Analysis
- max time kernel: 154s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 27-01-2022 13:11
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Express.exe
- Resource: win7-en-20211208
General
- Target: DHL Express.exe
- Size: 248KB
- MD5: bba45c96ad4627c4c0b1f25fb7a23c7a
- SHA1: 6f9c219a08aca7c57f6add9d8a730be6178713c6
- SHA256: d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8
- SHA512: 4b823ce229d01060b72ea7ace20d81c9be83462af38c29fad0de9ae493c4db18ae2dbaa53cbb32086082b83246d6467a4a7c81bebf016bdd00c303aaa44a0e31
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: 3a4h
- Decoy domains:
mohamedmansour.net
asap.green
influxair.com
45mpt.xyz
cablerailingdesign.com
salesdisrupter.com
cxfarms.com
enerconfederal.com
pl1x.top
nyoz.top
fitnesz.website
minimi36.com
borealiselectricalrepair.com
miskalqurashi.com
importacionesdelfuturo.com
cigfinanacial.com
luxamata.xyz
digicoin724.com
gozabank.com
tribal-treasures.com
hose.center
myzipe.com
cqi2zp.biz
prodello.com
faciso.com
budgethoortoestellen.info
toddlyonsfishing.com
phhmrotgage.com
wcf888.xyz
paypal-caseid194.com
bobstranz.com
aerthlabel.com
echotrailliving.com
dysmict.com
ijoimr.com
excellentcreation.store
at-commercial-co.com
aeczpx99pxgd.biz
khuj1.com
reactivephysiorehab.com
trup.club
barber-king.online
shippingcontainerhomeus.com
sumanita.network
alyssaandrobert2022.com
greatamericanlandworks.com
fortlauderdalepartyboats.com
lqmrfw.com
industrionaires.com
potholepatrol.club
lagardeningsolutions.com
bigceme3.com
rebuildgomnmf.xyz
chimneysweepdetroit.com
tucochepordinero.com
companyintel.systems
xn--snabbtkrkortonline-j3b.com
fermentvmkwjm.online
cnywocean.com
tadrosmortgages.com
healthylifefit.com
smartcapitalpay.online
hiratasistemaseassociados.com
nowidza.com
oshirohego.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload 2 IoCs
  Processes (resource / yara_rule):
    behavioral1/memory/1096-56-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/800-62-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
- Deletes itself 1 IoCs
  Processes (pid / process):
    1508  cmd.exe
- Loads dropped DLL 1 IoCs
  Processes (pid / process):
    1088  DHL Express.exe
- Suspicious use of SetThreadContext 3 IoCs
  Processes (description / pid / process / target process):
    PID 1088 set thread context of 1096  1088  DHL Express.exe  DHL Express.exe
    PID 1096 set thread context of 1248  1096  DHL Express.exe  Explorer.EXE
    PID 800 set thread context of 1248   800   help.exe         Explorer.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 31 IoCs
  Processes (pid / process):
    1096  DHL Express.exe (2 entries)
    800   help.exe (29 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (pid / process):
    1248  Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
  Processes (pid / process):
    1096  DHL Express.exe (3 entries)
    800   help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1096  DHL Express.exe
    Token: SeDebugPrivilege  800   help.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes (pid / process):
    1248  Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage 2 IoCs
  Processes (pid / process):
    1248  Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory 15 IoCs
  Processes (description / pid / process / target process):
    PID 1088 wrote to memory of 1096  1088  DHL Express.exe  DHL Express.exe  (7 entries)
    PID 1248 wrote to memory of 800   1248  Explorer.EXE     help.exe         (4 entries)
    PID 800 wrote to memory of 1508   800   help.exe         cmd.exe          (4 entries)
Processes
- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\DHL Express.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\DHL Express.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
      - Deletes itself
Downloads
- \Users\Admin\AppData\Local\Temp\nsdFC99.tmp\arsuqoaglot.dll
  MD5: 91a0e308489a8497f9fac56ae8b1d917
  SHA1: f9b110e6440c47bc8173b9f841b70f7593d8b030
  SHA256: 89064afbf0ea46077e909aed5eed52181cf79e66c0390c256d769b4162fe4947
  SHA512: df2b4a2a800d098313be1c75e83b0e46213fd269236ea4fc988d4262a5ecc575f7449c24d471f747f6ac0b3e28f0c48958de7629874dbbdce800f33badc1cf0f
- memory/800-61-0x00000000007C0000-0x00000000007C6000-memory.dmp
  Filesize: 24KB
- memory/800-62-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
- memory/800-63-0x0000000000960000-0x0000000000C63000-memory.dmp
  Filesize: 3.0MB
- memory/800-64-0x0000000000400000-0x0000000000951000-memory.dmp
  Filesize: 5.3MB
- memory/1088-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB
- memory/1096-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1096-58-0x0000000000930000-0x0000000000C33000-memory.dmp
  Filesize: 3.0MB
- memory/1096-59-0x0000000000370000-0x0000000000381000-memory.dmp
  Filesize: 68KB
- memory/1248-60-0x00000000061F0000-0x00000000062FB000-memory.dmp
  Filesize: 1.0MB
- memory/1248-65-0x00000000073D0000-0x00000000074DC000-memory.dmp
  Filesize: 1.0MB