Analysis
- max time kernel: 122s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 08-10-2021 13:42
Static task: static1
Behavioral task: behavioral1
- Sample: Shipment Document BLINV and Packing list.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Shipment Document BLINV and Packing list.exe
- Resource: win10-en-20210920
General
- Target: Shipment Document BLINV and Packing list.exe
- Size: 25KB
- MD5: bd1b61722ae264d4f00a0fb412d12bc0
- SHA1: 4188fa6acae6960268d2bc0512aea9dc08ba7486
- SHA256: 58a5be83221386f1bae87b2a785b08c758591bcbc235b21132240feece1972bc
- SHA512: 8feff8a854015545ac3b92d1e2d3242957ca504c6b5d89160951e64421c8c06d0643a6af3a6a436901eae43790741a642d8a71c91330bfccefcbfccb808ba6f6
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. The only files written in this run are a jump-list entry and an empty srvsvc pipe record, so the description on its own does not support a ransomware verdict for this sample.)
- Program crash (1 IoCs)
  Processes:
  pid   pid_target   process        target process
  988   592          WerFault.exe   Shipment Document BLINV and Packing list.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid    process
  1820   powershell.exe
  1880   powershell.exe
  2008   powershell.exe
  988    WerFault.exe (listed 4 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid   process
  988   WerFault.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   1820   powershell.exe
  Token: SeDebugPrivilege   1880   powershell.exe
  Token: SeDebugPrivilege   2008   powershell.exe
  Token: SeDebugPrivilege   592    Shipment Document BLINV and Packing list.exe
  Token: SeDebugPrivilege   988    WerFault.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (the report lists 20 rows, four identical rows per parent/target pair; condensed here with a row count):
  pid    process                                        target pid   target process                                 rows
  1432   Shipment Document BLINV and Packing list.exe   592          Shipment Document BLINV and Packing list.exe   4
  592    Shipment Document BLINV and Packing list.exe   1820         powershell.exe                                 4
  592    Shipment Document BLINV and Packing list.exe   1880         powershell.exe                                 4
  592    Shipment Document BLINV and Packing list.exe   2008         powershell.exe                                 4
  592    Shipment Document BLINV and Packing list.exe   988          WerFault.exe                                   4
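The WriteProcessMemory table above, rebuilt into a process graph. This is an added example, not part of the sandbox report and not the sandbox's own signature logic: the PIDs, process names and row wording are taken from the table (all 20 rows are reconstructed inline in the report's run-together format), while the three heuristics, the LOLBin list and the finding names are assumptions of this example. Four identical rows per parent/target pair is the normal footprint of child-process creation in this kind of log (the parent writes the new process's startup parameters), so the row count alone is not the signal; the shape of the graph is: the sample launches a second copy of its own image, and that copy is what drives three PowerShell instances and then crashes.

```python
"""Rebuild a sandbox 'wrote to memory of' table into a process graph.

Added example, not part of the sandbox report. Heuristics and names are
assumptions of this example; PIDs, images and row format come from the report.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "Shipment Document BLINV and Packing list.exe"
PS = "powershell.exe"
WER = "WerFault.exe"

# The report's 20 rows: each (pid, target pid, process, target process)
# pair appears four times. Reconstructed here in the report's own wording,
# joined on one line exactly as the report presents them.
_PAIRS = ([(1432, 592, SAMPLE, SAMPLE)] * 4
          + [(592, 1820, SAMPLE, PS)] * 4
          + [(592, 1880, SAMPLE, PS)] * 4
          + [(592, 2008, SAMPLE, PS)] * 4
          + [(592, 988, SAMPLE, WER)] * 4)
RAW_TABLE = " ".join(f"PID {s} wrote to memory of {d} {s} {si} {di}"
                     for s, d, si, di in _PAIRS)

# One row: "PID <pid> wrote to memory of <target> <pid> <process> <target process>".
# Process names contain spaces, so anchor on the ".exe" suffix and on the
# next "PID" (or end of text) instead of on whitespace.
ROW_RE = re.compile(
    r"PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)(?= PID |$)")


def parse_wpm(text):
    """Return ({(src_pid, dst_pid): (src_image, dst_image)}, Counter of rows)."""
    images, rows = {}, Counter()
    for m in ROW_RE.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        images[key] = (src_img, dst_img)
        rows[key] += 1
    return images, rows


# Scripting hosts a dropper typically hands off to (assumed list).
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def analyse(images):
    """Graph heuristics (this example's, not the sandbox's) as (name, src, dst, image)."""
    findings = []
    written_to = {dst for (_, dst) in images}
    for (src, dst), (src_img, dst_img) in sorted(images.items()):
        if src_img.lower() == dst_img.lower():
            # A process writing into a fresh copy of its own image: the
            # re-launch-and-inject pattern used by self-unpacking droppers.
            findings.append(("same-image-child", src, dst, dst_img))
        if src in written_to and dst_img.lower() in LOLBINS:
            # The copy that was written into is the one driving a scripting host.
            findings.append(("lolbin-from-written-process", src, dst, dst_img))
        if src in written_to and dst_img.lower() == "werfault.exe":
            findings.append(("crash-of-written-process", src, dst, dst_img))
    return findings


def process_tree(images):
    """Render the graph as indented 'pid image' lines, roots first."""
    name, kids = {}, defaultdict(list)
    for (src, dst), (src_img, dst_img) in images.items():
        name[src], name[dst] = src_img, dst_img
        kids[src].append(dst)
    targets = {dst for (_, dst) in images}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {name[pid]}")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in name if p not in targets):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    imgs, counts = parse_wpm(RAW_TABLE)
    print("\n".join(process_tree(imgs)))
    for key, n in sorted(counts.items()):
        print(f"{key[0]} -> {key[1]}: {n} rows")
    for finding in analyse(imgs):
        print(*finding)
```

Run it as a script to print the tree, the per-pair row counts and the findings; on the report's rows it reports one same-image child (1432 into 592), three scripting hosts written by 592, and one WerFault report for 592.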
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe (PID 1432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe (PID 592, child of 1432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Document BLINV and Packing list.exe" Demo
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 592)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 592)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 592)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 988, child of 592)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 1772
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
  Notes on the tree: the three PowerShell children are PIDs 1820, 1880 and 2008 according to the signature tables; the report does not say which entry is which. Each PowerShell command line asks for C:\Windows\System32\...\powershell.exe but the image that actually ran is under C:\Windows\SysWOW64, which is WOW64 file-system redirection: the launching process (PID 592) is 32-bit. Test-NetConnection is provided by the NetTCPIP module that ships with Windows 8 / Server 2012 and later, so on this Windows 7 task the cmdlet is not present. WerFault's -p 592 identifies the crashed process as the "Demo" copy of the sample, not the original PID 1432.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 85c1bb3a9cd3b25e1be9a342051aad9f
  SHA1: 8c9bbbc59fa11c0f2ef8528784f53915ec92cb00
  SHA256: 4d727f7e09dbefffd13878588650b5363963ce4642fac802fb06914acaed8133
  SHA512: 7a60ab0947fcc1eb9201a15e06c86479c094cd67ac0bab794f4d9504f6e8e8821ee38b8a07a4ab9e36a4f71604845d152133e4c398f8c2bcc637a5df7421be1f
  (A Windows jump-list file under the user's Recent folder. The report lists it twice with identical hashes; the duplicate entry is dropped here.)
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These four values are the digests of zero-length input: the srvsvc named-pipe record carries no content.)
- memory/592-57: 0x0000000000000000 (mapping.dmp)
- memory/592-77: 0x00000000007F0000-0x00000000007F1000 (memory.dmp, 4KB)
- memory/988-79: 0x0000000000DE0000-0x0000000000DE1000 (memory.dmp, 4KB)
- memory/988-78: 0x0000000000000000 (mapping.dmp)
- memory/1432-56: 0x00000000768C1000-0x00000000768C3000 (memory.dmp, 8KB)
- memory/1432-54: 0x00000000008B0000-0x00000000008B1000 (memory.dmp, 4KB)
- memory/1820-64: 0x00000000025F1000-0x00000000025F2000 (memory.dmp, 4KB)
- memory/1820-63: 0x00000000025F0000-0x00000000025F1000 (memory.dmp, 4KB)
- memory/1820-65: 0x00000000025F2000-0x00000000025F4000 (memory.dmp, 8KB)
- memory/1820-61: 0x0000000000000000 (mapping.dmp)
- memory/1880-66: 0x0000000000000000 (mapping.dmp)
- memory/1880-73: 0x0000000001BB0000-0x0000000001BB1000 (memory.dmp, 4KB)
- memory/1880-75: 0x0000000001BB1000-0x0000000001BB2000 (memory.dmp, 4KB)
- memory/1880-76: 0x0000000001BB2000-0x0000000001BB4000 (memory.dmp, 8KB)
- memory/2008-70: 0x0000000000000000 (mapping.dmp)
- memory/2008-74: 0x0000000002400000-0x000000000304A000 (memory.dmp, 12.3MB)