Overview

overview

8

Static

static

1

Shipment A...72.exe

windows7-x64

8

Shipment A...72.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Arrival Notification of 772165397672.exe

  • Size

    705KB

  • MD5

    72db5e724a635395cdacbf78fac0475c

  • SHA1

    edcb1c8960accc40d5becce4a74b1cc2d344007a

  • SHA256

    4d6f088f7ff7e10f5b6df7628f7641b15a90298f7dedc7b46291255c1aa89c23

  • SHA512

    d773c162058833d999ac889ecd4bb6c56552687d7e1d58ba81a4eecbd4936419494e636e8095fac5bdbfc284392fccec792092886b63afa9a96d066544f564a6

  • SSDEEP

    12288:s1i8LkpEaPWJUl37gHxROu1uXT9CqAITASl99j6msd2UtHf+SpThKFc45/+qkR:TjE4I3HD1uXT9pAolP1sd/x+SpTUh/+p

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Users\Admin\AppData\Local\Temp\Shipment Arrival Notification of 772165397672.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Arrival Notification of 772165397672.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipment Arrival Notification of 772165397672.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOcOzNsCFdZg.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOcOzNsCFdZg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C6A.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1404
    • C:\Windows\SysWOW64\iexpress.exe
      "C:\Windows\SysWOW64\iexpress.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      919f3cc0c66bdd81f4ab11e2423bc573

      SHA1

      ff104d12a6d28175a82e5f61b10c060d586c5ff6

      SHA256

      d28b72d6bdbfd00ce797bbce372038f89b94e53a088c2c84b9ebf16c4725df6b

      SHA512

      8012d1617adbbe522f2d001a58f966ade69f2cb5b63fef55ae6ec97a0e5a066454da808e667e4d677d2aaca3147d1385d5f503b2fc6c5f5a31dc67da44ae5832

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iebpgqp5.l3e.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2C6A.tmp
      Filesize

      1KB

      MD5

      48b64f06bf2821b2e8318e1fae86905f

      SHA1

      02c9051ac01452bb3eca02a83312a4654990a2f4

      SHA256

      869a2a6bfd4d018ac1b4413e0610e72acf4d82c1ab2247afe4947d404b0e518b

      SHA512

      18103e81105d2ac0e975a7dd8966273809720156852579a2fcd520ed9535d40dd6d9061de230746a42edf7f7cb8d90bb75403bef5e6b5c115e07a8c4c474b359

      Download Submit

    • memory/208-102-0x0000025A50DF0000-0x0000025A50F0D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1084-22-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1084-49-0x0000000005C80000-0x0000000005C9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1084-89-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1084-82-0x00000000072C0000-0x00000000072C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1084-81-0x00000000072E0000-0x00000000072FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1084-80-0x00000000071E0000-0x00000000071F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1084-64-0x0000000006E40000-0x0000000006EE3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1084-16-0x0000000002350000-0x0000000002386000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1084-18-0x0000000004F40000-0x0000000005568000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1084-17-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1084-19-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1084-75-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1084-74-0x00000000075E0000-0x0000000007C5A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1084-51-0x0000000006250000-0x0000000006282000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1084-62-0x0000000006230000-0x000000000624E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1084-23-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1084-25-0x00000000055E0000-0x0000000005646000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1084-39-0x0000000005670000-0x00000000059C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1084-50-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1084-24-0x0000000005570000-0x00000000055D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1084-52-0x0000000075910000-0x000000007595C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1404-26-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1404-90-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1404-93-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1404-91-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1736-2-0x0000000005360000-0x0000000005904000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1736-7-0x0000000005E10000-0x0000000005E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1736-1-0x0000000000240000-0x00000000002F2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1736-6-0x0000000006310000-0x000000000632A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1736-5-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1736-4-0x0000000004D70000-0x0000000004D7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1736-29-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1736-11-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1736-0-0x000000007508E000-0x000000007508F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1736-3-0x0000000004CB0000-0x0000000004D42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1736-10-0x000000007508E000-0x000000007508F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1736-9-0x0000000008A10000-0x0000000008AAC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1736-8-0x00000000063C0000-0x000000000644A000-memory.dmp

      Filesize

      552KB

      Download

    • memory/3020-92-0x0000000000EB0000-0x0000000000EEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3020-94-0x0000000000EB0000-0x0000000000EEF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3432-95-0x0000000007F30000-0x000000000804D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4788-85-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4788-79-0x0000000007C70000-0x0000000007C7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4788-78-0x0000000007C40000-0x0000000007C51000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4788-20-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4788-77-0x0000000007CC0000-0x0000000007D56000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4788-76-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4788-63-0x0000000075910000-0x000000007595C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4788-27-0x0000000075080000-0x0000000075830000-memory.dmp

      Filesize

      7.7MB

      Download