Analysis

max time kernel:   130s
max time network:  23s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-ja
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
submitted:         10-06-2024 00:45
Static task static1

Behavioral task behavioral1
  Sample:   Shipping Documents PONBOM01577/Shipping Documents PONBOM01577.xlsx.exe
  Resource: win7-20240221-ja

Behavioral task behavioral2
  Sample:   Shipping Documents PONBOM01577/Shipping Documents PONBOM01577.xlsx.exe
  Resource: win10v2004-20240226-ja
General

Target:  Shipping Documents PONBOM01577/Shipping Documents PONBOM01577.xlsx.exe
Size:    390KB
MD5:     9ad1097ef6d23a86d4b9327e54fdc9bc
SHA1:    517d09c1d755f08f3c5bf073d87185a801b68907
SHA256:  df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67
SHA512:  1ea9293a6931e191b1c63537fc5ea003e8ae98d53242a711769052bf9ba1976def2bb5f7894f85a0da087c0a4354a68474268da77d8438cfbb0a04299df7c955
SSDEEP:  6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T

Note the double extension in the target name: the file is an executable (.exe) named to read as an Excel workbook (.xlsx), a common lure in "shipping document" phishing attachments. With file extensions hidden in Explorer the name displays as "Shipping Documents PONBOM01577.xlsx".
Malware Config

(empty in this report; no configuration was extracted)

Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                  procid_target
  PID 3900 set thread context of 548   3900  Shipping Documents PONBOM01577.xlsx.exe  91

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3164  548         WerFault.exe  91

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                  procid_target
  PID 3900 wrote to memory of 548    3900  Shipping Documents PONBOM01577.xlsx.exe  91
  PID 3900 wrote to memory of 548    3900  Shipping Documents PONBOM01577.xlsx.exe  91
  PID 3900 wrote to memory of 548    3900  Shipping Documents PONBOM01577.xlsx.exe  91
  PID 3900 wrote to memory of 548    3900  Shipping Documents PONBOM01577.xlsx.exe  91

Read together, the rows show the first instance of the sample (PID 3900) writing four times into, and then resetting a thread context of, a second instance of its own image (PID 548). That sequence is consistent with RunPE-style process hollowing: a child is started suspended, its image is overwritten with a payload, and its primary thread is redirected to the new entry point. The child then crashed and was picked up by WerFault.exe, so whatever the injected stage was meant to do in this environment did not run, which also explains why no malware configuration or network behaviour is recorded above.
Processes

1. "C:\Users\Admin\AppData\Local\Temp\Shipping Documents PONBOM01577\Shipping Documents PONBOM01577.xlsx.exe"
   PID: 3900
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. "C:\Users\Admin\AppData\Local\Temp\Shipping Documents PONBOM01577\Shipping Documents PONBOM01577.xlsx.exe"
      PID: 548 (child of 3900, same image; target of the writes and thread-context change above)

      3. C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 80
         PID: 3164
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
   PID: 4772

1. "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=ja --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5300 --field-trial-handle=2004,i,11353352523309642653,12819563506260093491,262144 --variations-seed-version /prefetch:8
   PID: 1140 (top-level Edge utility process, not a descendant of the sample in this tree)
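The Signatures and Processes sections above only list the raw API events; the useful detection is the correlation between them. The following Python is an added example, not part of the sandbox report or of any vendor's rule set: it rebuilds the report's events (PID 3900 writing to and setting a thread context in PID 548, PID 548 crashing under WerFault) as constructed records, adds one constructed control row, and flags any source/target pair that shows both WriteProcessMemory and SetThreadContext. The Event fields and the find_hollowing function are this example's own names.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One behavioural event as a sandbox or EDR would log it.

    Field names are this example's own, not the report's column headers.
    """
    api: str          # "WriteProcessMemory", "SetThreadContext" or "Crash"
    pid: int          # acting process
    image: str        # acting process image (file name only)
    target_pid: int   # process acted upon
    target_image: str


SAMPLE = "Shipping Documents PONBOM01577.xlsx.exe"

# Rebuilt from the report's Signatures and Processes sections: four
# WriteProcessMemory rows and one SetThreadContext row from PID 3900 against
# PID 548 (a child running the same image), then WerFault.exe (PID 3164)
# handling the crash of PID 548.
REPORT_EVENTS = [
    Event("WriteProcessMemory", 3900, SAMPLE, 548, SAMPLE),
    Event("WriteProcessMemory", 3900, SAMPLE, 548, SAMPLE),
    Event("WriteProcessMemory", 3900, SAMPLE, 548, SAMPLE),
    Event("WriteProcessMemory", 3900, SAMPLE, 548, SAMPLE),
    Event("SetThreadContext", 3900, SAMPLE, 548, SAMPLE),
    Event("Crash", 3164, "WerFault.exe", 548, SAMPLE),
    # Constructed control row (not from the report): a single cross-process
    # write with no SetThreadContext, which the rule must NOT flag on its own.
    Event("WriteProcessMemory", 7000, "tool.exe", 7001, "target.exe"),
]


def find_hollowing(events):
    """Return (source, target) pairs that both wrote into a foreign process
    and rewrote one of its thread contexts.

    Writing a PE image into a suspended child and then pointing its primary
    thread at the new entry point is the RunPE / process-hollowing sequence,
    so the two APIs together from one source against one target are the
    minimal signal. Either API alone is too noisy: debuggers, crash handlers
    and CreateRemoteThread-style injectors each touch only one of them.
    """
    by_pair = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": None})
    crashed = set()
    for ev in events:
        if ev.api == "Crash":
            crashed.add(ev.target_pid)
            continue
        if ev.pid == ev.target_pid:
            continue  # a process touching its own memory is not cross-process
        slot = by_pair[(ev.pid, ev.target_pid)]
        slot["images"] = (ev.image, ev.target_image)
        if ev.api == "WriteProcessMemory":
            slot["writes"] += 1
        elif ev.api == "SetThreadContext":
            slot["ctx"] += 1

    findings = []
    for (src, dst), slot in sorted(by_pair.items()):
        if slot["writes"] and slot["ctx"]:
            src_img, dst_img = slot["images"]
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "write_count": slot["writes"],
                "context_count": slot["ctx"],
                # A child running the parent's own image is the classic
                # hollowing host; a system binary such as svchost.exe is the
                # other common choice, so do not require same_image to alert.
                "same_image": src_img.lower() == dst_img.lower(),
                # If the hollowed child crashed, the second stage never ran in
                # this environment, which is why later behaviour is absent.
                "target_crashed": dst in crashed,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(REPORT_EVENTS):
        print(finding)
```

Run against the report's events this yields exactly one finding, 3900 → 548 with four writes and one context change, same image, target crashed; the control pair (one write, no context change) is ignored. On a live host the same correlation applies to Sysmon event 8/10-style telemetry or ETW API traces, keyed on (source PID, target PID) within a short window.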