000046D2000-0x00000000046D3000-memory.dmp

Filesize
4KB

Download
memory/3560-157-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3560-145-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads