9d7147927eccfce82290fe3c178b3de0b516182b0ac1a6670e00e95b8a7f6055

Resubmissions

11/01/2023, 22:20

230111-19j7msee78 10

11/01/2023, 22:15

230111-16ccmaad7z 8

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BL-SHIPPING DOCUMENTS.exe
Size

446KB
MD5

16adc1ddc372a6cb7d64700d26edcb72
SHA1

f6445a0a8f3b33f171d291cb5957fdd0201e4c9f
SHA256

81c0682751e0e809dc448f1bf8607a36c95840041de00cccd00032e066c6425e
SHA512

784ba69eaed316d0dda71594b8d7139763f7ec2307d9cd09fc1742fd9798bee285f906856603aa15ca035b34a6dca655cb28db31f85f909374d234bc7aba3036
SSDEEP

6144:AYa6RBgLagUpQmFiK40z85vc/AYO7go7dvb9b5:AYx26QVK40zVsgC/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5060	umqultcyhl.exe
4996	umqultcyhl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	umqultcyhl.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 4996	5060	umqultcyhl.exe	79
PID 4996 set thread context of 1996	4996	umqultcyhl.exe	26
PID 1544 set thread context of 1996	1544	WWAHost.exe	26

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	WWAHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
5060	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
4996	umqultcyhl.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe
1544	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	umqultcyhl.exe
Token: SeDebugPrivilege	1544	WWAHost.exe
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE
Token: SeShutdownPrivilege	1996	Explorer.EXE
Token: SeCreatePagefilePrivilege	1996	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 5060	488	BL-SHIPPING DOCUMENTS.exe	78
PID 488 wrote to memory of 5060	488	BL-SHIPPING DOCUMENTS.exe	78
PID 488 wrote to memory of 5060	488	BL-SHIPPING DOCUMENTS.exe	78
PID 5060 wrote to memory of 4996	5060	umqultcyhl.exe	79
PID 5060 wrote to memory of 4996	5060	umqultcyhl.exe	79
PID 5060 wrote to memory of 4996	5060	umqultcyhl.exe	79
PID 5060 wrote to memory of 4996	5060	umqultcyhl.exe	79
PID 1996 wrote to memory of 1544	1996	Explorer.EXE	80
PID 1996 wrote to memory of 1544	1996	Explorer.EXE	80
PID 1996 wrote to memory of 1544	1996	Explorer.EXE	80
PID 1544 wrote to memory of 1484	1544	WWAHost.exe	88
PID 1544 wrote to memory of 1484	1544	WWAHost.exe	88
PID 1544 wrote to memory of 1484	1544	WWAHost.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
  "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
    "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe" C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l

Filesize
5KB

MD5
4fca42202835f229e69279d2ab55537a

SHA1
98ae9454f82ac44ed4a548315d1ec723975b8a45

SHA256
9c0e9ce4822439521dd3f99afc5076d8952352089c77a27de05c312bd6679ff4

SHA512
dd64adecc32e0beb0d82a3e4a004576a06f6bc6f92b2e051c23a2fc36e3fe0af86a36ceaf3f87381ec41e022f17824a4b1f2a272647108b81eeacbf1be70ee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yblbpl.nri

Filesize
205KB

MD5
620057224da635600e31348434120a63

SHA1
d15e12a6bc878e04fc09c67ec0e782f84383d1ad

SHA256
4745b03e3108b54d3d8421a163ca64344578f7707d4f7f9fc3a9184ebd55aa0e

SHA512
43e8a13ac4d2e7206ad713b745856587812848e9d4143677f4cc485eff9af5a6dbf9bce727872418dd5762646221bf7b3e969e34d81738e9c1fa8653216243f5

Download Submit
memory/1544-144-0x00000000000D0000-0x00000000001AC000-memory.dmp

Filesize
880KB

Download
memory/1544-145-0x0000000000FB0000-0x0000000000FDD000-memory.dmp

Filesize
180KB

Download
memory/1544-146-0x0000000001FC0000-0x000000000230A000-memory.dmp

Filesize
3.3MB

Download
memory/1544-147-0x0000000001CE0000-0x0000000001D6F000-memory.dmp

Filesize
572KB

Download
memory/1996-142-0x0000000007FA0000-0x00000000080A1000-memory.dmp

Filesize
1.0MB

Download
memory/1996-148-0x00000000087E0000-0x00000000088AA000-memory.dmp

Filesize
808KB

Download
memory/1996-149-0x00000000087E0000-0x00000000088AA000-memory.dmp

Filesize
808KB

Download
memory/4996-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-140-0x0000000000A80000-0x0000000000DCA000-memory.dmp

Filesize
3.3MB

Download
memory/4996-141-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download