Analysis
-
max time kernel
146s -
max time network
41s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
13-07-2020 06:30
Static task
static1
Behavioral task
behavioral1
Sample
DHLs.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
DHLs.exe
Resource
win10
General
-
Target
DHLs.exe
-
Size
969KB
-
MD5
0fad3be245133a44503adbbe6c3f3629
-
SHA1
35940b44a83547d5e78ad8ba9c8e797d90325ee2
-
SHA256
de1d1aff1d7ab389137414faef7f0a2d192d6cf7ab5ed79549c4fdce17e36cd1
-
SHA512
6a043e8ef5bf84728b8a2bbc7ff4d137d9d9b57dab01b3a6449e3b89b11c5d6d64138e83f73fe359c2530ed7f52eb1ac2f95c741eaa3cec6ce490d8a0d6fdc74
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
DHLs.exepid process 1304 DHLs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHLs.exedescription pid process target process PID 1304 set thread context of 1308 1304 DHLs.exe DHLs.exe -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes:
resource yara_rule behavioral1/memory/1308-0-0x0000000000400000-0x00000000004B1000-memory.dmp upx behavioral1/memory/1308-3-0x0000000000400000-0x00000000004B1000-memory.dmp upx behavioral1/memory/1308-4-0x0000000000400000-0x00000000004B1000-memory.dmp upx -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
DHLs.exeDHLs.exeDHLs.exepid process 1304 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1400 DHLs.exe 1308 DHLs.exe 1308 DHLs.exe 1400 DHLs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
DHLs.exeDHLs.exedescription pid process target process PID 1304 wrote to memory of 1308 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1308 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1308 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1308 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1400 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1400 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1400 1304 DHLs.exe DHLs.exe PID 1304 wrote to memory of 1400 1304 DHLs.exe DHLs.exe PID 1308 wrote to memory of 1260 1308 DHLs.exe netsh.exe PID 1308 wrote to memory of 1260 1308 DHLs.exe netsh.exe PID 1308 wrote to memory of 1260 1308 DHLs.exe netsh.exe PID 1308 wrote to memory of 1260 1308 DHLs.exe netsh.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
DHLs.exedescription pid process Token: SeDebugPrivilege 1308 DHLs.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
netsh.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups netsh.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas netsh.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs netsh.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI netsh.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig netsh.exe -
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHLs.exe"C:\Users\Admin\AppData\Local\Temp\DHLs.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHLs.exe"C:\Users\Admin\AppData\Local\Temp\DHLs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
- Modifies service
-
C:\Users\Admin\AppData\Local\Temp\DHLs.exe"C:\Users\Admin\AppData\Local\Temp\DHLs.exe" 2 1308 1058932⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1260-9-0x0000000000000000-mapping.dmp
-
memory/1308-0-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1308-1-0x00000000004AF740-mapping.dmp
-
memory/1308-3-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1308-4-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1308-5-0x00000000002D0000-0x0000000000322000-memory.dmpFilesize
328KB
-
memory/1308-6-0x0000000000632000-0x0000000000633000-memory.dmpFilesize
4KB
-
memory/1308-7-0x0000000000220000-0x000000000026C000-memory.dmpFilesize
304KB
-
memory/1400-2-0x0000000000000000-mapping.dmp