Analysis
- max time kernel: 152s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 18:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: DHL invoice KULIR00895239.pdf.exe
- Resource: win7-en-20210920
General
- Target: DHL invoice KULIR00895239.pdf.exe
- Size: 438KB
- MD5: f668e4c9cc8a691b159e2033f30f50b5
- SHA1: 3ef37ae10df8f196b68f69db29a7f369fa181970
- SHA256: 07826de5569163107133c374c0f4fde7f494118f127cce285a2a280d98b2dd3b
- SHA512: 92cef7c693652fbd31f878b2f5a759c6bacfc07e479a64cf0ce8ddb9cf35468c4a0630eac572185b90b1fc7e7076e3b6f6859d1ad39c7da7d1fdffb8cf67d90d
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: m6t2
- C2: http://www.vmhenterprise.com/m6t2/
Decoy domains (from the extracted config):
somethinghaatke.net
bluehubwriters.com
ptfitnet.com
coastelevatorinteriors.com
hellensilvamkd.com
feekyfeeky.com
studioemiko.com
high-clicks2.com
troyleedesigns.club
peopletrucksinsurance.com
lameducation.com
pundiajaib.com
photosonunderwear.com
hautegirlmarket.com
groopadamce.quest
ignitivehq.com
partyprintable.digital
unlimitedrehab.com
awaytraveltnpasumo6.xyz
hourly.limo
meituandh.xyz
gpwconstrutoraincorporadora.com
azshalomcenter.com
tripeater.com
howzat.academy
certifiedprotradebot.icu
aigreen-ls.com
kwuthh.com
septum.xyz
lifeguardingcoursenearme.com
cupsnax.com
037atk.xyz
movingtolincolnca.com
cherrywoodranchvacationhome.com
tryandmiss.com
socialviralup.com
huiying666.xyz
contact6.email
bindraussen.info
feltamazeballs.com
vulkan-mirror.space
financialwebservices.com
crownexpresssglobal.com
koffishop.com
theawesomesavings.com
respiratoryathome.net
takut9.com
pittboss-bbq.one
brailion.com
ophthalmologyignite.com
flg1819.com
1258200.com
soflovrlnd.com
phillermusic.com
kingstonwff.com
realsteelsoftwarecampaign.com
litunity.com
antiquitynaturalstone.biz
gemmagem.com
luxehairbyjen.com
zakwolff.com
ooiase.com
andrewsenphotography.com
paulapossetto.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/916-124-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/916-125-0x000000000041D450-mapping.dmp | xloader
  behavioral2/memory/916-128-0x0000000000F00000-0x000000000104A000-memory.dmp | xloader
  behavioral2/memory/2876-132-0x0000000000B30000-0x0000000000B59000-memory.dmp | xloader
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 500 set thread context of 916 | 500 | DHL invoice KULIR00895239.pdf.exe | DHL invoice KULIR00895239.pdf.exe
  PID 916 set thread context of 3008 | 916 | DHL invoice KULIR00895239.pdf.exe | Explorer.EXE
  PID 2876 set thread context of 3008 | 2876 | msdt.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid | process
  916 | DHL invoice KULIR00895239.pdf.exe (4 entries)
  2876 | msdt.exe (42 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3008 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  916 | DHL invoice KULIR00895239.pdf.exe (3 entries)
  2876 | msdt.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 916 | DHL invoice KULIR00895239.pdf.exe
  Token: SeDebugPrivilege | 2876 | msdt.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 500 wrote to memory of 916 | 500 | DHL invoice KULIR00895239.pdf.exe | DHL invoice KULIR00895239.pdf.exe (6 entries)
  PID 3008 wrote to memory of 2876 | 3008 | Explorer.EXE | msdt.exe (3 entries)
  PID 2876 wrote to memory of 1524 | 2876 | msdt.exe | cmd.exe (3 entries)
Processes
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\msdt.exe
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
Downloads
- memory/500-115-0x0000000000CE0000-0x0000000000CE1000-memory.dmp (4KB)
- memory/500-117-0x0000000005AC0000-0x0000000005AC1000-memory.dmp (4KB)
- memory/500-118-0x00000000055C0000-0x00000000055C1000-memory.dmp (4KB)
- memory/500-119-0x00000000055C0000-0x0000000005ABE000-memory.dmp (5.0MB)
- memory/500-120-0x0000000005590000-0x0000000005591000-memory.dmp (4KB)
- memory/500-121-0x00000000059C0000-0x00000000059C7000-memory.dmp (28KB)
- memory/500-122-0x0000000006360000-0x0000000006361000-memory.dmp (4KB)
- memory/500-123-0x00000000062C0000-0x000000000630B000-memory.dmp (300KB)
- memory/916-128-0x0000000000F00000-0x000000000104A000-memory.dmp (1.3MB)
- memory/916-125-0x000000000041D450-mapping.dmp
- memory/916-124-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/916-127-0x0000000001510000-0x0000000001830000-memory.dmp (3.1MB)
- memory/1524-133-0x0000000000000000-mapping.dmp
- memory/2876-130-0x0000000000000000-mapping.dmp
- memory/2876-131-0x0000000001220000-0x0000000001393000-memory.dmp (1.4MB)
- memory/2876-132-0x0000000000B30000-0x0000000000B59000-memory.dmp (164KB)
- memory/2876-134-0x0000000004F00000-0x0000000005220000-memory.dmp (3.1MB)
- memory/2876-135-0x0000000004D60000-0x0000000004DF0000-memory.dmp (576KB)
- memory/3008-129-0x0000000005C20000-0x0000000005D66000-memory.dmp (1.3MB)
- memory/3008-136-0x0000000006BD0000-0x0000000006CE5000-memory.dmp (1.1MB)