Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 02-12-2021 08:53
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Delivery Invoice.pdf.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: DHL Delivery Invoice.pdf.exe
- Resource: win10-en-20211104
General
- Target: DHL Delivery Invoice.pdf.exe
- Size: 576KB
- MD5: 1c8452d15051907d3bc10de6ae00220f
- SHA1: 22f840194dd125a4f416c9cf4f2daff13b0fcfc7
- SHA256: 264b1ca9df86f0d722b98b6aebc1be86d4c342747b709113a4eca4d68fc0dbdc
- SHA512: ad72f89ea67b42268c5c43e3417bb8f179607743b68ca0f358306f2183a76cebff53153ef811b1f7f583a346af507d0cb9757bcccf64eb5858ed9d473d30d14e
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic heuristic tag; nothing else in this report (no file writes beyond the task XML, no encryption activity) corroborates ransomware.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    600  1116  WerFault.exe  DHL Delivery Invoice.pdf.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    1928  powershell.exe
    600   WerFault.exe (5 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1928  powershell.exe
    Token: SeDebugPrivilege  600   WerFault.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1116 wrote to memory of 1928  1116  DHL Delivery Invoice.pdf.exe  powershell.exe (4 hits)
    PID 1116 wrote to memory of 1292  1116  DHL Delivery Invoice.pdf.exe  schtasks.exe (4 hits)
    PID 1116 wrote to memory of 600   1116  DHL Delivery Invoice.pdf.exe  WerFault.exe (4 hits)
  All twelve writes go from the sample to processes it has just created, which is consistent with ordinary process creation; they are not by themselves evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.pdf.exe (PID 1116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.pdf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1928, child of 1116)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NaBFSpgH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1292, child of 1116)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaBFSpgH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WerFault.exe (PID 600, child of 1116)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 964
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Notes on the tree: the image paths resolve under SysWOW64 while the command lines name System32, so the sample runs as a 32-bit process and WOW64 file-system redirection applies. The PowerShell child adds a Microsoft Defender exclusion for C:\Users\Admin\AppData\Roaming\NaBFSpgH.exe, and the schtasks child registers the task Updates\NaBFSpgH from the XML definition tmp8DAF.tmp (hashed under Downloads); the exclusion path and the task share the NaBFSpgH token, although this report lists no file written to that path. WerFault.exe -p 1116 handles a crash of the sample itself, so the run ended in an unhandled exception in the sandbox.
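As an added example that is not part of the sandbox report or the sample, the following Python detection pass turns the three behaviours in this process tree (Defender exclusion under AppData, scheduled task created from an XML in %TEMP%, double-extension image name) into rules and runs them over constructed process-creation records. The record layout and the Sysmon-style field names (ppid, pid, parent_image, image, cmdline) are assumptions; the PIDs and command lines are taken from the report, and a benign control record is added to show the severity split.

```python
r"""Added triage example for this report, not code from the sandbox. Three rules
run over process-creation records shaped like the process tree above; the
record fields (ppid, pid, parent_image, image, cmdline) are an assumed
normalisation of Sysmon-style telemetry:
  1. Add-MpPreference adding a Defender exclusion; high severity when the
     excluded path is user-writable (report: ...\AppData\Roaming\NaBFSpgH.exe)
  2. schtasks /Create whose /XML task definition sits in %TEMP%
     (report: /TN "Updates\NaBFSpgH" /XML ...\Temp\tmp8DAF.tmp)
  3. an image name with a document-style double extension ending in .exe
     (report: "DHL Delivery Invoice.pdf.exe")
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories any user can write to; an AV exclusion there shields a payload.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.I)


@dataclass
class ProcEvent:
    ppid: int
    pid: int
    parent_image: str
    image: str
    cmdline: str


def win_argv(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole
    and dropping their quotes (sufficient for the command lines in this report)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _value_after(argv: List[str], flag: str) -> Optional[str]:
    """Argument following `flag`, matched case-insensitively, or None."""
    low = [a.lower() for a in argv]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def rule_defender_exclusion(ev: ProcEvent) -> Optional[dict]:
    if not ev.image.lower().endswith("powershell.exe"):
        return None
    argv = win_argv(ev.cmdline)
    if "add-mppreference" not in [a.lower() for a in argv]:
        return None
    for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
        value = _value_after(argv, flag)
        if value is not None:
            severity = "high" if USER_WRITABLE.search(value) else "low"
            return {"rule": "defender_exclusion", "pid": ev.pid,
                    "severity": severity, "detail": f"{flag} {value}"}
    return None


def rule_scheduled_task_from_temp(ev: ProcEvent) -> Optional[dict]:
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    argv = win_argv(ev.cmdline)
    if "/create" not in [a.lower() for a in argv]:
        return None
    xml = _value_after(argv, "/XML")
    if xml and TEMP_DIR.search(xml):
        return {"rule": "scheduled_task_from_temp", "pid": ev.pid, "severity": "high",
                "detail": f"/TN {_value_after(argv, '/TN')} /XML {xml}"}
    return None


def rule_double_extension(ev: ProcEvent) -> Optional[dict]:
    # Check the parent too: the dropper is the parent of every child in the report.
    for pid, image in ((ev.ppid, ev.parent_image), (ev.pid, ev.image)):
        name = image.rsplit("\\", 1)[-1]
        if DOUBLE_EXT.search(name):
            return {"rule": "double_extension_image", "pid": pid,
                    "severity": "medium", "detail": name}
    return None


RULES = (rule_defender_exclusion, rule_scheduled_task_from_temp, rule_double_extension)


def triage(events: List[ProcEvent]) -> List[dict]:
    """Run every rule over every event, reporting each (rule, pid) once."""
    seen, findings = set(), []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f and (f["rule"], f["pid"]) not in seen:
                seen.add((f["rule"], f["pid"]))
                findings.append(f)
    return findings


# Constructed from the report's process tree (PIDs from the signature tables),
# plus a benign control: an administrator excluding a server data directory.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.pdf.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(1116, 1928, DROPPER, PS_IMAGE,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NaBFSpgH.exe"'),
    ProcEvent(1116, 1292, DROPPER, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaBFSpgH" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp"'),
    ProcEvent(1116, 600, DROPPER, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 964"),
    ProcEvent(4000, 4100, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "D:\SQLData"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] pid {f['pid']:<5} {f['rule']}: {f['detail']}")
```

The WerFault child produces no finding, the dropper is reported once as a double-extension image even though it is the parent of three records, and the control exclusion for D:\SQLData is kept at low severity so that the user-writable case from the report stands out.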
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp (task definition passed to schtasks.exe /XML)
  MD5: 215ad50ca8204eabf6a0999d50527adc
  SHA1: 3ce71c708bcd8f50ae89ba1786419575f19cedd3
  SHA256: 33e717348ff31adf533a4bcef0da81ff4b94bc10b06d20a22e1b0d6d1de3b4db
  SHA512: 7e5c28dbd1053b9d90a13facbd8b1153a8f2f6efe60d66562325453a36019c4b8523ebda6bc7c1821a4e0f8c91c5aff999222f313766db9db1b4ae52a9ceaf17
- memory/1116-55-0x00000000003E0000-0x00000000003E1000-memory.dmp (4KB)
- memory/1116-57-0x0000000076231000-0x0000000076233000-memory.dmp (8KB)
- memory/1116-58-0x0000000004A90000-0x0000000004A91000-memory.dmp (4KB)
- memory/1116-59-0x0000000004730000-0x00000000047A6000-memory.dmp (472KB)
- memory/1116-60-0x0000000000380000-0x0000000000386000-memory.dmp (24KB)
- memory/1116-61-0x00000000054B0000-0x0000000005519000-memory.dmp (420KB)
- memory/1292-63-0x0000000000000000-mapping.dmp
- memory/1928-62-0x0000000000000000-mapping.dmp
- memory/1928-67-0x00000000023D0000-0x000000000301A000-memory.dmp (12.3MB)
- memory/1928-68-0x00000000023D0000-0x000000000301A000-memory.dmp (12.3MB)
- memory/1928-69-0x00000000023D0000-0x000000000301A000-memory.dmp (12.3MB)
- memory/600-66-0x0000000000000000-mapping.dmp
- memory/600-70-0x0000000002340000-0x0000000002341000-memory.dmp (4KB)