353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7

Analysis

max time kernel
71s
max time network
122s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Dhl shipment documents.exe
Size

816KB
MD5

c36de042c317262fbeb25e0901e2441e
SHA1

c4f38f77ef79cd4b44e1f6344f492281946fd707
SHA256

353be7f64ffa25bf3d8ea90b55b9b288633883f00f328841007f82324a37a4d7
SHA512

b73e515912165b9a7838e4bde1ed590c7f65221243f56cc5bc9e735fc625c44b87758b04e6a1a1505ff44b42b10012c8855b04c6f3483180cf19a35e25f9b1ee

Score

5^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3816	dw20.exe
3816	dw20.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3952	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3952	2728	Dhl shipment documents.exe	67
PID 2728 wrote to memory of 3952	2728	Dhl shipment documents.exe	67
PID 2728 wrote to memory of 3952	2728	Dhl shipment documents.exe	67
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 2728 wrote to memory of 3836	2728	Dhl shipment documents.exe	69
PID 3836 wrote to memory of 3816	3836	Dhl shipment documents.exe	70
PID 3836 wrote to memory of 3816	3836	Dhl shipment documents.exe	70
PID 3836 wrote to memory of 3816	3836	Dhl shipment documents.exe	70

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 3836	2728	Dhl shipment documents.exe	69

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3816	dw20.exe
Token: SeBackupPrivilege	3816	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents.exe
"C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qFmllAChfUoYL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7606.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 688
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3816-39-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-24-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-52-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-6-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3816-7-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3816-9-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3816-51-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-50-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-29-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-28-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-49-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-17-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-18-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/3816-20-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-19-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-21-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-22-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-23-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-44-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-25-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-26-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-48-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-27-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-47-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-30-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-32-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-31-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-33-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-34-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-35-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-36-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-37-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-38-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-46-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-41-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-40-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-42-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-43-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3816-45-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3836-2-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download