4e8077f0dbb336a020e8491806b49acc65f8a3e2b0c2e0481a6de1a41d8fbeee

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBLHBL SHIPPING ADVICE.exe
Size

774KB
MD5

9dbcfb571d0de80c22db7eb590eb540b
SHA1

da26a3ec36ea3121082278260995b675fa5fb07e
SHA256

4e8077f0dbb336a020e8491806b49acc65f8a3e2b0c2e0481a6de1a41d8fbeee
SHA512

8b2413a809698fe1d4acbe3b7d2ec3447c73b7f2adb733fbe98d92f5444342f334da5753373b1f602e8c3de3128baccba4f7907b18b310351a488b326d9a6000
SSDEEP

24576:GjFoOBrBlmltzyJeecsYzyXSR/uEUwtI8Gg:Ge0BlMt0RFSR/uNKI8R

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
3052	powershell.exe
2628	powershell.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe
2076	MBLHBL SHIPPING ADVICE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	MBLHBL SHIPPING ADVICE.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2628	2076	MBLHBL SHIPPING ADVICE.exe	28
PID 2076 wrote to memory of 2628	2076	MBLHBL SHIPPING ADVICE.exe	28
PID 2076 wrote to memory of 2628	2076	MBLHBL SHIPPING ADVICE.exe	28
PID 2076 wrote to memory of 2628	2076	MBLHBL SHIPPING ADVICE.exe	28
PID 2076 wrote to memory of 3052	2076	MBLHBL SHIPPING ADVICE.exe	30
PID 2076 wrote to memory of 3052	2076	MBLHBL SHIPPING ADVICE.exe	30
PID 2076 wrote to memory of 3052	2076	MBLHBL SHIPPING ADVICE.exe	30
PID 2076 wrote to memory of 3052	2076	MBLHBL SHIPPING ADVICE.exe	30
PID 2076 wrote to memory of 2532	2076	MBLHBL SHIPPING ADVICE.exe	32
PID 2076 wrote to memory of 2532	2076	MBLHBL SHIPPING ADVICE.exe	32
PID 2076 wrote to memory of 2532	2076	MBLHBL SHIPPING ADVICE.exe	32
PID 2076 wrote to memory of 2532	2076	MBLHBL SHIPPING ADVICE.exe	32
PID 2076 wrote to memory of 2620	2076	MBLHBL SHIPPING ADVICE.exe	34
PID 2076 wrote to memory of 2620	2076	MBLHBL SHIPPING ADVICE.exe	34
PID 2076 wrote to memory of 2620	2076	MBLHBL SHIPPING ADVICE.exe	34
PID 2076 wrote to memory of 2620	2076	MBLHBL SHIPPING ADVICE.exe	34
PID 2076 wrote to memory of 2580	2076	MBLHBL SHIPPING ADVICE.exe	35
PID 2076 wrote to memory of 2580	2076	MBLHBL SHIPPING ADVICE.exe	35
PID 2076 wrote to memory of 2580	2076	MBLHBL SHIPPING ADVICE.exe	35
PID 2076 wrote to memory of 2580	2076	MBLHBL SHIPPING ADVICE.exe	35
PID 2076 wrote to memory of 2432	2076	MBLHBL SHIPPING ADVICE.exe	36
PID 2076 wrote to memory of 2432	2076	MBLHBL SHIPPING ADVICE.exe	36
PID 2076 wrote to memory of 2432	2076	MBLHBL SHIPPING ADVICE.exe	36
PID 2076 wrote to memory of 2432	2076	MBLHBL SHIPPING ADVICE.exe	36
PID 2076 wrote to memory of 2428	2076	MBLHBL SHIPPING ADVICE.exe	37
PID 2076 wrote to memory of 2428	2076	MBLHBL SHIPPING ADVICE.exe	37
PID 2076 wrote to memory of 2428	2076	MBLHBL SHIPPING ADVICE.exe	37
PID 2076 wrote to memory of 2428	2076	MBLHBL SHIPPING ADVICE.exe	37
PID 2076 wrote to memory of 2576	2076	MBLHBL SHIPPING ADVICE.exe	38
PID 2076 wrote to memory of 2576	2076	MBLHBL SHIPPING ADVICE.exe	38
PID 2076 wrote to memory of 2576	2076	MBLHBL SHIPPING ADVICE.exe	38
PID 2076 wrote to memory of 2576	2076	MBLHBL SHIPPING ADVICE.exe	38

C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe
"C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\drNPesqY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\drNPesqY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3ED4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
  2⤵
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\MBLHBL SHIPPING ADVICE.exe"
  2⤵
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3ED4.tmp

Filesize
1KB

MD5
f8c63c1686df0a84fef97f236f164924

SHA1
09f64d58baa24db1005f3ce7071a36aff952384d

SHA256
65f118138a9a4adb2b2806decbc5c189979d81624bdbd662211e0c412ca76cba

SHA512
33b68b734e946f169b91aa8ab058004eb0122a1da661e96c9ef5253430dcfb5c7fe53a6bd5eee5a1f060562fdbdd57cd83cf995688210195cdccad393a84d5ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DUJBYQ1UR40CJ0LB57SX.temp

Filesize
7KB

MD5
3dd45d80a14f2875e038c0954da17b77

SHA1
363c18c0c6e05c31395edff6ff108eac226f0f9f

SHA256
d54d7306fd374368fd3376e57c2f7b433983ff981ba6017bcce3925b46a21756

SHA512
ccd6058d99758e69e3b3ea2641637e137ebbf3b4f0c4bc0652115e9bcb58c5b5262978d16c5b995fcf938901b98ba40f857c5f27ca81e79bed4f574c16362260

Download Submit
memory/2076-1-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-0-0x00000000003A0000-0x0000000000468000-memory.dmp

Filesize
800KB

Download
memory/2076-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2076-3-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2076-4-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2076-5-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2076-6-0x0000000004DE0000-0x0000000004E62000-memory.dmp

Filesize
520KB

Download
memory/2076-20-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-21-0x000000006DFC0000-0x000000006E56B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-23-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2628-26-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2628-27-0x000000006DFC0000-0x000000006E56B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-29-0x000000006DFC0000-0x000000006E56B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-22-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/3052-19-0x000000006DFC0000-0x000000006E56B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-24-0x000000006DFC0000-0x000000006E56B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-25-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/3052-28-0x000000006DFC0000-0x000000006E56B000-memory.dmp

Filesize
5.7MB

Download