Overview

overview

10

Static

static

BL-SHIPPIN...TS.exe

windows7-x64

8

BL-SHIPPIN...TS.exe

windows10-2004-x64

10

Resubmissions

11-01-2023 22:20

230111-19j7msee78 10

11-01-2023 22:15

230111-16ccmaad7z 8

Analysis

  • max time kernel
    1797s
  • max time network
    1798s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2023 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BL-SHIPPING DOCUMENTS.exe

  • Size

    446KB

  • MD5

    16adc1ddc372a6cb7d64700d26edcb72

  • SHA1

    f6445a0a8f3b33f171d291cb5957fdd0201e4c9f

  • SHA256

    81c0682751e0e809dc448f1bf8607a36c95840041de00cccd00032e066c6425e

  • SHA512

    784ba69eaed316d0dda71594b8d7139763f7ec2307d9cd09fc1742fd9798bee285f906856603aa15ca035b34a6dca655cb28db31f85f909374d234bc7aba3036

  • SSDEEP

    6144:AYa6RBgLagUpQmFiK40z85vc/AYO7go7dvb9b5:AYx26QVK40zVsgC/

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
      "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
        "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe" C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
          "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4652
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4504
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 4504 -s 128
            4⤵
            • Program crash
            PID:1044
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS\" -spe -an -ai#7zMap31094:122:7zEvent32337
        2⤵
        • Suspicious use of FindShellTrayWindow
        PID:3416
      • C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS\umqultcyhl.exe
        "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS\umqultcyhl.exe"
        2⤵
        • Executes dropped EXE
        PID:3392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 516
          3⤵
          • Program crash
          PID:5000
      • C:\Program Files (x86)\Gevnl-xlp\lxy43pnrt.exe
        "C:\Program Files (x86)\Gevnl-xlp\lxy43pnrt.exe"
        2⤵
        • Executes dropped EXE
        PID:664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 516
          3⤵
          • Program crash
          PID:1456
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 460 -p 4504 -ip 4504
      1⤵
        PID:1152
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3392 -ip 3392
          1⤵
            PID:5108
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 664 -ip 664
            1⤵
              PID:1252

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Gevnl-xlp\lxy43pnrt.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Program Files (x86)\Gevnl-xlp\lxy43pnrt.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS\umqultcyhl.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS\umqultcyhl.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l
              Filesize

              5KB

              MD5

              4fca42202835f229e69279d2ab55537a

              SHA1

              98ae9454f82ac44ed4a548315d1ec723975b8a45

              SHA256

              9c0e9ce4822439521dd3f99afc5076d8952352089c77a27de05c312bd6679ff4

              SHA512

              dd64adecc32e0beb0d82a3e4a004576a06f6bc6f92b2e051c23a2fc36e3fe0af86a36ceaf3f87381ec41e022f17824a4b1f2a272647108b81eeacbf1be70ee2c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
              Filesize

              84KB

              MD5

              cca3fc4b553eea5e2f0c2338271b7bab

              SHA1

              27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

              SHA256

              7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

              SHA512

              7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\yblbpl.nri
              Filesize

              205KB

              MD5

              620057224da635600e31348434120a63

              SHA1

              d15e12a6bc878e04fc09c67ec0e782f84383d1ad

              SHA256

              4745b03e3108b54d3d8421a163ca64344578f7707d4f7f9fc3a9184ebd55aa0e

              SHA512

              43e8a13ac4d2e7206ad713b745856587812848e9d4143677f4cc485eff9af5a6dbf9bce727872418dd5762646221bf7b3e969e34d81738e9c1fa8653216243f5

              Download Submit

            • memory/1756-147-0x00000000028C0000-0x0000000002C0A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1756-148-0x00000000024A0000-0x000000000252F000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1756-145-0x0000000000220000-0x0000000000277000-memory.dmp

              Filesize

              348KB

              Download

            • memory/1756-146-0x0000000000800000-0x000000000082D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/2376-150-0x0000000007940000-0x0000000007A42000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/2376-149-0x0000000007940000-0x0000000007A42000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/2376-142-0x0000000007860000-0x0000000007939000-memory.dmp

              Filesize

              868KB

              Download

            • memory/4652-144-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/4652-141-0x00000000009B0000-0x00000000009C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4652-140-0x00000000009D0000-0x0000000000D1A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4652-139-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download