9d7147927eccfce82290fe3c178b3de0b516182b0ac1a6670e00e95b8a7f6055

Resubmissions

11-01-2023 22:20

230111-19j7msee78 10

11-01-2023 22:15

230111-16ccmaad7z 8

Analysis

max time kernel
1799s
max time network
1802s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BL-SHIPPING DOCUMENTS.exe
Size

446KB
MD5

16adc1ddc372a6cb7d64700d26edcb72
SHA1

f6445a0a8f3b33f171d291cb5957fdd0201e4c9f
SHA256

81c0682751e0e809dc448f1bf8607a36c95840041de00cccd00032e066c6425e
SHA512

784ba69eaed316d0dda71594b8d7139763f7ec2307d9cd09fc1742fd9798bee285f906856603aa15ca035b34a6dca655cb28db31f85f909374d234bc7aba3036
SSDEEP

6144:AYa6RBgLagUpQmFiK40z85vc/AYO7go7dvb9b5:AYx26QVK40zVsgC/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1888	umqultcyhl.exe
1504	umqultcyhl.exe
580	winh8rpxh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	umqultcyhl.exe

Loads dropped DLL 8 IoCs

pid	Process
976	BL-SHIPPING DOCUMENTS.exe
976	BL-SHIPPING DOCUMENTS.exe
1888	umqultcyhl.exe
576	NAPSTAT.EXE
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NAPSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JNKD8ROPN = "C:\\Program Files (x86)\\Fzjkpnnd\\winh8rpxh.exe"	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 1504	1888	umqultcyhl.exe	29
PID 1504 set thread context of 1280	1504	umqultcyhl.exe	8
PID 576 set thread context of 1280	576	NAPSTAT.EXE	8

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe	NAPSTAT.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
936	580	WerFault.exe	35

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	umqultcyhl.exe
1504	umqultcyhl.exe
1504	umqultcyhl.exe
1504	umqultcyhl.exe
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1888	umqultcyhl.exe
1504	umqultcyhl.exe
1504	umqultcyhl.exe
1504	umqultcyhl.exe
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE
576	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	umqultcyhl.exe
Token: SeDebugPrivilege	576	NAPSTAT.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1888	976	BL-SHIPPING DOCUMENTS.exe	28
PID 976 wrote to memory of 1888	976	BL-SHIPPING DOCUMENTS.exe	28
PID 976 wrote to memory of 1888	976	BL-SHIPPING DOCUMENTS.exe	28
PID 976 wrote to memory of 1888	976	BL-SHIPPING DOCUMENTS.exe	28
PID 1888 wrote to memory of 1504	1888	umqultcyhl.exe	29
PID 1888 wrote to memory of 1504	1888	umqultcyhl.exe	29
PID 1888 wrote to memory of 1504	1888	umqultcyhl.exe	29
PID 1888 wrote to memory of 1504	1888	umqultcyhl.exe	29
PID 1888 wrote to memory of 1504	1888	umqultcyhl.exe	29
PID 1280 wrote to memory of 576	1280	Explorer.EXE	30
PID 1280 wrote to memory of 576	1280	Explorer.EXE	30
PID 1280 wrote to memory of 576	1280	Explorer.EXE	30
PID 1280 wrote to memory of 576	1280	Explorer.EXE	30
PID 576 wrote to memory of 2008	576	NAPSTAT.EXE	33
PID 576 wrote to memory of 2008	576	NAPSTAT.EXE	33
PID 576 wrote to memory of 2008	576	NAPSTAT.EXE	33
PID 576 wrote to memory of 2008	576	NAPSTAT.EXE	33
PID 576 wrote to memory of 2008	576	NAPSTAT.EXE	33
PID 1280 wrote to memory of 580	1280	Explorer.EXE	35
PID 1280 wrote to memory of 580	1280	Explorer.EXE	35
PID 1280 wrote to memory of 580	1280	Explorer.EXE	35
PID 1280 wrote to memory of 580	1280	Explorer.EXE	35
PID 580 wrote to memory of 936	580	winh8rpxh.exe	36
PID 580 wrote to memory of 936	580	winh8rpxh.exe	36
PID 580 wrote to memory of 936	580	winh8rpxh.exe	36
PID 580 wrote to memory of 936	580	winh8rpxh.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
  "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
    "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe" C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1504
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2008
- C:\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe
  "C:\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 188
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l

Filesize
5KB

MD5
4fca42202835f229e69279d2ab55537a

SHA1
98ae9454f82ac44ed4a548315d1ec723975b8a45

SHA256
9c0e9ce4822439521dd3f99afc5076d8952352089c77a27de05c312bd6679ff4

SHA512
dd64adecc32e0beb0d82a3e4a004576a06f6bc6f92b2e051c23a2fc36e3fe0af86a36ceaf3f87381ec41e022f17824a4b1f2a272647108b81eeacbf1be70ee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yblbpl.nri

Filesize
205KB

MD5
620057224da635600e31348434120a63

SHA1
d15e12a6bc878e04fc09c67ec0e782f84383d1ad

SHA256
4745b03e3108b54d3d8421a163ca64344578f7707d4f7f9fc3a9184ebd55aa0e

SHA512
43e8a13ac4d2e7206ad713b745856587812848e9d4143677f4cc485eff9af5a6dbf9bce727872418dd5762646221bf7b3e969e34d81738e9c1fa8653216243f5

Download Submit
\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
\Program Files (x86)\Fzjkpnnd\winh8rpxh.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
819KB

MD5
eda40ea55ff2eb2a2e5aca836bb1cc26

SHA1
6de11b4b121bc8b9b87b05ddbdd6eda4e9442c37

SHA256
330b88eacb778b86dff1a90189121e8b3280723be9fbf4e55174ede2bbf74af0

SHA512
caf63f50931f76ec919528dedfb8b6ee14590f5aa33f91a6b9c24f63c0f3851cffdc16eab976ee7d6140f383050050d26f3547743b5ae772001b8f6199f0a4fc

Download Submit
\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
\Users\Admin\AppData\Local\Temp\umqultcyhl.exe

Filesize
84KB

MD5
cca3fc4b553eea5e2f0c2338271b7bab

SHA1
27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

SHA256
7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

SHA512
7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

Download Submit
memory/576-71-0x00000000006D0000-0x0000000000716000-memory.dmp

Filesize
280KB

Download
memory/576-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/576-73-0x0000000001DF0000-0x00000000020F3000-memory.dmp

Filesize
3.0MB

Download
memory/576-74-0x0000000001CD0000-0x0000000001D5F000-memory.dmp

Filesize
572KB

Download
memory/576-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/576-70-0x0000000000000000-mapping.dmp

Download
memory/580-80-0x0000000000000000-mapping.dmp

Download
memory/936-83-0x0000000000000000-mapping.dmp

Download
memory/976-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1280-75-0x0000000004D80000-0x0000000004E84000-memory.dmp

Filesize
1.0MB

Download
memory/1280-69-0x0000000004850000-0x0000000004914000-memory.dmp

Filesize
784KB

Download
memory/1280-78-0x0000000004D80000-0x0000000004E84000-memory.dmp

Filesize
1.0MB

Download
memory/1504-68-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1504-67-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1504-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-64-0x00000000004012E0-mapping.dmp

Download
memory/1888-57-0x0000000000000000-mapping.dmp

Download