Analysis
max time kernel: 93s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 01. MT JS JIANGYIN Ship Particulars.xlsx.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 01. MT JS JIANGYIN Ship Particulars.xlsx.exe
  Resource: win10v2004-20241007-en
General
Target: 01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Size: 1.1MB
MD5: d1b0f594c2162e517c30a3fd9a87085b
SHA1: 249e2e865e1abb381dfbdf6a340db76fd0749591
SHA256: 53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485
SHA512: 84554080601be34f64768d7ae52513571c4dd7bfb40d766dc30702b09804754771fccc94fd2463d63f43479727a72e70aa2c7a25eb1e4aea31022d550fd83ca3
SSDEEP: 12288:Ytb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgao73rAFx83DGd7J2WLjJ:Ytb20pkaCqT5TBWgNQ7aoRTmos+E6A
Malware Config
Signatures
Program crash (1 IoC)
  Processes (pid | pid_target | Process | procid_target):
    3132 | 3156 | WerFault.exe | 82
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | Process):
    3156 | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | Process | procid_target):
    PID 3156 wrote to memory of 1048 | 3156 | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | 86
    PID 3156 wrote to memory of 1048 | 3156 | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | 86
    PID 3156 wrote to memory of 1048 | 3156 | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"
  PID: 3156
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"
      PID: 1048
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 628
      PID: 3132
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3156 -ip 3156
  PID: 972
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 261KB
MD5: 38f32ed0ac96cb9d6a3ee68ee2b6ece8
SHA1: a4ff8874c060347eb17afa37e645babd57757784
SHA256: 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3
SHA512: c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4