a89cf5f25c8c7b346abd782db98b6ab1764c11514ae90e9978aff0b17e00e2e5

Resubmissions

04-07-2022 12:29

220704-ppc22sbcc3 10

04-07-2022 08:28

220704-kc3dysfffl 10

Analysis

max time kernel
255s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-07-2022 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maerskline Shipping Documents.exe
Size

465KB
MD5

773db3dd9028413802e995fddf202f5b
SHA1

d1143329ab61dfac8b2e2e3f234b4416178ad2f0
SHA256

a4bb6e9c41c7d7f5b782355f7fb056f44fe66ad6ebd0d589b7941b8905e219d8
SHA512

abb0b3fac2e2681155e6b08da3dff405793e3294147cb140b8ad7334b921ce482767384cd0eb6a2ddddc7f0042f2413ce46b76a3c634d9b00c7be7946c84f36c

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Maerskline Shipping Documents.exe

pid	process
1948	Maerskline Shipping Documents.exe
1948	Maerskline Shipping Documents.exe
1948	Maerskline Shipping Documents.exe
1948	Maerskline Shipping Documents.exe
1948	Maerskline Shipping Documents.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Maerskline Shipping Documents.exe

description pid process

Token: SeDebugPrivilege 1948 Maerskline Shipping Documents.exe

description	pid	process
Token: SeDebugPrivilege	1948	Maerskline Shipping Documents.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Maerskline Shipping Documents.exe

C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe"
2⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe"
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe"
2⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe"
2⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Maerskline Shipping Documents.exe"
2⤵
PID:1692

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1540

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-60-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/1948-54-0x00000000003B0000-0x000000000042A000-memory.dmp

Filesize
488KB

Download
memory/1948-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1948-57-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1948-58-0x0000000004350000-0x00000000043B8000-memory.dmp

Filesize
416KB

Download
memory/1948-59-0x00000000006B0000-0x00000000006D0000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 1948 wrote to memory of 888	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 888	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 888	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 888	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1688	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1688	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1688	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1688	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1628	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1628	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1628	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1628	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1136	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1136	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1136	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1136	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1692	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1692	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1692	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe
PID 1948 wrote to memory of 1692	1948	Maerskline Shipping Documents.exe	Maerskline Shipping Documents.exe