Overview

overview

8

Static

static

BL-SHIPPIN...TS.exe

windows7-x64

8

BL-SHIPPIN...TS.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2023, 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BL-SHIPPING DOCUMENTS.exe

  • Size

    446KB

  • MD5

    16adc1ddc372a6cb7d64700d26edcb72

  • SHA1

    f6445a0a8f3b33f171d291cb5957fdd0201e4c9f

  • SHA256

    81c0682751e0e809dc448f1bf8607a36c95840041de00cccd00032e066c6425e

  • SHA512

    784ba69eaed316d0dda71594b8d7139763f7ec2307d9cd09fc1742fd9798bee285f906856603aa15ca035b34a6dca655cb28db31f85f909374d234bc7aba3036

  • SSDEEP

    6144:AYa6RBgLagUpQmFiK40z85vc/AYO7go7dvb9b5:AYx26QVK40zVsgC/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
      "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
        "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe" C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
          "C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:764

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\kidwodkojcm.l
      Filesize

      5KB

      MD5

      4fca42202835f229e69279d2ab55537a

      SHA1

      98ae9454f82ac44ed4a548315d1ec723975b8a45

      SHA256

      9c0e9ce4822439521dd3f99afc5076d8952352089c77a27de05c312bd6679ff4

      SHA512

      dd64adecc32e0beb0d82a3e4a004576a06f6bc6f92b2e051c23a2fc36e3fe0af86a36ceaf3f87381ec41e022f17824a4b1f2a272647108b81eeacbf1be70ee2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      Filesize

      84KB

      MD5

      cca3fc4b553eea5e2f0c2338271b7bab

      SHA1

      27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

      SHA256

      7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

      SHA512

      7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      Filesize

      84KB

      MD5

      cca3fc4b553eea5e2f0c2338271b7bab

      SHA1

      27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

      SHA256

      7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

      SHA512

      7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      Filesize

      84KB

      MD5

      cca3fc4b553eea5e2f0c2338271b7bab

      SHA1

      27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

      SHA256

      7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

      SHA512

      7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\yblbpl.nri
      Filesize

      205KB

      MD5

      620057224da635600e31348434120a63

      SHA1

      d15e12a6bc878e04fc09c67ec0e782f84383d1ad

      SHA256

      4745b03e3108b54d3d8421a163ca64344578f7707d4f7f9fc3a9184ebd55aa0e

      SHA512

      43e8a13ac4d2e7206ad713b745856587812848e9d4143677f4cc485eff9af5a6dbf9bce727872418dd5762646221bf7b3e969e34d81738e9c1fa8653216243f5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      831KB

      MD5

      f4d8be409d1bd016a7b3b2580a2b90fb

      SHA1

      a68e1f6a9b2234f2269d9cf1fbda94124c428dbe

      SHA256

      d70b27121bb33012560b14a7bd597666d76193d7dc5f89e2ac5e7507240bf708

      SHA512

      9892cd38d77898fe7916a8810c82a377bbcb4f0c3f75a8295943fa29a5cb4daec95a1600a74614f31ec723967fd95721174042f2e54b12e52fe85202cdf052df

      Download Submit

    • \Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      Filesize

      84KB

      MD5

      cca3fc4b553eea5e2f0c2338271b7bab

      SHA1

      27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

      SHA256

      7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

      SHA512

      7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      Filesize

      84KB

      MD5

      cca3fc4b553eea5e2f0c2338271b7bab

      SHA1

      27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

      SHA256

      7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

      SHA512

      7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\umqultcyhl.exe
      Filesize

      84KB

      MD5

      cca3fc4b553eea5e2f0c2338271b7bab

      SHA1

      27f2c2bd1ae7f5e0f0a6a4ab1755c402c966cfa9

      SHA256

      7113a26bab066eb9cbecb9313606c81d190ee07caf2e59b3f829b78fc8f8601b

      SHA512

      7ff8c84804ddaeda8ba0708e74a0ac72b3b693a61e14fa6e97e8ff42d972fc9b08ff7e988d86172702541dbd06b92d14c049eda3f2c29b8d698a5b8b585f9b8c

      Download Submit

    • memory/848-54-0x0000000075601000-0x0000000075603000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1064-74-0x0000000000B90000-0x0000000000E93000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1064-72-0x0000000000F20000-0x0000000000F3C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1064-77-0x0000000000080000-0x00000000000AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1064-75-0x0000000000940000-0x00000000009CF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1064-73-0x0000000000080000-0x00000000000AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1208-69-0x0000000004B20000-0x0000000004C13000-memory.dmp

      Filesize

      972KB

      Download

    • memory/1208-76-0x0000000004F90000-0x0000000005099000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1208-78-0x0000000004F90000-0x0000000005099000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1960-66-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1960-68-0x0000000000260000-0x0000000000270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1960-67-0x00000000008D0000-0x0000000000BD3000-memory.dmp

      Filesize

      3.0MB

      Download