Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7v20201028
submitted: 27-02-2021 19:51
Static task: static1
Behavioral task: behavioral1
Sample: Additional DHL shipment Delivery Parcel.exe
Resource: win7v20201028
General
Target: Additional DHL shipment Delivery Parcel.exe
Size: 510KB
MD5: b2fd9aab2f1597f74abda918ddc52f89
SHA1: acdf16e4c3a8e0428f7cf1934fdcfe0731b2fc28
SHA256: b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
SHA512: 3297c94b09f6845905f621020821c0ae05a95a0c4e96436f57460aeae5786e7be3acf1d159a0b2282636e2d765715d8d4242be80cfa549fa5d301d05baa175ff
Malware Config
Extracted family: formbook
Signatures
Formbook Payload (3 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1588-9-0x000000000041ECB0-mapping.dmp                     formbook
  behavioral1/memory/1588-8-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/1460-16-0x00000000001A0000-0x00000000001CE000-memory.dmp  formbook
Deletes itself (1 IoC)
Processes:
  pid   process
  1616  cmd.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process                                      target process
  PID 1728 set thread context of 1588  1728  Additional DHL shipment Delivery Parcel.exe  Additional DHL shipment Delivery Parcel.exe
  PID 1588 set thread context of 1276  1588  Additional DHL shipment Delivery Parcel.exe  Explorer.EXE
  PID 1460 set thread context of 1276  1460  cscript.exe                                  Explorer.EXE
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process
  1728  Additional DHL shipment Delivery Parcel.exe
  1588  Additional DHL shipment Delivery Parcel.exe (2 entries)
  1460  cscript.exe (8 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process
  1588  Additional DHL shipment Delivery Parcel.exe (3 entries)
  1460  cscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1728  Additional DHL shipment Delivery Parcel.exe
  Token: SeDebugPrivilege  1588  Additional DHL shipment Delivery Parcel.exe
  Token: SeDebugPrivilege  1460  cscript.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description                       pid   process                                      target process
  PID 1728 wrote to memory of 1684  1728  Additional DHL shipment Delivery Parcel.exe  Additional DHL shipment Delivery Parcel.exe (4 entries)
  PID 1728 wrote to memory of 1588  1728  Additional DHL shipment Delivery Parcel.exe  Additional DHL shipment Delivery Parcel.exe (7 entries)
  PID 1276 wrote to memory of 1460  1276  Explorer.EXE                                 cscript.exe (4 entries)
  PID 1460 wrote to memory of 1616  1460  cscript.exe                                  cmd.exe (4 entries)
Processes (indented by parent/child depth)
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
    C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
      - Deletes itself
Downloads
memory/1276-13-0x0000000006B40000-0x0000000006CED000-memory.dmp  (1.7MB)
memory/1460-19-0x0000000001E50000-0x0000000001EE3000-memory.dmp  (588KB)
memory/1460-15-0x0000000000150000-0x0000000000172000-memory.dmp  (136KB)
memory/1460-17-0x0000000002080000-0x0000000002383000-memory.dmp  (3.0MB)
memory/1460-16-0x00000000001A0000-0x00000000001CE000-memory.dmp  (184KB)
memory/1460-14-0x0000000000000000-mapping.dmp
memory/1588-12-0x0000000000140000-0x0000000000154000-memory.dmp  (80KB)
memory/1588-11-0x0000000000B00000-0x0000000000E03000-memory.dmp  (3.0MB)
memory/1588-8-0x0000000000400000-0x000000000042E000-memory.dmp  (184KB)
memory/1588-9-0x000000000041ECB0-mapping.dmp
memory/1616-18-0x0000000000000000-mapping.dmp
memory/1728-2-0x0000000074120000-0x000000007480E000-memory.dmp  (6.9MB)
memory/1728-7-0x0000000005380000-0x00000000053D4000-memory.dmp  (336KB)
memory/1728-6-0x0000000000340000-0x0000000000343000-memory.dmp  (12KB)
memory/1728-5-0x00000000043A0000-0x00000000043A1000-memory.dmp  (4KB)
memory/1728-3-0x00000000002B0000-0x00000000002B1000-memory.dmp  (4KB)