Analysis

max time kernel: 156s
max time network: 201s
platform: windows7_x64
resource: win7v20210408
submitted: 06-09-2021 06:45

Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipment Delivery_Pdf.exe
Resource: win7v20210408
General

Target: DHL Shipment Delivery_Pdf.exe
Size: 848KB
MD5: 91476ab6caae4d5ed99c3e5180812144
SHA1: 6ade7a1487ba2385c96ff47230377e51ef5d4709
SHA256: 823536a9c4dfcb7ea455b209f3702d792b2db6ad5202f063b2368b82191966b5
SHA512: cc60af3448e5e25f3baf06e964c0a8fdb1b41056711e69d0e9859ba6acc118b3a66aae8eb8a4e9549ec97f3e5662c7dd4ba9a86a89e9f7c4f13f5bd9377d0cec
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: u86g
C2: http://www.99356a.com/u86g/
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/552-67-0x000000000041D020-mapping.dmp                     xloader
  behavioral1/memory/552-66-0x0000000000400000-0x0000000000428000-memory.dmp   xloader
  behavioral1/memory/1552-76-0x0000000000080000-0x00000000000A8000-memory.dmp  xloader

Deletes itself (1 IoC)
Processes:
  pid   process
  588   cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                          pid   process                        target process
  PID 1276 set thread context of 552   1276  DHL Shipment Delivery_Pdf.exe  DHL Shipment Delivery_Pdf.exe
  PID 552 set thread context of 1196   552   DHL Shipment Delivery_Pdf.exe  Explorer.EXE
  PID 552 set thread context of 1196   552   DHL Shipment Delivery_Pdf.exe  Explorer.EXE
  PID 1552 set thread context of 1196  1552  NETSTAT.EXE                    Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
  pid   process
  1552  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid   process                        occurrences
  1276  DHL Shipment Delivery_Pdf.exe  1
  552   DHL Shipment Delivery_Pdf.exe  3
  1552  NETSTAT.EXE                    16

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid   process                        occurrences
  552   DHL Shipment Delivery_Pdf.exe  4
  1552  NETSTAT.EXE                    2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1276  DHL Shipment Delivery_Pdf.exe
  Token: SeDebugPrivilege   552   DHL Shipment Delivery_Pdf.exe
  Token: SeDebugPrivilege   1552  NETSTAT.EXE

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description                       pid   process                        target process                 occurrences
  PID 1276 wrote to memory of 560   1276  DHL Shipment Delivery_Pdf.exe  DHL Shipment Delivery_Pdf.exe  4
  PID 1276 wrote to memory of 552   1276  DHL Shipment Delivery_Pdf.exe  DHL Shipment Delivery_Pdf.exe  7
  PID 1196 wrote to memory of 1552  1196  Explorer.EXE                   NETSTAT.EXE                    4
  PID 1552 wrote to memory of 588   1552  NETSTAT.EXE                    cmd.exe                        4
Processes

C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"

    C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"
      - Deletes itself
Downloads

  memory dump                                                       filesize
  memory/552-71-0x00000000001F0000-0x0000000000200000-memory.dmp    64KB
  memory/552-67-0x000000000041D020-mapping.dmp                      -
  memory/552-66-0x0000000000400000-0x0000000000428000-memory.dmp    160KB
  memory/552-69-0x0000000000080000-0x0000000000090000-memory.dmp    64KB
  memory/552-68-0x0000000000A70000-0x0000000000D73000-memory.dmp    3.0MB
  memory/588-74-0x0000000000000000-mapping.dmp                      -
  memory/1196-70-0x0000000006350000-0x00000000064AF000-memory.dmp   1.4MB
  memory/1196-79-0x0000000004E60000-0x0000000004F55000-memory.dmp   980KB
  memory/1196-72-0x0000000006A40000-0x0000000006BB1000-memory.dmp   1.4MB
  memory/1276-65-0x0000000000730000-0x000000000075A000-memory.dmp   168KB
  memory/1276-60-0x00000000002C0000-0x00000000002C1000-memory.dmp   4KB
  memory/1276-64-0x0000000005330000-0x000000000538F000-memory.dmp   380KB
  memory/1276-63-0x0000000000500000-0x0000000000516000-memory.dmp   88KB
  memory/1276-62-0x0000000001FC0000-0x0000000001FC1000-memory.dmp   4KB
  memory/1552-73-0x0000000000000000-mapping.dmp                     -
  memory/1552-75-0x0000000000C20000-0x0000000000C29000-memory.dmp   36KB
  memory/1552-76-0x0000000000080000-0x00000000000A8000-memory.dmp   160KB
  memory/1552-77-0x00000000021C0000-0x00000000024C3000-memory.dmp   3.0MB
  memory/1552-78-0x0000000000B70000-0x0000000000BFF000-memory.dmp   572KB