Analysis
max time kernel: 142s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 12:33
Static task: static1
Behavioral task: behavioral1 (sample: Shipment Receipt.exe; resource: win7-20240221-en)
Behavioral task: behavioral2 (sample: Shipment Receipt.exe; resource: win10v2004-20240226-en)
Behavioral task: behavioral3 (sample: Regretable/Prferencetolden/Alluder152/Brinie29.ps1; resource: win7-20240221-en)
Behavioral task: behavioral4 (sample: Regretable/Prferencetolden/Alluder152/Brinie29.ps1; resource: win10v2004-20240226-en)
General
Target: Shipment Receipt.exe
Size: 526KB
MD5: 63431a90363414f88d575f70f27762ce
SHA1: fd0268e6b54a60f2c04a577b1f0001a4176138c8
SHA256: 865306d0b13516f7f33fbd707d0d92c8706e4bfb1a99153c1361559f710bd45e
SHA512: b51c3f6041c40a3a662d98cc2dc925629a86f927d08a71e76309c10694d45cec0ba498f4bb34fb6f48759618ec6edd9c365dcc2b091e15729d75f5b051667901
SSDEEP: 12288:oS2dnErpbwb05qldvfvcf7Ac4kj3WdmrJheUuuUjvQ9B:L2dE1b405qldncMc4kjWSJUuUjvy
Malware Config
Signatures

Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\chaptaliseringer\habsburgernes.rei | Shipment Receipt.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4948 | 2556 | WerFault.exe | 92

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  2556 | powershell.exe (9 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2556 | powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4440 wrote to memory of 2556 | 4440 | Shipment Receipt.exe | 92 (3 identical entries)
  PID 2556 wrote to memory of 5056 | 2556 | powershell.exe | 96 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
  PID: 4440
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -windowstyle hidden "$Amningsmrkerne=Get-Content 'C:\Users\Admin\AppData\Local\mafficks\Regretable\Prferencetolden\Alluder152\Brinie29.Ban';$Hieromachy=$Amningsmrkerne.SubString(58610,3);.$Hieromachy($Amningsmrkerne)"
    PID: 2556
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 5056

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2908
      PID: 4948
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2556 -ip 2556
  PID: 3548
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 57KB
MD5: 606f3c0d77738574d051cf2f7140aafd
SHA1: becf7fe1fe0af569c52c94abadc970cca66ec0a6
SHA256: 5bb0a1909d79ecf1060382416cd6df278b2be9af709e3b072ca983d62f9b4861
SHA512: 8bcd585c03b3e8a145a17da6c00e3423d6f0e00f8ca3c34959c49867f651371dd993478ef81e098a1cd8c8d9890c7d1c62ae0488f095b39d4f96278664b340e8