d395cb074c93aac76ff1dc501e202c61a86e062896593cb75161d3747d2577e9

General

Target

DHL Details.exe
Size

1.1MB
MD5

41b6de13a1a77f13859e7507cb7801d1
SHA1

169255531a255c357293c87401f9da42d58f15a0
SHA256

d395cb074c93aac76ff1dc501e202c61a86e062896593cb75161d3747d2577e9
SHA512

c4976e9894e6e6e16ad400c48e80675c426db77db91a21339a4a806f0afbf16b65a942c3346752269c817f8bc9afc4c99eddcb4173a7c02814876afcfeaa24e0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1960 schtasks.exe

pid	process
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

DHL Details.exe

pid	process
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe
2004	DHL Details.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL Details.exe

description pid process

Token: SeDebugPrivilege 2004 DHL Details.exe

description	pid	process
Token: SeDebugPrivilege	2004	DHL Details.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

DHL Details.exe

description	pid	process	target process
PID 2004 wrote to memory of 1960	2004	DHL Details.exe	schtasks.exe
PID 2004 wrote to memory of 1960	2004	DHL Details.exe	schtasks.exe
PID 2004 wrote to memory of 1960	2004	DHL Details.exe	schtasks.exe
PID 2004 wrote to memory of 1960	2004	DHL Details.exe	schtasks.exe
PID 2004 wrote to memory of 328	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 328	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 328	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 328	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 816	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 816	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 816	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 816	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1496	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1496	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1496	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1496	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1488	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1488	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1488	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1488	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1236	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1236	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1236	2004	DHL Details.exe	DHL Details.exe
PID 2004 wrote to memory of 1236	2004	DHL Details.exe	DHL Details.exe

C:\Users\Admin\AppData\Local\Temp\DHL Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Details.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKIXouo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2942.tmp"
2⤵
- Creates scheduled task(s)
PID:1960

C:\Users\Admin\AppData\Local\Temp\DHL Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Details.exe"
2⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\DHL Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Details.exe"
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\DHL Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Details.exe"
2⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\DHL Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Details.exe"
2⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\DHL Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Details.exe"
2⤵
PID:1236

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2942.tmp
MD5
795279bfcba10a4f356f6c0c404f83be

SHA1
2f4bb662f9e51f7ec57c27a31d24c40400fe4c96

SHA256
f6e646c6f761d79a42dabd9bb6139870f9b2f106f68c030da4f9e1dbe173fcd8

SHA512
508c08a923540928a4f30ddfb17e1061d90974d05893d7ac1aec83ab2495091886e6dd8098adecfab48495c4881d8db49426bf51038cd9355004216eb8846313

Download Submit
memory/1960-8-0x0000000000000000-mapping.dmp

Download
memory/2004-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2004-5-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2004-6-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/2004-7-0x0000000005410000-0x00000000054AE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads