df4eed6b429eba0c7fe96cce25b317efe39b46a443574f1d0aa9445da22f0ac2

General

Target

shipping docs.exe
Size

1.1MB
MD5

ea957fec2bfc2448b11f998cbb72beec
SHA1

16b48d262908d6493348c716664c7ed3d2e6579f
SHA256

df4eed6b429eba0c7fe96cce25b317efe39b46a443574f1d0aa9445da22f0ac2
SHA512

785c87a0a94d991e504357092f5433512b3aeb2f4faf68950c02b0d8e5328ea747b66b0976c2b78f9ea214691f91e7ac7da33460a7274c82a2c73cdac452f33d
SSDEEP

24576:1ziwgh/awZ2DzNZHOM35/A5h95pRcH++:1ziTh/d4f35/A/dE

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1788 schtasks.exe

pid	process
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

shipping docs.exepowershell.exepowershell.exe

pid	process
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
560	shipping docs.exe
1632	powershell.exe
1280	powershell.exe
560	shipping docs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shipping docs.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 560 shipping docs.exe
Token: SeDebugPrivilege 1280 powershell.exe
Token: SeDebugPrivilege 1632 powershell.exe

description	pid	process
Token: SeDebugPrivilege	560	shipping docs.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

shipping docs.exe

description	pid	process	target process
PID 560 wrote to memory of 1280	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1280	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1280	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1280	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1632	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1632	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1632	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1632	560	shipping docs.exe	powershell.exe
PID 560 wrote to memory of 1788	560	shipping docs.exe	schtasks.exe
PID 560 wrote to memory of 1788	560	shipping docs.exe	schtasks.exe
PID 560 wrote to memory of 1788	560	shipping docs.exe	schtasks.exe
PID 560 wrote to memory of 1788	560	shipping docs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\shipping docs.exe
"C:\Users\Admin\AppData\Local\Temp\shipping docs.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping docs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NbJyVSEVODXHn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJyVSEVODXHn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27CD.tmp"
2⤵
- Creates scheduled task(s)
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp27CD.tmp

Filesize
1KB

MD5
ce6d3ba651950441a24f3c389e9bf741

SHA1
8743bd51a9d678ec17bb0334898e8b5645c5d6af

SHA256
fc1c74f2cc91002a5c2435599bdcfde085c97905523c0b09a7341ab0bda41356

SHA512
f0ae42d462d82b405f3b29aac9b75fcd97af5c474377e80d49f5ff86b55c5282fa2ec1d148065fc67e25bcfe0fcda748ac053a9c6229bd107ed611cce9589dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9b421767c40364c66d3ebc8647a411bf

SHA1
eff385387596f08f1d7aec2a2bb6fd5284668c08

SHA256
87de56eca0943e3babfed005583f96c23c7f26b1281de759174938656485f699

SHA512
32427a6ce7a7f8689cecafb4f6a7d216dd6a050bfa2ede1625419ba7bc9e792b29354f0c5672b0858a0c00fd557f745f9b4737cbb9fa314e5e14a9dc3e2c8efd

Download Submit
memory/560-57-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/560-54-0x00000000010E0000-0x00000000011FE000-memory.dmp

Filesize
1.1MB

Download
memory/560-58-0x0000000007FA0000-0x000000000804E000-memory.dmp

Filesize
696KB

Download
memory/560-56-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/560-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1280-59-0x0000000000000000-mapping.dmp

Download
memory/1280-67-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1280-69-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-61-0x0000000000000000-mapping.dmp

Download
memory/1632-66-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-68-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads