Analysis
max time kernel: 167s
max time network: 174s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26-01-2022 16:32
Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipment Doc.exe
Resource: win7-en-20211208
General
Target: DHL Shipment Doc.exe
Size: 817KB
MD5: 53af702f438bffc2adb85ae9f5b8c879
SHA1: e6aae502e5ea273f1367efd874bf44745d409549
SHA256: 95ebd87f0d2e1ef1fdbf4e35290a0e9deb65b021acf657e396e960142e80eedb
SHA512: 4e67eaaff0c8c2297b2f31040debf32b74048aa7deb8bb9498368d19966108400c12592b55e0a29bd173271b6b8d120fac5b2d1096cf318cf7edcba1527e1283
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: how6
Decoy domains:
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4468-126-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/4468-129-0x0000000001070000-0x000000000120B000-memory.dmp | xloader
  behavioral2/memory/4364-132-0x0000000002C30000-0x0000000002C59000-memory.dmp | xloader
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 3668 set thread context of 4468 | 3668 | DHL Shipment Doc.exe | DHL Shipment Doc.exe
  PID 4468 set thread context of 372 | 4468 | DHL Shipment Doc.exe | Explorer.EXE
  PID 4364 set thread context of 372 | 4364 | NETSTAT.EXE | Explorer.EXE
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid | process
  4364 | NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | process
  4468 | DHL Shipment Doc.exe (4 entries)
  4364 | NETSTAT.EXE (40 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  372 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  4468 | DHL Shipment Doc.exe (3 entries)
  4364 | NETSTAT.EXE (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4468 | DHL Shipment Doc.exe
  Token: SeDebugPrivilege | 4364 | NETSTAT.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 3668 wrote to memory of 4468 | 3668 | DHL Shipment Doc.exe | DHL Shipment Doc.exe (6 entries)
  PID 372 wrote to memory of 4364 | 372 | Explorer.EXE | NETSTAT.EXE (3 entries)
  PID 4364 wrote to memory of 736 | 4364 | NETSTAT.EXE | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autoconv.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  - C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Doc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | file size
memory/372-130-0x0000000005A10000-0x0000000005B42000-memory.dmp | 1.2MB
memory/372-135-0x0000000005B50000-0x0000000005C59000-memory.dmp | 1.0MB
memory/3668-119-0x0000000005760000-0x0000000005C5E000-memory.dmp | 5.0MB
memory/3668-120-0x0000000005260000-0x00000000052F2000-memory.dmp | 584KB
memory/3668-121-0x0000000005240000-0x000000000524A000-memory.dmp | 40KB
memory/3668-122-0x0000000005260000-0x000000000575E000-memory.dmp | 5.0MB
memory/3668-123-0x0000000005750000-0x000000000575C000-memory.dmp | 48KB
memory/3668-124-0x0000000007A90000-0x0000000007B2C000-memory.dmp | 624KB
memory/3668-125-0x0000000007B30000-0x0000000007B92000-memory.dmp | 392KB
memory/3668-118-0x0000000000860000-0x0000000000934000-memory.dmp | 848KB
memory/4364-131-0x0000000000C10000-0x0000000000C1B000-memory.dmp | 44KB
memory/4364-132-0x0000000002C30000-0x0000000002C59000-memory.dmp | 164KB
memory/4364-133-0x0000000003750000-0x0000000003A70000-memory.dmp | 3.1MB
memory/4364-134-0x0000000003410000-0x00000000035A2000-memory.dmp | 1.6MB
memory/4468-129-0x0000000001070000-0x000000000120B000-memory.dmp | 1.6MB
memory/4468-128-0x00000000014B0000-0x00000000017D0000-memory.dmp | 3.1MB
memory/4468-126-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB