3bdd75cf5a2b26bbf10f298f3071b2d7c7a79b33f880eb3f26c3276baceaac1f

General

Target

DHL Shipment Note.exe
Size

267KB
MD5

088ef2cfabd6e8b52832f5e358bfff6b
SHA1

4c389ccc2ac9809b315b5ba1b3d3fe3edcf9876d
SHA256

3bdd75cf5a2b26bbf10f298f3071b2d7c7a79b33f880eb3f26c3276baceaac1f
SHA512

0101392d09c48ab7d70582f267dc86d765c77161cfc34ec8cc0ff0a527a46178b4c487a0810a946caab28c4ae6d03cb7134dad0dee13e5563a53135b1c1f992c

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

9chv9cY5sXnVML6d.exe

pid process

1664 9chv9cY5sXnVML6d.exe
Loads dropped DLL 4 IoCs

Processes:

aspnet_compiler.exe

pid process

1592 aspnet_compiler.exe
1592 aspnet_compiler.exe
1592 aspnet_compiler.exe
1592 aspnet_compiler.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL Shipment Note.exe

description pid process target process

PID 1668 set thread context of 1592 1668 DHL Shipment Note.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9chv9cY5sXnVML6d.exe

pid process

1664 9chv9cY5sXnVML6d.exe
1664 9chv9cY5sXnVML6d.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL Shipment Note.exe9chv9cY5sXnVML6d.exe

description pid process

Token: SeDebugPrivilege 1668 DHL Shipment Note.exe
Token: SeDebugPrivilege 1664 9chv9cY5sXnVML6d.exe

pid	process
1664	9chv9cY5sXnVML6d.exe

pid	process
1592	aspnet_compiler.exe
1592	aspnet_compiler.exe
1592	aspnet_compiler.exe
1592	aspnet_compiler.exe

description	pid	process	target process
PID 1668 set thread context of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe

pid	process
1664	9chv9cY5sXnVML6d.exe
1664	9chv9cY5sXnVML6d.exe

description	pid	process
Token: SeDebugPrivilege	1668	DHL Shipment Note.exe
Token: SeDebugPrivilege	1664	9chv9cY5sXnVML6d.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

DHL Shipment Note.exeaspnet_compiler.exe9chv9cY5sXnVML6d.exe

description	pid	process	target process
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1668 wrote to memory of 1592	1668	DHL Shipment Note.exe	aspnet_compiler.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1592 wrote to memory of 1664	1592	aspnet_compiler.exe	9chv9cY5sXnVML6d.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 532	1664	9chv9cY5sXnVML6d.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\DHL Shipment Note.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Note.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
"C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
\Users\Admin\AppData\Local\Temp\9chv9cY5sXnVML6d.exe
MD5
a65b75567794b4d9f2558c672bd07dd5

SHA1
e217c9fde4b32680a11adf2200e673519f595bd3

SHA256
cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

SHA512
4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Download Submit
memory/1592-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-68-0x000000000040AE9E-mapping.dmp

Download
memory/1592-69-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1592-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-75-0x0000000000000000-mapping.dmp

Download
memory/1664-78-0x0000000001290000-0x0000000001482000-memory.dmp

Filesize
1.9MB

Download
memory/1664-79-0x0000000001290000-0x0000000001482000-memory.dmp

Filesize
1.9MB

Download
memory/1664-80-0x000000001B400000-0x000000001B402000-memory.dmp

Filesize
8KB

Download
memory/1664-81-0x000000001B8D0000-0x000000001BABE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-82-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/1668-55-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1668-59-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1668-58-0x000000001B100000-0x000000001B102000-memory.dmp

Filesize
8KB

Download
memory/1668-57-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/1668-56-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads