353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7

General

Target

Dhl shipment documents.exe
Size

816KB
MD5

c36de042c317262fbeb25e0901e2441e
SHA1

c4f38f77ef79cd4b44e1f6344f492281946fd707
SHA256

353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7
SHA512

b73e515912165b9a7838e4bde1ed590c7f65221243f56cc5bc9e735fc625c44b87758b04e6a1a1505ff44b42b10012c8855b04c6f3483180cf19a35e25f9b1ee

Score

5^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1860	1768	Dhl shipment documents.exe	24
PID 1768 wrote to memory of 1860	1768	Dhl shipment documents.exe	24
PID 1768 wrote to memory of 1860	1768	Dhl shipment documents.exe	24
PID 1768 wrote to memory of 1860	1768	Dhl shipment documents.exe	24
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1768 wrote to memory of 1904	1768	Dhl shipment documents.exe	26
PID 1904 wrote to memory of 1948	1904	Dhl shipment documents.exe	27
PID 1904 wrote to memory of 1948	1904	Dhl shipment documents.exe	27
PID 1904 wrote to memory of 1948	1904	Dhl shipment documents.exe	27
PID 1904 wrote to memory of 1948	1904	Dhl shipment documents.exe	27

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1904	1768	Dhl shipment documents.exe	26

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1860	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents.exe
"C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1768
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qFmllAChfUoYL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp950D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 376
    3⤵
    PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-2-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1904-4-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1904-5-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1948-7-0x0000000002060000-0x0000000002071000-memory.dmp

Filesize
68KB

Download
memory/1948-10-0x00000000023A0000-0x00000000023B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads