DHL Shipment Note.exe

max time kernel122s
max time network124s
platformwindows7_x64
resourcewin7-en-20211208
submitted08-01-2022 07:43

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

267KB

Completed

08-01-2022 07:45

Score

8^/10

MD5

088ef2cfabd6e8b52832f5e358bfff6b

SHA1

4c389ccc2ac9809b315b5ba1b3d3fe3edcf9876d

SHA256

3bdd75cf5a2b26bbf10f298f3071b2d7c7a79b33f880eb3f26c3276baceaac1f

Downloads MZ/PE file
Executes dropped EXE
9chv9cY5sXnVML6d.exe

Reported IOCs

pid process

1664 9chv9cY5sXnVML6d.exe
Loads dropped DLL
aspnet_compiler.exe

Reported IOCs

pid process

1592 aspnet_compiler.exe
1592 aspnet_compiler.exe
1592 aspnet_compiler.exe
1592 aspnet_compiler.exe
Suspicious use of SetThreadContext
DHL Shipment Note.exe

Reported IOCs

description pid process target process

PID 1668 set thread context of 1592 1668 DHL Shipment Note.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses
9chv9cY5sXnVML6d.exe

Reported IOCs

pid process

1664 9chv9cY5sXnVML6d.exe
1664 9chv9cY5sXnVML6d.exe
Suspicious use of AdjustPrivilegeToken
DHL Shipment Note.exe9chv9cY5sXnVML6d.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1668 DHL Shipment Note.exe
Token: SeDebugPrivilege 1664 9chv9cY5sXnVML6d.exe

pid	process
1664	9chv9cY5sXnVML6d.exe

pid	process
1592	aspnet_compiler.exe
1592	aspnet_compiler.exe
1592	aspnet_compiler.exe
1592	aspnet_compiler.exe

description	pid	process	target process
PID 1668 set thread context of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe

pid	process
1664	9chv9cY5sXnVML6d.exe
1664	9chv9cY5sXnVML6d.exe

description	pid	process
Token: SeDebugPrivilege	1668	DHL Shipment Note.exe
Token: SeDebugPrivilege	1664	9chv9cY5sXnVML6d.exe

Suspicious use of WriteProcessMemory

DHL Shipment Note.exeaspnet_compiler.exe9chv9cY5sXnVML6d.exe

Reported IOCs

description	pid	process	target process
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\DHL Shipment Note.exe

"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Note.exe"

Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1592

C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe

"C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe"

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

PID:532

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
memory/1592-64-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-62-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-63-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-61-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-65-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-60-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-67-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-68-0x000000000040AE9E-mapping.dmp

Download
memory/1592-69-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Download
memory/1592-70-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1592-66-0x0000000000400000-0x000000000043F000-memory.dmp

Download
memory/1664-81-0x000000001B8D0000-0x000000001BABE000-memory.dmp

Download
memory/1664-78-0x0000000001290000-0x0000000001482000-memory.dmp

Download
memory/1664-79-0x0000000001290000-0x0000000001482000-memory.dmp

Download
memory/1664-75-0x0000000000000000-mapping.dmp

Download
memory/1664-80-0x000000001B400000-0x000000001B402000-memory.dmp

Download
memory/1664-82-0x0000000000140000-0x000000000014E000-memory.dmp

Download
memory/1668-59-0x0000000000280000-0x000000000028E000-memory.dmp

Download
memory/1668-58-0x000000001B100000-0x000000001B102000-memory.dmp

Download
memory/1668-57-0x0000000000240000-0x0000000000280000-memory.dmp

Download
memory/1668-56-0x00000000002A0000-0x00000000002E4000-memory.dmp

Download
memory/1668-55-0x00000000002A0000-0x00000000002E4000-memory.dmp

Download

DHL Shipment Note.exe

Filter: none

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title