Analysis
max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 17-01-2021 13:58
Static task: static1

Behavioral task: behavioral1
Sample: DHL-E-NOTIFICATION.scr
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: DHL-E-NOTIFICATION.scr
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General
Target: DHL-E-NOTIFICATION.scr
Size: 80KB
MD5: dd1695e8557df09f1104d4a77155de69
SHA1: d17f5e33f9c9bef7eb2bf8f8b8d0596e7a1ae70a
SHA256: 473b4ab8742767a11514ea136e35f227add4d742c06ae7ceefc93553c8931e7b
SHA512: f80ef0f993f270dedc2b266594ddf61963efd3fa2479941fb96eaff805c3ff3c54a26bd24460fca80775cd7a641fecbbf0503eae432991830906225fceea7f2f
Score: 10/10
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: DHL-E-NOTIFICATION.scr)
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Trioicous = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TRABECULA\\tjrnebuskes.vbs" (process: DHL-E-NOTIFICATION.scr)
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  PID 4644: DHL-E-NOTIFICATION.scr
  PID 3304: DHL-E-NOTIFICATION.scr
  PID 3304: DHL-E-NOTIFICATION.scr
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 4644 (DHL-E-NOTIFICATION.scr) set thread context of PID 3304 (DHL-E-NOTIFICATION.scr)
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  PID 3304: DHL-E-NOTIFICATION.scr
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  PID 4644: DHL-E-NOTIFICATION.scr
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  PID 4644: DHL-E-NOTIFICATION.scr
  PID 3304: DHL-E-NOTIFICATION.scr
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  PID 4644 (DHL-E-NOTIFICATION.scr) wrote to memory of PID 3304 (DHL-E-NOTIFICATION.scr), 4 times
  PID 3304 (DHL-E-NOTIFICATION.scr) wrote to memory of PID 4080 (cmd.exe), 3 times
  PID 4080 (cmd.exe) wrote to memory of PID 3020 (reg.exe), 3 times
Processes (nesting shows the process tree)

1. C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr" /S
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL-E-NOTIFICATION.scr" /S
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - Modifies registry key