Analysis
- max time kernel: 153s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 31-01-2022 15:24
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Delivery Documents.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: DHL Delivery Documents.exe
- Resource: win10v2004-en-20220112
General
- Target: DHL Delivery Documents.exe
- Size: 78KB
- MD5: 94743aae8b0eb58bf9849035dc640b3c
- SHA1: 089f398df4eb9cf0511038cff177ecd3fbc9715c
- SHA256: b34bc888551b9a603edf76a356a4c0fc290fac420d3c6df0decd0916970bfb9b
- SHA512: 23b72e99ec9ad81a97d3b4902c020c7f27b3b156ca81bc5c818f9ecd88b40f6cfb3b9b436511e952de31a9c7841cf80e9019c0ad2a54d075ba5f1bf7e9e562b0
Malware Config
Extracted:
- xloader
- 2.5
- zqzw
Signatures
- Xloader Payload (2 IoCs)
  resource / yara_rule:
  - behavioral2/memory/320-132-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  - behavioral2/memory/2596-155-0x0000000002B60000-0x0000000002B89000-memory.dmp: xloader
- Sets service image path in registry (2 TTPs)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: DHL Delivery Documents.exe, aspnet_compiler.exe, WWAHost.exe
  - PID 3504 (DHL Delivery Documents.exe) set thread context of PID 320 (aspnet_compiler.exe)
  - PID 320 (aspnet_compiler.exe) set thread context of PID 2440 (Explorer.EXE)
  - PID 2596 (WWAHost.exe) set thread context of PID 2440 (Explorer.EXE)
- Modifies data under HKEY_USERS (41 IoCs)
  Processes: WaaSMedicAgent.exe (keys created under \REGISTRY\USER\.DEFAULT\Software\...\SystemCertificates\...)
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes: aspnet_compiler.exe (PID 320, 4 events), WWAHost.exe (PID 2596, 54 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE (PID 2440)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: aspnet_compiler.exe (PID 320, 3 events), WWAHost.exe (PID 2596, 2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: DHL Delivery Documents.exe, aspnet_compiler.exe, WWAHost.exe
  - Token: SeDebugPrivilege, PID 3504 (DHL Delivery Documents.exe)
  - Token: SeDebugPrivilege, PID 320 (aspnet_compiler.exe)
  - Token: SeDebugPrivilege, PID 2596 (WWAHost.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: DHL Delivery Documents.exe, Explorer.EXE, WWAHost.exe
  - PID 3504 (DHL Delivery Documents.exe) wrote to memory of PID 320 (aspnet_compiler.exe), 6 events
  - PID 2440 (Explorer.EXE) wrote to memory of PID 2596 (WWAHost.exe), 3 events
  - PID 2596 (WWAHost.exe) wrote to memory of PID 2912 (cmd.exe), 3 events
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL Delivery Documents.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Documents.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WWAHost.exe
    Command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe f87852be5b1160b56a8734c3ced8b7ac SQSLfwJpYki1XtwICMDPjw.0.1.0.0.0
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/320-132-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/320-134-0x0000000001030000-0x00000000017DA000-memory.dmp (7.7MB)
- memory/320-135-0x0000000001030000-0x00000000017DA000-memory.dmp (7.7MB)
- memory/2440-136-0x0000000007CA0000-0x0000000007D75000-memory.dmp (852KB)
- memory/2440-225-0x0000000007D80000-0x0000000007E32000-memory.dmp (712KB)
- memory/2596-155-0x0000000002B60000-0x0000000002B89000-memory.dmp (164KB)
- memory/2596-153-0x0000000000700000-0x00000000007DC000-memory.dmp (880KB)
- memory/2596-158-0x0000000003D80000-0x00000000040CA000-memory.dmp (3.3MB)
- memory/2596-224-0x0000000003AB0000-0x0000000003B40000-memory.dmp (576KB)
- memory/3504-130-0x0000000000D10000-0x0000000000D28000-memory.dmp (96KB)
- memory/3504-131-0x000000001DEC0000-0x000000001DEC2000-memory.dmp (8KB)