Analysis
max time kernel: 156s
max time network: 153s
platform: windows10_x64
resource: win10-en
submitted: 06-09-2021 06:45
Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipment Delivery_Pdf.exe
Resource: win7v20210408
General
Target: DHL Shipment Delivery_Pdf.exe
Size: 848KB
MD5: 91476ab6caae4d5ed99c3e5180812144
SHA1: 6ade7a1487ba2385c96ff47230377e51ef5d4709
SHA256: 823536a9c4dfcb7ea455b209f3702d792b2db6ad5202f063b2368b82191966b5
SHA512: cc60af3448e5e25f3baf06e964c0a8fdb1b41056711e69d0e9859ba6acc118b3a66aae8eb8a4e9549ec97f3e5662c7dd4ba9a86a89e9f7c4f13f5bd9377d0cec
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: u86g
C2: http://www.99356a.com/u86g/
Decoy domains (the extractor lists these alongside the C2; Xloader/FormBook sends cover traffic to them, they are not the check-in server):
agenciaplim.com
fastpage.info
tiantianbd.com
hanedanpirlanta.com
project1accessories.com
rebeccadoumet.com
vrdnfz.com
jeaninesatl.com
isaakwallihconstruction.com
aegis.cloud
tigerandsnow.com
thehappyadventurer.com
ahhazu.com
hiveplushoney.com
k-plan-ning.com
peresvet.one
darkworkcustoms.com
deathbok.com
blackinkswizz.com
077sb.com
divecow.club
usbankaltituderewrds.com
nordaackalifestyle.com
melsamedia.com
spaziocanova.com
effinghamrotaryclub.com
organicbusinessstrategies.com
nevarsmith.com
bloqx.com
fortsdev.com
kingdomunified.com
missdecals.com
campbellsawmills.com
sharpestridesdetailing.com
castewaipoultryfarmllc.com
aregae.com
waterfiltration.systems
zxywxmr.com
davidedigiovanni.com
vfekhndzc.icu
guardamar.digital
ansb2b.com
nettute.com
getfluvidtested.com
ostadshagerd.com
bolsasytapers.com
deficryptocure.com
rahsiatokki1.com
virtual360hosting.info
rosettafeenathaniel.club
azschoolgy.com
cubanfilms.club
skooliehigh.com
kaybelledesignsllc.com
xn--lel-bla.com
2022.solar
myharitige.com
xn--iiqu5kngm42ez76a.com
kettlebellsamurai.com
nylonpicsporn.com
mimik33.com
minuwales.com
chelseashalza.com
friendchess.com
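The extracted config is the most directly actionable part of the report: one host and one campaign path carry the check-in, and the long domain list is cover traffic. The script below is an added example, not part of the sandbox report or its tooling. It copies the first lines of the config block (family, version, campaign, C2 URL, and only the first six of the 64 decoy domains, to keep the listing short), checks that the campaign id and the C2 path agree, and turns the result into a sample-specific Suricata rule and a two-tier DNS watchlist. The field meanings follow the sandbox's xloader extractor; the rule text and SID are this example's own choices.

```python
"""Turn the extracted Xloader config into network detection artefacts.

Added example, not part of the sandbox report or its tooling. CONFIG
copies the head of this report's "Malware Config" block (family,
version, campaign, C2 URL, then decoy domains; six of the 64 decoys
are kept). Rule text and SID are this example's own choices.
"""
from urllib.parse import urlsplit

CONFIG = """\
xloader
2.3
u86g
http://www.99356a.com/u86g/
agenciaplim.com
fastpage.info
tiantianbd.com
hanedanpirlanta.com
project1accessories.com
rebeccadoumet.com
"""


def parse_config(text):
    """Split the extractor's line-oriented dump into named fields."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    family, version, campaign, c2, *decoys = lines
    return {"family": family, "version": version, "campaign": campaign,
            "c2": c2, "decoys": decoys}


def campaign_matches_uri(cfg):
    """Xloader/FormBook check-in URLs have the form http://<host>/<campaign>/;
    the campaign field and the URL path should name the same id."""
    return urlsplit(cfg["c2"]).path.strip("/") == cfg["campaign"]


def suricata_rule(cfg, sid):
    """Sample-specific rule: exact C2 host plus the campaign path.

    Complements the generic "ET MALWARE FormBook CnC Checkin (GET)" hit
    in the report, which keys on the request shape, not this host.
    """
    u = urlsplit(cfg["c2"])
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"{cfg["family"]} {cfg["version"]} campaign {cfg["campaign"]} check-in"; '
        "flow:established,to_server; "
        f'http.host; content:"{u.hostname}"; '
        f'http.uri; content:"{u.path}"; startswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def dns_watchlist(cfg):
    """Two tiers: the C2 host is the high-confidence indicator; the decoys
    receive cover traffic from the bot and are often legitimate sites, so
    they are kept separate for low-severity correlation only."""
    c2_host = urlsplit(cfg["c2"]).hostname
    return {"c2": {c2_host}, "decoy": set(cfg["decoys"]) - {c2_host}}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("campaign/path consistent:", campaign_matches_uri(cfg))
    print(suricata_rule(cfg, 9000001))
    print(dns_watchlist(cfg))
```

The `startswith` modifier pins the path match to the beginning of the normalized URI, so a decoy request to some unrelated host carrying `/u86g/` deeper in its path does not fire the rule; the host match does the rest.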
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
    resource | yara_rule
    behavioral2/memory/1852-125-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
    behavioral2/memory/1852-126-0x000000000041D020-mapping.dmp | xloader
    behavioral2/memory/1792-133-0x0000000004430000-0x0000000004458000-memory.dmp | xloader
- Suspicious use of SetThreadContext (3 IoCs)
    pid | process | target pid | target process
    1812 | DHL Shipment Delivery_Pdf.exe | 1852 | DHL Shipment Delivery_Pdf.exe
    1852 | DHL Shipment Delivery_Pdf.exe | 2708 | Explorer.EXE
    1792 | chkdsk.exe | 2708 | Explorer.EXE
- Enumerates system info in registry (2 TTPs, 1 IoC)
    ioc | process
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
    pid | process | hits
    1852 | DHL Shipment Delivery_Pdf.exe | 4
    1792 | chkdsk.exe | 34
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid | process
    2708 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
    pid | process | hits
    1852 | DHL Shipment Delivery_Pdf.exe | 3
    1792 | chkdsk.exe | 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description | pid | process
    Token: SeDebugPrivilege | 1852 | DHL Shipment Delivery_Pdf.exe
    Token: SeDebugPrivilege | 1792 | chkdsk.exe
- Suspicious use of UnmapMainImage (1 IoC)
    pid | process
    2708 | Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
    pid | process | target pid | target process | hits
    1812 | DHL Shipment Delivery_Pdf.exe | 1852 | DHL Shipment Delivery_Pdf.exe | 6
    2708 | Explorer.EXE | 1792 | chkdsk.exe | 3
    1792 | chkdsk.exe | 2924 | cmd.exe | 3
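Read together, the SetThreadContext and WriteProcessMemory tables describe a classic hollowing chain: the dropper (1812) writes into a same-named child (1852) and then resets its thread context; the hollowed copy hijacks a thread in Explorer.EXE (2708); code running in Explorer spawns chkdsk.exe (1792), which again touches Explorer's thread context and finally hands cmd.exe (2924) a `del` of the original sample. The script below is an added example, not part of the sandbox report or its tooling. It transcribes the report's events into a one-line-per-event form (an assumed format, not the sandbox's export) together with the process table from the tree further down, and correlates them into those three observations.

```python
"""Correlate sandbox injection events into a process-hollowing chain.

Added example, not part of the sandbox report or its tooling. PROCESSES
and EVENTS are transcribed from this report's process tree and its
SetThreadContext / WriteProcessMemory tables; the one-event-per-line
text format is this script's own assumption, not the sandbox's export.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# pid -> (image path, command line), from the report's process tree
PROCESSES = {
    2708: (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1812: (r"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"'),
    1852: (r"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"'),
    1792: (r"C:\Windows\SysWOW64\chkdsk.exe", r'"C:\Windows\SysWOW64\chkdsk.exe"'),
    2924: (r"C:\Windows\SysWOW64\cmd.exe",
           r'/c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"'),
}

# One line per distinct (source, verb, target). The report repeats the
# writes 6x, 3x and 3x; the repetition does not change the correlation.
EVENTS = """\
PID 1812 wrote to memory of 1852
PID 1812 set thread context of 1852
PID 1852 set thread context of 2708
PID 2708 wrote to memory of 1792
PID 1792 set thread context of 2708
PID 1792 wrote to memory of 2924
"""

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)")
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def parse_events(text):
    """Yield (src_pid, verb, dst_pid); lines that do not match are ignored."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))


def analyze(events, processes):
    """Classify injection activity.

    hollowing    : src wrote into dst AND reset a thread context in dst, i.e. the
                   CreateProcess(suspended) -> WriteProcessMemory -> SetThreadContext
                   sequence. A parent writing into a fresh child on its own is
                   ordinary loader noise and is not reported.
    context_only : src reset a thread context in dst with no observed write. A
                   payload delivered through a shared section (the report's
                   MapViewOfSection hits for 1852 and 1792) never appears as
                   WriteProcessMemory, so this still deserves a look.
    self_delete  : a cmd.exe whose command line deletes another tracked
                   process's image (the dropper removing itself after hand-off).
    """
    writes, contexts = defaultdict(set), defaultdict(set)
    for src, verb, dst in events:
        (writes if verb.startswith("wrote") else contexts)[src].add(dst)

    findings = {"hollowing": [], "context_only": [], "self_delete": []}
    for src in sorted(writes.keys() | contexts.keys()):
        findings["hollowing"] += [(src, d) for d in sorted(writes[src] & contexts[src])]
        findings["context_only"] += [(src, d) for d in sorted(contexts[src] - writes[src])]

    for pid, (image, cmdline) in processes.items():
        if PureWindowsPath(image).name.lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmdline)
        if m:
            target = m.group(1)
            victims = sorted(p for p, (img, _) in processes.items()
                             if img.lower() == target.lower())
            findings["self_delete"].append((pid, target, victims))
    return findings


def describe(findings, processes):
    def name(pid):
        return PureWindowsPath(processes[pid][0]).name

    for src, dst in findings["hollowing"]:
        tag = " (same image: self-hollowing)" if name(src) == name(dst) else ""
        print(f"hollowing: {src} {name(src)} -> {dst} {name(dst)}{tag}")
    for src, dst in findings["context_only"]:
        print(f"thread context hijack without write: {src} {name(src)} -> {dst} {name(dst)}")
    for pid, target, victims in findings["self_delete"]:
        print(f"self-delete: {pid} cmd.exe removes {target} (pids {victims})")


if __name__ == "__main__":
    describe(analyze(parse_events(EVENTS), PROCESSES), PROCESSES)
```

On a real endpoint the same correlation runs over ETW or EDR telemetry keyed on source and target PID; the point of separating `context_only` from `hollowing` is that a SetThreadContext on a process the source never wrote to is not a weaker signal, only one whose write happened through a mapped section.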
Processes (tree as recorded by the sandbox; PIDs taken from the signature tables)
C:\Windows\Explorer.EXE (PID 2708)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe (PID 1812)
        command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe (PID 1852)
            command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\chkdsk.exe (PID 1792)
        command line: "C:\Windows\SysWOW64\chkdsk.exe"
        - Suspicious use of SetThreadContext
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 2924)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery_Pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1792-135-0x0000000004AD0000-0x0000000004B5F000-memory.dmp (572KB)
- memory/1792-133-0x0000000004430000-0x0000000004458000-memory.dmp (160KB)
- memory/1792-132-0x0000000000120000-0x000000000012A000-memory.dmp (40KB)
- memory/1792-130-0x0000000000000000-mapping.dmp
- memory/1792-134-0x0000000004C40000-0x0000000004F60000-memory.dmp (3.1MB)
- memory/1812-119-0x00000000058D0000-0x00000000058D1000-memory.dmp (4KB)
- memory/1812-122-0x0000000005A70000-0x0000000005A86000-memory.dmp (88KB)
- memory/1812-123-0x0000000007BD0000-0x0000000007C2F000-memory.dmp (380KB)
- memory/1812-124-0x000000000A400000-0x000000000A42A000-memory.dmp (168KB)
- memory/1812-121-0x0000000007C40000-0x0000000007C41000-memory.dmp (4KB)
- memory/1812-115-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (4KB)
- memory/1812-120-0x0000000005910000-0x0000000005E0E000-memory.dmp (5.0MB)
- memory/1812-118-0x0000000005820000-0x0000000005821000-memory.dmp (4KB)
- memory/1812-117-0x0000000005E10000-0x0000000005E11000-memory.dmp (4KB)
- memory/1852-126-0x000000000041D020-mapping.dmp
- memory/1852-127-0x00000000013F0000-0x0000000001710000-memory.dmp (3.1MB)
- memory/1852-128-0x0000000000BF0000-0x0000000000C00000-memory.dmp (64KB)
- memory/1852-125-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/2708-129-0x0000000004ED0000-0x0000000005013000-memory.dmp (1.3MB)
- memory/2708-136-0x0000000005020000-0x0000000005186000-memory.dmp (1.4MB)
- memory/2924-131-0x0000000000000000-mapping.dmp
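The dump names encode the owning process and the address range of each region, which is enough to line the list up against the YARA hits in the Signatures section without re-running the sample: the 160KB region at the default image base 0x400000 in PID 1852 and the 160KB region at 0x4430000 in PID 1792 are the same size and both matched the xloader rule, which is what the same unpacked image looks like in the hollowed self-copy and, later, in chkdsk.exe. The script below is an added example, not part of the sandbox report or its tooling. It parses the dump names (reading them as `<pid>-<seq>-<start>-<end>` is an inference from the names themselves, not a documented convention), groups regions by size across processes, and places the single-address `mapping.dmp` entries inside the dumped regions. PID 1812's own dumps are left out of the inline list for brevity.

```python
"""Cross-reference the report's memory dumps with its YARA hits.

Added example, not part of the sandbox report or its tooling. DUMPS and
YARA_HITS are copied from this report (PID 1812's dumps omitted for
brevity); reading the names as "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp"
and "-mapping.dmp" entries as a single address is an inference from the
names, not a documented sandbox convention.
"""
import re
from collections import defaultdict

DUMPS = """\
memory/1792-135-0x0000000004AD0000-0x0000000004B5F000-memory.dmp
memory/1792-133-0x0000000004430000-0x0000000004458000-memory.dmp
memory/1792-132-0x0000000000120000-0x000000000012A000-memory.dmp
memory/1792-130-0x0000000000000000-mapping.dmp
memory/1792-134-0x0000000004C40000-0x0000000004F60000-memory.dmp
memory/1852-126-0x000000000041D020-mapping.dmp
memory/1852-127-0x00000000013F0000-0x0000000001710000-memory.dmp
memory/1852-128-0x0000000000BF0000-0x0000000000C00000-memory.dmp
memory/1852-125-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2708-129-0x0000000004ED0000-0x0000000005013000-memory.dmp
memory/2708-136-0x0000000005020000-0x0000000005186000-memory.dmp
memory/2924-131-0x0000000000000000-mapping.dmp
"""

# resource -> rule, from the report's "Xloader Payload" signature
YARA_HITS = {
    "behavioral2/memory/1852-125-0x0000000000400000-0x0000000000428000-memory.dmp": "xloader",
    "behavioral2/memory/1852-126-0x000000000041D020-mapping.dmp": "xloader",
    "behavioral2/memory/1792-133-0x0000000004430000-0x0000000004458000-memory.dmp": "xloader",
}

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dumps(text):
    """Return (regions, mappings): dumped ranges with size and YARA rule,
    and the single-address mapping entries."""
    regions, mappings = [], []
    for name in text.split():
        hit = YARA_HITS.get("behavioral2/" + name)
        if m := REGION_RE.match(name):
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start,
                            "size": end - start, "yara": hit})
        elif m := MAPPING_RE.match(name):
            mappings.append({"pid": int(m[1]), "seq": int(m[2]),
                             "addr": int(m[3], 16), "yara": hit})
    return regions, mappings


def payload_candidates(regions):
    """Sizes dumped from more than one PID where at least one copy hit YARA:
    the same unpacked image recurring in each process it was injected into.
    Same-size regions with no hit (the two 3.1MB ones here) are left out."""
    by_size = defaultdict(list)
    for r in regions:
        by_size[r["size"]].append(r)
    return {size: sorted((r["pid"], r["start"]) for r in rs)
            for size, rs in by_size.items()
            if len({r["pid"] for r in rs}) > 1 and any(r["yara"] for r in rs)}


def locate(regions, pid, addr):
    """The dumped region of `pid` that contains `addr`, or None."""
    for r in regions:
        if r["pid"] == pid and r["start"] <= addr < r["start"] + r["size"]:
            return r
    return None


if __name__ == "__main__":
    regions, mappings = parse_dumps(DUMPS)
    for size, where in payload_candidates(regions).items():
        print(f"{size:#x} bytes ({size // 1024}KB) in: "
              + ", ".join(f"{p}@{a:#x}" for p, a in where))
    for mp in mappings:
        r = locate(regions, mp["pid"], mp["addr"])
        print(f"mapping {mp['pid']} {mp['addr']:#x}: "
              + (f"inside {r['start']:#x}+{r['size']:#x} (yara={r['yara']})"
                 if r else "no dumped region"))
```

The 0x41D020 mapping entry for PID 1852 lands inside the 0x400000 region that matched the xloader rule, consistent with an entry point inside the replaced image; the two mapping entries at address 0 (1792 and 2924) correspond to no dumped region and are reported as such rather than guessed at.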