264b1ca9df86f0d722b98b6aebc1be86d4c342747b709113a4eca4d68fc0dbdc

General

Target

DHL Delivery Invoice.pdf.exe
Size

576KB
MD5

1c8452d15051907d3bc10de6ae00220f
SHA1

22f840194dd125a4f416c9cf4f2daff13b0fcfc7
SHA256

264b1ca9df86f0d722b98b6aebc1be86d4c342747b709113a4eca4d68fc0dbdc
SHA512

ad72f89ea67b42268c5c43e3417bb8f179607743b68ca0f358306f2183a76cebff53153ef811b1f7f583a346af507d0cb9757bcccf64eb5858ed9d473d30d14e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

600 1116 WerFault.exe DHL Delivery Invoice.pdf.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeWerFault.exe

pid process

1928 powershell.exe
600 WerFault.exe
600 WerFault.exe
600 WerFault.exe
600 WerFault.exe
600 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1928 powershell.exe
Token: SeDebugPrivilege 600 WerFault.exe

pid	pid_target	process	target process
600	1116	WerFault.exe	DHL Delivery Invoice.pdf.exe

pid	process
1292	schtasks.exe

pid	process
1928	powershell.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	600	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL Delivery Invoice.pdf.exe

description	pid	process	target process
PID 1116 wrote to memory of 1928	1116	DHL Delivery Invoice.pdf.exe	powershell.exe
PID 1116 wrote to memory of 1928	1116	DHL Delivery Invoice.pdf.exe	powershell.exe
PID 1116 wrote to memory of 1928	1116	DHL Delivery Invoice.pdf.exe	powershell.exe
PID 1116 wrote to memory of 1928	1116	DHL Delivery Invoice.pdf.exe	powershell.exe
PID 1116 wrote to memory of 1292	1116	DHL Delivery Invoice.pdf.exe	schtasks.exe
PID 1116 wrote to memory of 1292	1116	DHL Delivery Invoice.pdf.exe	schtasks.exe
PID 1116 wrote to memory of 1292	1116	DHL Delivery Invoice.pdf.exe	schtasks.exe
PID 1116 wrote to memory of 1292	1116	DHL Delivery Invoice.pdf.exe	schtasks.exe
PID 1116 wrote to memory of 600	1116	DHL Delivery Invoice.pdf.exe	WerFault.exe
PID 1116 wrote to memory of 600	1116	DHL Delivery Invoice.pdf.exe	WerFault.exe
PID 1116 wrote to memory of 600	1116	DHL Delivery Invoice.pdf.exe	WerFault.exe
PID 1116 wrote to memory of 600	1116	DHL Delivery Invoice.pdf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NaBFSpgH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaBFSpgH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp"
2⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 964
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp
MD5
215ad50ca8204eabf6a0999d50527adc

SHA1
3ce71c708bcd8f50ae89ba1786419575f19cedd3

SHA256
33e717348ff31adf533a4bcef0da81ff4b94bc10b06d20a22e1b0d6d1de3b4db

SHA512
7e5c28dbd1053b9d90a13facbd8b1153a8f2f6efe60d66562325453a36019c4b8523ebda6bc7c1821a4e0f8c91c5aff999222f313766db9db1b4ae52a9ceaf17

Download Submit
memory/600-70-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/600-66-0x0000000000000000-mapping.dmp

Download
memory/1116-59-0x0000000004730000-0x00000000047A6000-memory.dmp

Filesize
472KB

Download
memory/1116-60-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1116-61-0x00000000054B0000-0x0000000005519000-memory.dmp

Filesize
420KB

Download
memory/1116-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1116-58-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1116-57-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/1292-63-0x0000000000000000-mapping.dmp

Download
memory/1928-62-0x0000000000000000-mapping.dmp

Download
memory/1928-68-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1928-69-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1928-67-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads