Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 17-01-2021 13:58
Static task: static1
Behavioral task: behavioral1
  Sample: DHL-E-NOTIFICATION.scr
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: DHL-E-NOTIFICATION.scr
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: DHL-E-NOTIFICATION.scr
Size: 80KB
MD5: dd1695e8557df09f1104d4a77155de69
SHA1: d17f5e33f9c9bef7eb2bf8f8b8d0596e7a1ae70a
SHA256: 473b4ab8742767a11514ea136e35f227add4d742c06ae7ceefc93553c8931e7b
SHA512: f80ef0f993f270dedc2b266594ddf61963efd3fa2479941fb96eaff805c3ff3c54a26bd24460fca80775cd7a641fecbbf0503eae432991830906225fceea7f2f
Score: 10/10
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description     | ioc | process
Key created     | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | DHL-E-NOTIFICATION.scr
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Trioicous = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TRABECULA\\tjrnebuskes.vbs" | DHL-E-NOTIFICATION.scr
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid  | process
1852 | DHL-E-NOTIFICATION.scr
1644 | DHL-E-NOTIFICATION.scr
1644 | DHL-E-NOTIFICATION.scr
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                          | pid  | process                | target process
PID 1852 set thread context of 1644  | 1852 | DHL-E-NOTIFICATION.scr | DHL-E-NOTIFICATION.scr
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid  | process
1852 | DHL-E-NOTIFICATION.scr
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid  | process
1852 | DHL-E-NOTIFICATION.scr
1644 | DHL-E-NOTIFICATION.scr
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description                    | pid  | process                | target process
PID 1852 wrote to memory of 1644 | 1852 | DHL-E-NOTIFICATION.scr | DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644 | 1852 | DHL-E-NOTIFICATION.scr | DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644 | 1852 | DHL-E-NOTIFICATION.scr | DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644 | 1852 | DHL-E-NOTIFICATION.scr | DHL-E-NOTIFICATION.scr
PID 1852 wrote to memory of 1644 | 1852 | DHL-E-NOTIFICATION.scr | DHL-E-NOTIFICATION.scr
PID 1644 wrote to memory of 1060 | 1644 | DHL-E-NOTIFICATION.scr | cmd.exe
PID 1644 wrote to memory of 1060 | 1644 | DHL-E-NOTIFICATION.scr | cmd.exe
PID 1644 wrote to memory of 1060 | 1644 | DHL-E-NOTIFICATION.scr | cmd.exe
PID 1644 wrote to memory of 1060 | 1644 | DHL-E-NOTIFICATION.scr | cmd.exe
PID 1060 wrote to memory of 428  | 1060 | cmd.exe                | reg.exe
PID 1060 wrote to memory of 428  | 1060 | cmd.exe                | reg.exe
PID 1060 wrote to memory of 428  | 1060 | cmd.exe                | reg.exe
PID 1060 wrote to memory of 428  | 1060 | cmd.exe                | reg.exe
Processes
C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr" /S
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr" /S
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Modifies registry key