Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
submitted: 18-07-2022 18:06
Static task: static1
Behavioral task: behavioral1
Sample: shipping documents.exe
Resource: win7-20220715-en
General
Target: shipping documents.exe
Size: 1.1MB
MD5: 38f1024d533a747d3ada057be9175db1
SHA1: 9ab84365d2ab9ef77bda9b75764e1e1780bdae8c
SHA256: 0c5f0ad9fb94fbfc2dde1c830cdcdb2c96f27530d500734d0478fd9bc068a8bb
SHA512: d19cb83af73434fedb0efa1585a3a5bc33c478ad3986f15fcbb82c8b2ea4882d8f135f703374b57b2ac5a78fb3e9d1ebf9be2ae26aea09ea551c7d5cb19a3c6d
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: pdrq
C2 list:
welchsunstar.com
mppservicesllc.com
wiresofteflon.com
brabov.xyz
compnonoch.site
yourbuilderworks.com
iamsamirahman.com
eriqoes.com
eastudio.design
skyearth-est.com
teethfitness.com
razaancreates.com
shfbfs.com
joyfulbrokekids.com
kjbolden.com
howirep.com
deedeesmainecoons.website
e-powair.com
aheatea.com
shalfey0009.xyz
designcolor.style
netflixpaymentpending.ca
bothoitrang3.site
motondiarts.com
staynmocean.com
miamivideoshows.com
berendsit.com
yndzjs.com
yiwenhome.xyz
royaldeals.net
clearvison-ts.com
peluqueriasusanagalan.com
thelittlewellnessstudio.com
gurulotaska.com
smgsj.com
followpanelbd.com
prinirwedding.com
3559.fyi
amcvips.com
bigroof.top
chipbio-zt.com
candelasluxuryretreat.com
jboycephotography.com
affiliateindex.xyz
grannysseasonings.com
lcl-inc-test.com
beadallcreations.jewelry
yzzhome.top
tobe-science.com
cincinnaticustomrenovation.com
survaicommercial.xyz
businessdirectorymania.com
phqworld.com
miamigocars.com
labfour.systems
gregoryzeitler.com
dj-mary.com
one1-day.com
vegfiber.com
sfbayraw.net
xn--bndarsloto-s4a.com
felipesb.com
108580.com
1swj06mjrowgi.xyz
koalaglen.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: shipping documents.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | shipping documents.exe
-
Xloader payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/840-73-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
  behavioral1/memory/840-74-0x000000000041F270-mapping.dmp | xloader
  behavioral1/memory/840-82-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
  behavioral1/memory/1004-86-0x00000000000C0000-0x00000000000EB000-memory.dmp | xloader
  behavioral1/memory/1004-89-0x00000000000C0000-0x00000000000EB000-memory.dmp | xloader
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: shipping documents.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | shipping documents.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: shipping documents.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | shipping documents.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | shipping documents.exe
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: shipping documents.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | shipping documents.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | shipping documents.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: shipping documents.exe, RegSvcs.exe, systray.exe
  description | pid | process | target process
  PID 1824 set thread context of 840 | 1824 | shipping documents.exe | RegSvcs.exe
  PID 840 set thread context of 1396 | 840 | RegSvcs.exe | Explorer.EXE
  PID 1004 set thread context of 1396 | 1004 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory (1 IoC)
Processes: systray.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Gmfvpl4rx\ThumbCache2d5.exe | systray.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: shipping documents.exe, RegSvcs.exe, powershell.exe, systray.exe
  pid | process | occurrences
  1824 | shipping documents.exe | 2
  840 | RegSvcs.exe | 2
  1668 | powershell.exe | 1
  1004 | systray.exe | 15
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: RegSvcs.exe, systray.exe
  pid | process | occurrences
  840 | RegSvcs.exe | 3
  1004 | systray.exe | 2
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: shipping documents.exe, RegSvcs.exe, powershell.exe, systray.exe
  description | pid | process
  Token: SeDebugPrivilege | 1824 | shipping documents.exe
  Token: SeDebugPrivilege | 840 | RegSvcs.exe
  Token: SeDebugPrivilege | 1668 | powershell.exe
  Token: SeDebugPrivilege | 1004 | systray.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
  pid | process | occurrences
  1396 | Explorer.EXE | 2
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
  pid | process | occurrences
  1396 | Explorer.EXE | 2
-
Suspicious use of WriteProcessMemory (26 IoCs)
Processes: shipping documents.exe, Explorer.EXE, systray.exe
  description | pid | process | target process | occurrences
  PID 1824 wrote to memory of 1668 | 1824 | shipping documents.exe | powershell.exe | 4
  PID 1824 wrote to memory of 580 | 1824 | shipping documents.exe | schtasks.exe | 4
  PID 1824 wrote to memory of 840 | 1824 | shipping documents.exe | RegSvcs.exe | 10
  PID 1396 wrote to memory of 1004 | 1396 | Explorer.EXE | systray.exe | 4
  PID 1004 wrote to memory of 2004 | 1004 | systray.exe | cmd.exe | 4
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hpmoZai.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hpmoZai" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7E0.tmp"
    - Creates scheduled task(s)
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    -
  C:\Windows\SysWOW64\systray.exe
  Command line: "C:\Windows\SysWOW64\systray.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE7E0.tmp
Filesize: 1KB
MD5: 79aebe118957dba349fac83795be0298
SHA1: 87dd2501f8f773b06b4cce5f9405d23e2e962839
SHA256: ce2832e58e0e172f038bd84666ca23ee665242ed1d2fd3e69e9147197d1ce49a
SHA512: 6d4c7975829e79209f4e055948d0821d48e49139218345eea4d764770d8f81253eee8d9851c0eff1b94f759720372f0508ec84f8d9d7905df2943c5e5655f1b2
-
memory/580-66-0x0000000000000000-mapping.dmp
-
memory/840-82-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
-
memory/840-78-0x0000000000290000-0x00000000002A1000-memory.dmp (Filesize: 68KB)
-
memory/840-77-0x0000000000870000-0x0000000000B73000-memory.dmp (Filesize: 3.0MB)
-
memory/840-74-0x000000000041F270-mapping.dmp
-
memory/840-73-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
-
memory/840-71-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
-
memory/840-70-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
-
memory/1004-81-0x0000000000000000-mapping.dmp
-
memory/1004-84-0x0000000000AE0000-0x0000000000AE5000-memory.dmp (Filesize: 20KB)
-
memory/1004-89-0x00000000000C0000-0x00000000000EB000-memory.dmp (Filesize: 172KB)
-
memory/1004-87-0x0000000000980000-0x0000000000A10000-memory.dmp (Filesize: 576KB)
-
memory/1004-86-0x00000000000C0000-0x00000000000EB000-memory.dmp (Filesize: 172KB)
-
memory/1004-85-0x0000000002080000-0x0000000002383000-memory.dmp (Filesize: 3.0MB)
-
memory/1396-79-0x0000000003DD0000-0x0000000003E99000-memory.dmp (Filesize: 804KB)
-
memory/1396-90-0x0000000006920000-0x0000000006A80000-memory.dmp (Filesize: 1.4MB)
-
memory/1396-88-0x0000000006920000-0x0000000006A80000-memory.dmp (Filesize: 1.4MB)
-
memory/1668-80-0x000000006DD50000-0x000000006E2FB000-memory.dmp (Filesize: 5.7MB)
-
memory/1668-65-0x0000000000000000-mapping.dmp
-
memory/1668-75-0x000000006DD50000-0x000000006E2FB000-memory.dmp (Filesize: 5.7MB)
-
memory/1824-54-0x0000000000060000-0x0000000000172000-memory.dmp (Filesize: 1.1MB)
-
memory/1824-64-0x0000000004B30000-0x0000000004BAA000-memory.dmp (Filesize: 488KB)
-
memory/1824-56-0x0000000000AF0000-0x0000000000B04000-memory.dmp (Filesize: 80KB)
-
memory/1824-60-0x0000000006FD0000-0x0000000006FE4000-memory.dmp (Filesize: 80KB)
-
memory/1824-55-0x0000000075741000-0x0000000075743000-memory.dmp (Filesize: 8KB)
-
memory/1824-61-0x0000000007090000-0x00000000070A4000-memory.dmp (Filesize: 80KB)
-
memory/1824-69-0x0000000004EF0000-0x0000000004F22000-memory.dmp (Filesize: 200KB)
-
memory/1824-62-0x0000000007970000-0x0000000007984000-memory.dmp (Filesize: 80KB)
-
memory/1824-63-0x00000000042C0000-0x00000000042CE000-memory.dmp (Filesize: 56KB)
-
memory/1824-57-0x0000000001F80000-0x0000000001F94000-memory.dmp (Filesize: 80KB)
-
memory/1824-58-0x0000000002020000-0x0000000002034000-memory.dmp (Filesize: 80KB)
-
memory/1824-59-0x0000000006ED0000-0x0000000006EE4000-memory.dmp (Filesize: 80KB)
-
memory/2004-83-0x0000000000000000-mapping.dmp