Overview

overview

10

Static

static

Shipment D...st.exe

windows7_x64

3

Shipment D...st.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    08-10-2021 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BLINV and Packing list.exe

  • Size

    25KB

  • MD5

    bd1b61722ae264d4f00a0fb412d12bc0

  • SHA1

    4188fa6acae6960268d2bc0512aea9dc08ba7486

  • SHA256

    58a5be83221386f1bae87b2a785b08c758591bcbc235b21132240feece1972bc

  • SHA512

    8feff8a854015545ac3b92d1e2d3242957ca504c6b5d89160951e64421c8c06d0643a6af3a6a436901eae43790741a642d8a71c91330bfccefcbfccb808ba6f6

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe" Demo
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1880
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 1772
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    85c1bb3a9cd3b25e1be9a342051aad9f

    SHA1

    8c9bbbc59fa11c0f2ef8528784f53915ec92cb00

    SHA256

    4d727f7e09dbefffd13878588650b5363963ce4642fac802fb06914acaed8133

    SHA512

    7a60ab0947fcc1eb9201a15e06c86479c094cd67ac0bab794f4d9504f6e8e8821ee38b8a07a4ab9e36a4f71604845d152133e4c398f8c2bcc637a5df7421be1f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    85c1bb3a9cd3b25e1be9a342051aad9f

    SHA1

    8c9bbbc59fa11c0f2ef8528784f53915ec92cb00

    SHA256

    4d727f7e09dbefffd13878588650b5363963ce4642fac802fb06914acaed8133

    SHA512

    7a60ab0947fcc1eb9201a15e06c86479c094cd67ac0bab794f4d9504f6e8e8821ee38b8a07a4ab9e36a4f71604845d152133e4c398f8c2bcc637a5df7421be1f

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/592-57-0x0000000000000000-mapping.dmp
    Download
  • memory/592-77-0x00000000007F0000-0x00000000007F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/988-79-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/988-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1432-56-0x00000000768C1000-0x00000000768C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1432-54-0x00000000008B0000-0x00000000008B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1820-64-0x00000000025F1000-0x00000000025F2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1820-63-0x00000000025F0000-0x00000000025F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1820-65-0x00000000025F2000-0x00000000025F4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1820-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1880-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1880-73-0x0000000001BB0000-0x0000000001BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-75-0x0000000001BB1000-0x0000000001BB2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-76-0x0000000001BB2000-0x0000000001BB4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2008-70-0x0000000000000000-mapping.dmp
    Download
  • memory/2008-74-0x0000000002400000-0x000000000304A000-memory.dmp
    Filesize

    12.3MB

    Download