1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028

General

Target

ShippingDocs.exe
Size

55KB
MD5

a3e458f7e2e1f940b0c62042afe607d3
SHA1

6fb0a031365530ebb273f47f034181a530e31b70
SHA256

1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
SHA512

9d27b5a6e1086b315bb71cccca1f64e718d1815adbccde1a3483e1404ec3d5d8a6eddc90de373e362543a8db69bf5118e36fef6c8b4cc82d40a4f771b44766e8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

972 powershell.exe
684 powershell.exe
1296 powershell.exe

pid	process
972	powershell.exe
684	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeShippingDocs.exe

description	pid	process
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1776	ShippingDocs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ShippingDocs.exe

description	pid	process	target process
PID 1776 wrote to memory of 972	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 972	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 972	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 972	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 684	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 684	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 684	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 684	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 1296	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 1296	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 1296	1776	ShippingDocs.exe	powershell.exe
PID 1776 wrote to memory of 1296	1776	ShippingDocs.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ShippingDocs.exe
"C:\Users\Admin\AppData\Local\Temp\ShippingDocs.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
b93aa52bc4ca9f273e364cc0bdeb6a34

SHA1
5643be7ea7babc96b6f58bd76d0589506fe44ab7

SHA256
4da7bc30657adb93765449d1c5a10a7883d06ba28bfeb9614d8f04aa1fd3303e

SHA512
296c7f891d00c4924438eef53259e4e3259f1b7d038278d30de03b25854b9f0e732498c780267e8128733c49cd7adaecaa6b5a93ee46dda6062a64f56e7dab35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
b93aa52bc4ca9f273e364cc0bdeb6a34

SHA1
5643be7ea7babc96b6f58bd76d0589506fe44ab7

SHA256
4da7bc30657adb93765449d1c5a10a7883d06ba28bfeb9614d8f04aa1fd3303e

SHA512
296c7f891d00c4924438eef53259e4e3259f1b7d038278d30de03b25854b9f0e732498c780267e8128733c49cd7adaecaa6b5a93ee46dda6062a64f56e7dab35

Download Submit
memory/684-61-0x0000000000000000-mapping.dmp

Download
memory/684-68-0x0000000002670000-0x00000000032BA000-memory.dmp

Filesize
12.3MB

Download
memory/684-69-0x0000000002670000-0x00000000032BA000-memory.dmp

Filesize
12.3MB

Download
memory/684-67-0x0000000002670000-0x00000000032BA000-memory.dmp

Filesize
12.3MB

Download
memory/972-59-0x0000000002311000-0x0000000002312000-memory.dmp

Filesize
4KB

Download
memory/972-60-0x0000000002312000-0x0000000002314000-memory.dmp

Filesize
8KB

Download
memory/972-58-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/972-56-0x0000000000000000-mapping.dmp

Download
memory/1296-64-0x0000000000000000-mapping.dmp

Download
memory/1296-71-0x00000000022C1000-0x00000000022C2000-memory.dmp

Filesize
4KB

Download
memory/1296-70-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1296-72-0x00000000022C2000-0x00000000022C4000-memory.dmp

Filesize
8KB

Download
memory/1776-53-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1776-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1776-73-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing