Analysis

Max time kernel: 158s
Max time network: 158s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 27-01-2022 13:11
Tasks
Static task: static1
Behavioral task: behavioral1 (sample: DHL Express.exe, resource: win7-en-20211208)
General

Target: DHL Express.exe
Size: 248KB
MD5: bba45c96ad4627c4c0b1f25fb7a23c7a
SHA1: 6f9c219a08aca7c57f6add9d8a730be6178713c6
SHA256: d80690916721f1f23e0c913d3f6c71428464e8141a49763c75e450ef21d984e8
SHA512: 4b823ce229d01060b72ea7ace20d81c9be83462af38c29fad0de9ae493c4db18ae2dbaa53cbb32086082b83246d6467a4a7c81bebf016bdd00c303aaa44a0e31
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: 3a4h
C2 / decoy domains (65):
mohamedmansour.net
asap.green
influxair.com
45mpt.xyz
cablerailingdesign.com
salesdisrupter.com
cxfarms.com
enerconfederal.com
pl1x.top
nyoz.top
fitnesz.website
minimi36.com
borealiselectricalrepair.com
miskalqurashi.com
importacionesdelfuturo.com
cigfinanacial.com
luxamata.xyz
digicoin724.com
gozabank.com
tribal-treasures.com
hose.center
myzipe.com
cqi2zp.biz
prodello.com
faciso.com
budgethoortoestellen.info
toddlyonsfishing.com
phhmrotgage.com
wcf888.xyz
paypal-caseid194.com
bobstranz.com
aerthlabel.com
echotrailliving.com
dysmict.com
ijoimr.com
excellentcreation.store
at-commercial-co.com
aeczpx99pxgd.biz
khuj1.com
reactivephysiorehab.com
trup.club
barber-king.online
shippingcontainerhomeus.com
sumanita.network
alyssaandrobert2022.com
greatamericanlandworks.com
fortlauderdalepartyboats.com
lqmrfw.com
industrionaires.com
potholepatrol.club
lagardeningsolutions.com
bigceme3.com
rebuildgomnmf.xyz
chimneysweepdetroit.com
tucochepordinero.com
companyintel.systems
xn--snabbtkrkortonline-j3b.com
fermentvmkwjm.online
cnywocean.com
tadrosmortgages.com
healthylifefit.com
smartcapitalpay.online
hiratasistemaseassociados.com
nowidza.com
oshirohego.com
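Xloader (FormBook) configs list decoy domains alongside the real panel, and the bot beacons to several of them per cycle, so the config alone does not say which of the 65 names above is the live C2; treat the whole list as hunting IoCs and expect some entries to be unrelated or parked sites. The Python below is an added example, not part of the sandbox report: it copies the domain list from the config block, normalises it (case, trailing dots, punycode), emits one Suricata DNS-query rule per domain and matches resolver log names against the list. The sid base and the sample query names are constructed for illustration.

```python
"""Hunting artifacts from the Xloader config extracted above (family xloader,
version 2.5, campaign 3a4h). Added example, not part of the sandbox report.
DOMAINS_RAW is copied from the Malware Config block; SID_BASE and the DNS
log names in SAMPLE_QUERIES are constructed for illustration."""
import re
from typing import Dict, List

FAMILY, VERSION, CAMPAIGN = "xloader", "2.5", "3a4h"
SID_BASE = 9000000  # assumption: replace with a sid range you actually own

DOMAINS_RAW = """
mohamedmansour.net asap.green influxair.com 45mpt.xyz cablerailingdesign.com
salesdisrupter.com cxfarms.com enerconfederal.com pl1x.top nyoz.top
fitnesz.website minimi36.com borealiselectricalrepair.com miskalqurashi.com
importacionesdelfuturo.com cigfinanacial.com luxamata.xyz digicoin724.com
gozabank.com tribal-treasures.com hose.center myzipe.com cqi2zp.biz
prodello.com faciso.com budgethoortoestellen.info toddlyonsfishing.com
phhmrotgage.com wcf888.xyz paypal-caseid194.com bobstranz.com aerthlabel.com
echotrailliving.com dysmict.com ijoimr.com excellentcreation.store
at-commercial-co.com aeczpx99pxgd.biz khuj1.com reactivephysiorehab.com
trup.club barber-king.online shippingcontainerhomeus.com sumanita.network
alyssaandrobert2022.com greatamericanlandworks.com fortlauderdalepartyboats.com
lqmrfw.com industrionaires.com potholepatrol.club lagardeningsolutions.com
bigceme3.com rebuildgomnmf.xyz chimneysweepdetroit.com tucochepordinero.com
companyintel.systems xn--snabbtkrkortonline-j3b.com fermentvmkwjm.online
cnywocean.com tadrosmortgages.com healthylifefit.com smartcapitalpay.online
hiratasistemaseassociados.com nowidza.com oshirohego.com
"""

# Hostname: dotted labels of letters, digits and hyphens, TLD of 2+ chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and turn Unicode labels into their xn--
    form so that config entries and resolver log names compare byte for byte."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def parse_domains(raw: str) -> List[str]:
    """Whitespace-separated list -> normalised, validated, deduplicated, ordered."""
    seen: Dict[str, None] = {}
    for tok in raw.split():
        d = normalize(tok)
        if DOMAIN_RE.match(d):
            seen.setdefault(d, None)
    return list(seen)


def to_unicode(domain: str) -> str:
    """Display form of a possibly punycoded domain (stdlib idna codec)."""
    return domain.encode("ascii").decode("idna")


def suricata_dns_rules(domains: List[str], sid_base: int = SID_BASE) -> List[str]:
    """One DNS-query rule per domain. dotprefix + endswith matches the domain
    and its subdomains but not look-alikes such as notasap.green."""
    tmpl = ('alert dns $HOME_NET any -> any any (msg:"{f} {v} {c} DNS lookup {d}"; '
            'dns.query; dotprefix; content:".{d}"; nocase; endswith; '
            'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return [tmpl.format(f=FAMILY, v=VERSION, c=CAMPAIGN, d=d, sid=sid_base + i)
            for i, d in enumerate(domains)]


def match_queries(domains: List[str], queried: List[str]) -> Dict[str, str]:
    """Map each queried name to the config domain it equals or sits under."""
    suffixes = {"." + d: d for d in domains}
    hits: Dict[str, str] = {}
    for q in queried:
        qn = "." + normalize(q)
        for suf, d in suffixes.items():
            if qn.endswith(suf):
                hits[q] = d
                break
    return hits


# Constructed resolver log names (not from the report):
SAMPLE_QUERIES = [
    "www.paypal-caseid194.com",   # subdomain of a config entry -> hit
    "paypal.com",                 # the impersonated brand, must not match
    "ASAP.green.",                # case and trailing dot are normalised -> hit
    "notasap.green",              # shares a suffix only, must not match
    "snabbtkörkortonline.com",    # Unicode form of the xn-- entry -> hit
]

if __name__ == "__main__":
    doms = parse_domains(DOMAINS_RAW)
    print(f"{len(doms)} domains, e.g. {to_unicode(doms[56])}")
    print(suricata_dns_rules(doms)[0])
    print(match_queries(doms, SAMPLE_QUERIES))
```

The matcher prefixes both sides with a dot before the suffix comparison for the same reason the Suricata rule uses dotprefix: a bare endswith on "asap.green" would also fire on "notasap.green".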
Signatures

Suricata alerts
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (2 IoCs)
  Resource                                                                       YARA rule
  behavioral2/memory/1804-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/2164-122-0x0000000004D70000-0x0000000004D99000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
  PID   Process
  2564  DHL Express.exe

Suspicious use of SetThreadContext (3 IoCs)
  Description                          PID   Process          Target process
  PID 2564 set thread context of 1804  2564  DHL Express.exe  DHL Express.exe
  PID 1804 set thread context of 3040  1804  DHL Express.exe  Explorer.EXE
  PID 2164 set thread context of 3040  2164  chkdsk.exe       Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic sandbox heuristic: this report shows no file encryption or ransom-note activity, and the extracted config identifies the Xloader stealer family, so the drive enumeration is not evidence of ransomware.)

Enumerates system info in registry (2 TTPs, 1 IoC)
  Description        IoC                                                       Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  PID   Process          Occurrences
  1804  DHL Express.exe  4
  2164  chkdsk.exe       54

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  3040  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID   Process          Occurrences
  1804  DHL Express.exe  3
  2164  chkdsk.exe       2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1804  DHL Express.exe
  Token: SeDebugPrivilege  2164  chkdsk.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                      PID   Process          Target process   Occurrences
  PID 2564 wrote to memory of 1804  2564  DHL Express.exe  DHL Express.exe  6
  PID 3040 wrote to memory of 2164  3040  Explorer.EXE     chkdsk.exe       3
  PID 2164 wrote to memory of 3028  2164  chkdsk.exe       cmd.exe          3
Processes

(PIDs taken from the signature tables above; depth shows parent/child relationship)

C:\Windows\Explorer.EXE  (PID 3040)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL Express.exe  (PID 2564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DHL Express.exe  (PID 1804)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\chkdsk.exe  (PID 2164)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3028)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
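Read together, the SetThreadContext and WriteProcessMemory tables and the process tree give the usual Xloader/FormBook execution chain: the dropper (PID 2564) starts a second copy of itself (1804) and hollows it, the hollowed copy injects into Explorer.EXE (3040), Explorer is then used to launch a 32-bit system binary (chkdsk.exe, 2164) that receives the payload and sets thread context back on Explorer, and chkdsk.exe finally spawns cmd.exe (3028) to delete the original sample. The two YARA hits are the same 0x29000-byte payload in both places: at 0x400000, the default image base of a 32-bit executable, inside the hollowed DHL Express.exe, and at 0x4D70000, a private allocation, inside chkdsk.exe. The Python below is an added example, not part of the report; it rebuilds the chain from the report's own table rows and derives those region facts. The step labels are this example's interpretation.

```python
"""Reconstruct the injection chain and payload regions from the signature
tables and process tree above. Added example, not part of the sandbox
report: the input strings are the report's own table rows, the step labels
are this example's interpretation."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Rows copied from the SetThreadContext / WriteProcessMemory tables.
SET_THREAD_CONTEXT = (
    "PID 2564 set thread context of 1804 2564 DHL Express.exe DHL Express.exe "
    "PID 1804 set thread context of 3040 1804 DHL Express.exe Explorer.EXE "
    "PID 2164 set thread context of 3040 2164 chkdsk.exe Explorer.EXE"
)
WRITE_PROCESS_MEMORY = (
    "PID 2564 wrote to memory of 1804 2564 DHL Express.exe DHL Express.exe " * 6
    + "PID 3040 wrote to memory of 2164 3040 Explorer.EXE chkdsk.exe " * 3
    + "PID 2164 wrote to memory of 3028 2164 chkdsk.exe cmd.exe " * 3
)
XLOADER_YARA = (
    "behavioral2/memory/1804-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader "
    "behavioral2/memory/2164-122-0x0000000004D70000-0x0000000004D99000-memory.dmp xloader"
)
# Sample path and the cmd.exe command line, from the process tree.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"
CMDLINES = {3028: r'/c del "C:\Users\Admin\AppData\Local\Temp\DHL Express.exe"'}

ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ "
    r"(.+?\.exe) (.+?\.exe)", re.IGNORECASE)
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)")


class Edge(NamedTuple):
    op: str
    src_pid: int
    src: str
    dst_pid: int
    dst: str


class Region(NamedTuple):
    pid: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_edges(*tables: str) -> List[Edge]:
    """Split the flattened rows back into (operation, source, target) edges."""
    edges = []
    for table in tables:
        for m in ROW_RE.finditer(table):
            op = "SetThreadContext" if m.group(2).lower().startswith("set") else "WriteProcessMemory"
            edges.append(Edge(op, int(m.group(1)), m.group(4), int(m.group(3)), m.group(5)))
    return edges


def parse_regions(table: str) -> List[Region]:
    """Pull PID, start, end and rule name out of the YARA-matched dump names."""
    return [Region(int(p), int(s, 16), int(e, 16), r) for p, s, e, r in DUMP_RE.findall(table)]


def classify(edges: List[Edge]) -> Dict[str, object]:
    """Label the chain: a copy of the dropper hollowed by its parent, injection
    into Explorer, a system tool written by Explorer that then sets thread
    context on Explorer, and a child whose command line deletes the dropper."""
    stc = [e for e in edges if e.op == "SetThreadContext"]
    wpm = Counter((e.src_pid, e.dst_pid) for e in edges if e.op == "WriteProcessMemory")
    hollowed = [(e.src_pid, e.dst_pid) for e in stc
                if e.src.lower() == e.dst.lower() and e.src_pid != e.dst_pid]
    explorer = [e for e in stc if e.dst.lower() == "explorer.exe"]
    migrated = sorted({e.src_pid for e in explorer if (e.dst_pid, e.src_pid) in wpm})
    deleters = sorted({d for (s, d) in wpm
                       if SAMPLE_PATH.lower() in CMDLINES.get(d, "").lower()
                       and "del " in CMDLINES.get(d, "").lower()})
    return {
        "hollowed_self": hollowed,
        "explorer_injectors": sorted({e.src_pid for e in explorer}),
        "explorer_spawned_and_injected": migrated,
        "sample_deleted_via": deleters,
        "wpm_counts": dict(wpm),
    }


def region_notes(regions: List[Region]) -> Dict[int, str]:
    """0x400000 is the default image base of a 32-bit EXE, so a match there is
    the hollowed main module; a match far above it inside a system process is a
    private allocation holding injected code."""
    return {r.pid: ("hollowed image at default base" if r.start == 0x400000
                    else "injected private allocation") for r in regions}


if __name__ == "__main__":
    for k, v in classify(parse_edges(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)).items():
        print(f"{k}: {v}")
    for r in parse_regions(XLOADER_YARA):
        print(f"PID {r.pid}: {r.rule} at {r.start:#x}, {r.size // 1024} KB, "
              f"{region_notes([r])[r.pid]}")
```

The same parse-and-classify logic applies to any report in this layout; the hollowing check (parent sets thread context on a child with the same image name) and the Explorer round-trip check (Explorer writes into a process that later sets thread context on Explorer) are the two relations worth alerting on in EDR telemetry as well.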
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsxE32F.tmp\arsuqoaglot.dll
  (ns*.tmp is the temporary directory pattern used by NSIS installers; this is the dropped DLL loaded by PID 2564)
  MD5: 91a0e308489a8497f9fac56ae8b1d917
  SHA1: f9b110e6440c47bc8173b9f841b70f7593d8b030
  SHA256: 89064afbf0ea46077e909aed5eed52181cf79e66c0390c256d769b4162fe4947
  SHA512: df2b4a2a800d098313be1c75e83b0e46213fd269236ea4fc988d4262a5ecc575f7449c24d471f747f6ac0b3e28f0c48958de7629874dbbdce800f33badc1cf0f

Memory dumps
  Dump                                                               Filesize
  memory/1804-116-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
  memory/1804-118-0x0000000000A40000-0x0000000000D60000-memory.dmp  3.1MB
  memory/1804-120-0x00000000004E0000-0x0000000000626000-memory.dmp  1.3MB
  memory/2164-121-0x0000000000D60000-0x0000000000D6A000-memory.dmp  40KB
  memory/2164-122-0x0000000004D70000-0x0000000004D99000-memory.dmp  164KB
  memory/2164-123-0x00000000056A0000-0x00000000059C0000-memory.dmp  3.1MB
  memory/2164-124-0x0000000005370000-0x000000000569A000-memory.dmp  3.2MB
  memory/3040-119-0x0000000004C20000-0x0000000004DBC000-memory.dmp  1.6MB
  memory/3040-125-0x0000000004DC0000-0x0000000004ECC000-memory.dmp  1.0MB