Overview

overview

7

Static

static

1

Shipping Docs.exe

windows7-x64

3

Shipping Docs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2023, 14:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Docs.exe

  • Size

    37KB

  • MD5

    f314dc3a42f3125ef12c61b01134476e

  • SHA1

    c6adfedee311fb7abfebdfa53b19e73b9ef39cfb

  • SHA256

    6d9a57fb6ede0c2878d297c5a4c15c3c39269d6919f7feea70fa7700fb4b2d24

  • SHA512

    2ae641c1987357f53608a3d0b7b82b6a1e577d16e63854447ca69275bcf02d6e370cc90eb16897254eb40cba694c4bb44ba6ac3417a41d21c4db2455868cce9c

  • SSDEEP

    768:HevwNCHW1TxGm+N9erXsgJZnt+AcQqt5RYVMUr24v:/NC21T4m+N9qX/vt+WqtfY4

Score
7/10

Malware Config

Signatures

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Docs.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      2⤵
        PID:4224
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
        2⤵
          PID:2928
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
          2⤵
            PID:4280
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
            2⤵
              PID:1996
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
              2⤵
                PID:3880
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                2⤵
                  PID:4572
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
                  2⤵
                    PID:3460
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                    2⤵
                      PID:4044
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
                      2⤵
                        PID:3960
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
                        2⤵
                          PID:2192
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                          2⤵
                            PID:2284
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                            2⤵
                              PID:4668
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                              2⤵
                                PID:3916
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                                2⤵
                                  PID:4484
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                                  2⤵
                                    PID:4060
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
                                    2⤵
                                      PID:8
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                                      2⤵
                                        PID:3028
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
                                        2⤵
                                          PID:556
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                                          2⤵
                                            PID:1612
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
                                            2⤵
                                              PID:1580
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
                                              2⤵
                                                PID:2524
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                                                2⤵
                                                  PID:4384
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                    PID:5088
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
                                                    2⤵
                                                      PID:2368
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                                                      2⤵
                                                        PID:4832
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                                                        2⤵
                                                          PID:4816
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                          2⤵
                                                            PID:4812
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                                                            2⤵
                                                              PID:1052
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
                                                              2⤵
                                                                PID:2344
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                                                                2⤵
                                                                  PID:4780
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                                                                  2⤵
                                                                    PID:4772

                                                                Network

                                                                      MITRE ATT&CK Enterprise v6

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • memory/3920-132-0x00000253F34F0000-0x00000253F34FE000-memory.dmp

                                                                        Filesize

                                                                        56KB

                                                                        Download

                                                                      • memory/3920-133-0x00000253F3A80000-0x00000253F3A88000-memory.dmp

                                                                        Filesize

                                                                        32KB

                                                                        Download

                                                                      • memory/3920-134-0x00007FF8A1980000-0x00007FF8A2441000-memory.dmp

                                                                        Filesize

                                                                        10.8MB

                                                                        Download

                                                                      • memory/3920-135-0x00007FF8A1980000-0x00007FF8A2441000-memory.dmp

                                                                        Filesize

                                                                        10.8MB

                                                                        Download