Analysis
  max time kernel: 149s
  max time network: 152s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 13-01-2021 05:59
  Static task: static1
  Behavioral task: behavioral1
  Sample: DHL Delivery Shipping, PDF.exe
  Resource: win7v20201028
General
  Target: DHL Delivery Shipping, PDF.exe
  Size: 991KB
  MD5: 43df80ded0aa1f92951742b2dc2b916e
  SHA1: 0d37d5f1876431cd0345f72770e38302d07b194b
  SHA256: 3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd
  SHA512: 16216eaa505ffb11ecd0b61b50387fe242079dcc17158dc783df6c08d9884eeac4612a6586450a7957c2d425e1957905ca023d0733137844615577205e6ed338
Malware Config
  Extracted
    Family: remcos
    C2: mikegrace2021.ddns.net:1999
Signatures
  Suspicious use of SetThreadContext (1 IoC)
    Processes (description | PID / process | target PID / target process):
      set thread context of | 1740 DHL Delivery Shipping, PDF.exe | 592 DHL Delivery Shipping, PDF.exe
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes (PID / process):
      1740 DHL Delivery Shipping, PDF.exe
      1740 DHL Delivery Shipping, PDF.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes (description | PID / process):
      Token: SeDebugPrivilege | 1740 DHL Delivery Shipping, PDF.exe
  Suspicious use of SetWindowsHookEx (1 IoC)
    Processes (PID / process):
      592 DHL Delivery Shipping, PDF.exe
  Suspicious use of WriteProcessMemory (19 IoCs)
    Processes (description | PID / process | target PID / target process | entries):
      wrote to memory of | 1740 DHL Delivery Shipping, PDF.exe | 1668 schtasks.exe | 4
      wrote to memory of | 1740 DHL Delivery Shipping, PDF.exe | 268 DHL Delivery Shipping, PDF.exe | 4
      wrote to memory of | 1740 DHL Delivery Shipping, PDF.exe | 592 DHL Delivery Shipping, PDF.exe | 11
Processes
  C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe (PID 1740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 1668, child of 1740)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJFAuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E6.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe (PID 268, child of 1740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
    C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe (PID 592, child of 1740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 3d1e9bc4a00f81d17ba27a8bb9742863
  SHA1: 57fce9b60eb659a28101e63d9389dfb129f44792
  SHA256: 8862106b37ba011e5388a828a0552f9bd25068d1962593d44cc1a00aac5c63bc
  SHA512: d8ea6e9596ee5e9ce6b9ec6a86e92f656f5ee4ba4ed87e68ae69b2ef9c0dc6ae11965dd737505c7548713f6efaa01e6d4b5dd1cf66f658f31d7b1ccb6055687e