Analysis
max time kernel: 156s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 16-02-2022 18:34

Static task: static1
Behavioral task: behavioral1
Sample: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Resource: win7-en-20211208

General
Target: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Size: 30KB
MD5: c2ed847cba51543076504a7150261f22
SHA1: 93e063e8f777b42cab7f7ed8fa45a2397942dead
SHA256: dfe742ea984310b86ce1d553b87e63f4cdefcf8485b7c860438234377a10a358
SHA512: 4dca34f7a0c0ecf2018de5a0e2ba5a9145cfdac508dafa1f5de5fad4072703f6621587b164a742d094cb557e8cedba5630cd7477fbf355a6311ac457c0cb5670
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: po6r
C2 domains (as extracted; XLoader configs list decoy domains alongside the live C2, so treat each entry as a low-confidence indicator until network telemetry confirms it):
jnhuichuangxin.com
mubashir.art
extol.design
doyyindh.xyz
milanoautoexperts.com
4thefringe.com
453511.com
sellathonautocredit.com
velgian.com
6672pk.com
wodeluzhou.com
sumiyoshiku-hizaita.xyz
imoveldeprimeira.com
dgjssp.com
endokc.com
side-clicks.com
cashndashfinancial.com
vanhemelryck.info
agamitrading.com
woofgang.xyz
atnetworkinc.com
malleshtekumatla.com
com-home.xyz
buildyourmtg.com
viairazur.xyz
drproteaches.com
amaznsavings.com
karencharlestonrealtor.com
bootstrategy.com
mimtgexpert.com
sebzvault.com
brtaclub.com
gicarellc.com
annehonorato.com
rafalgar.com
bergenyouthorchestra.com
entrevistasesenciales.com
thekneedoctors.com
grosseilemireal.estate
celestialdrone.art
bouwdrogerhurenvlaanderen.com
koppakart.com
irishykater.quest
blinglj.com
editorparmindersingh.com
klnhanced.quest
divinebehaviorsolutions.com
amprope.com
futuracart.com
ditrhub.com
eaoeducationprogramme.com
smartplumbing.services
revelandlaceevents.com
bikedh.xyz
pacificdevelopmentstudio.com
palisadesskivacation.com
happy-pets.xyz
killyourselfnigger.com
sonicdrillinginstitute.com
alibabascientific.com
sh-leming.com
aseelrealestate.com
lohmueller.gmbh
ngoccompany.com
healthonline.store
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Set value (str): \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\kellybrown.exe\"," (DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe)
The sample appends an executable under the user's AppData\Local to the per-user Winlogon Shell value, so Winlogon starts kellybrown.exe alongside explorer.exe at every interactive logon of that account. The key sits under the user's SID, not under HKLM, so an audit that only reads the machine-wide Shell value will miss it.

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
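The Winlogon Shell value is a comma-separated list in which quoted entries may contain spaces and commas, so a naive split on "," misparses it. The following is an added example (not sandbox output and not the sample's code) that parses the value the way Winlogon reads it, flags every entry other than the stock explorer.exe, and, on Windows only, walks HKLM and each loaded HKU hive to find the same modification on a live host. The SAMPLE_VALUE string is copied from the IoC above; the user-writable path markers are an assumption about where droppers typically land.

```python
"""Audit the Winlogon "Shell" value for appended entries (added example)."""
import sys

DEFAULT_SHELL = "explorer.exe"

# Assumption: paths containing these fragments are user-writable and therefore
# unusual places for a shell entry to point at.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Value copied from the report's "Modifies WinLogon for persistence" IoC.
SAMPLE_VALUE = 'explorer.exe,"C:\\Users\\Admin\\AppData\\Local\\kellybrown.exe",'


def parse_shell_value(value: str) -> list:
    """Split a Shell value on commas that are outside double quotes.

    Winlogon launches every comma-separated entry; quoted entries may contain
    spaces and commas. Empty entries (a trailing comma, as in the sample) are dropped.
    """
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def suspicious_entries(value: str) -> list:
    """Return every entry that is not the stock explorer.exe (case-insensitive)."""
    return [e for e in parse_shell_value(value) if e.lower() != DEFAULT_SHELL]


def in_user_writable_path(entry: str) -> bool:
    """Heuristic: does the entry live somewhere a standard user can write?"""
    return any(marker in entry.lower() for marker in USER_WRITABLE_MARKERS)


def audit_live_hives() -> dict:
    """On Windows, read Shell from HKLM and every loaded user hive under HKU.

    Returns {hive label: [suspicious entries]}. On other platforms returns {}.
    Assumption: run with enough rights to open other users' hives.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows

    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    targets = [("HKLM", winreg.HKEY_LOCAL_MACHINE, subkey)]
    index = 0
    while True:  # enumerate loaded SIDs under HKEY_USERS
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, index)
        except OSError:
            break
        targets.append((f"HKU\\{sid}", winreg.HKEY_USERS, f"{sid}\\{subkey}"))
        index += 1

    findings = {}
    for label, root, path in targets:
        try:
            with winreg.OpenKey(root, path) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            continue  # key or value absent: nothing to report for this hive
        extra = suspicious_entries(value)
        if extra:
            findings[label] = extra
    return findings


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_VALUE):
        print(f"extra shell entry: {entry} (user-writable path: {in_user_writable_path(entry)})")
    for hive, entries in audit_live_hives().items():
        print(f"{hive}: {entries}")
```

Run as-is to see the sample's value parsed; on a Windows host with administrative rights the same script also reports any live per-user or machine-wide Shell entry beyond explorer.exe.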
-
Xloader Payload (2 IoCs)
resource / yara_rule:
behavioral2/memory/3864-134-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/920-141-0x0000000002E40000-0x0000000002E69000-memory.dmp  xloader
Both regions are 0x29000 bytes (164KB): the same unpacked payload image sits at the image base of the hollowed child (PID 3864) and at a non-image address in cmmon32.exe (PID 920). Either dump is the one to carve the payload from.
Suspicious use of SetThreadContext (3 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, cmmon32.exe
PID 3080 (DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe) set thread context of 3864 (DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe)
PID 3864 (DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe) set thread context of 2436 (Explorer.EXE)
PID 920 (cmmon32.exe) set thread context of 2436 (Explorer.EXE)
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat (svchost.exe)
File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
svchost.exe (Delivery Optimization) and TiWorker.exe (servicing stack) are separate root processes in the process tree, not descendants of the sample; this is Windows Update background activity, not behaviour of the payload.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotifyIcon.exe)
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotifyIcon.exe)
MusNotifyIcon.exe is a Windows Update notification component and a separate root process in the process tree, not a descendant of the sample, so this hit is OS noise rather than sandbox evasion by the payload.
Modifies data under HKEY_USERS (55 IoCs)
Processes: svchost.exe
All entries are written by svchost.exe under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is the NETWORK SERVICE account); paths below are relative to that key.
Set value (int) Usage\DownloadMonthlyInternetBytes = "0"
Set value (int) Usage\DownloadMonthlyGroupBytes = "0"
Set value (int) Usage\UplinkUsageBps = "0"
Set value (str) Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
Set value (int) Usage\LinkLocalConnectionCount = "0"
Set value (int) Usage\DownloadMonthlyCdnBytes = "0"
Key created Settings
Set value (int) Usage\DownloadMonthlyRateFrBps = "0"
Set value (int) Usage\DownloadMonthlyRateBkBps = "1157726"
Set value (int) Usage\CDNConnectionCount = "0"
Key created Config
Set value (int) Usage\DownloadMonthlyRateBkCnt = "4"
Set value (int) Usage\LANConnectionCount = "0"
Set value (int) Usage\UplinkBps = "0"
Set value (int) Usage\MonthID = "1"
Set value (int) Usage\DownlinkUsageBps = "0"
Set value (int) Usage\MemoryUsageKB = "4380"
Set value (int) Usage\UploadMonthlyLanBytes = "0"
Set value (int) Usage\CacheSizeBytes = "0"
Set value (int) Usage\PeerInfoCount = "0"
Set value (int) Usage\InternetConnectionCount = "0"
Set value (str) Usage\CPUpct = "13.332750"
Set value (int) Usage\MemoryUsageKB = "4152"
Set value (int) Usage\DownloadMonthlyLanBytes = "0"
Set value (int) Usage\DownloadMonthlyCacheHostBytes = "0"
Set value (int) Usage\DownlinkBps = "0"
Set value (int) Usage\NormalDownloadCount = "0"
Set value (int) Usage\DownloadMonthlyRateBkCnt = "0"
Key created Usage
Set value (int) Usage\SwarmCount = "1"
Set value (int) Usage\GroupConnectionCount = "0"
Set value (str) Usage\CPUpct = "6.666726"
Set value (int) Usage\DownloadMonthlyRateBkBps = "0"
Set value (int) Usage\SwarmCount = "0"
Set value (int) Config\DODownloadMode = "1"
Set value (int) Usage\FrDownloadRatePct = "90"
Set value (int) Usage\NormalDownloadPendingCount = "0"
Set value (int) Usage\DownloadMonthlyCdnBytes = "90228624"
Set value (int) Usage\UploadRatePct = "100"
Set value (int) Usage\UploadCount = "0"
Set value (str) Usage\CPUpct = "0.000000"
Key created (the DeliveryOptimization key itself)
Set value (int) Usage\PriorityDownloadCount = "0"
Set value (str) Usage\CPUpct = "0.006545"
Set value (int) Config\DownloadMode_BackCompat = "1"
Set value (int) Usage\DownloadMonthlyLinkLocalBytes = "0"
Set value (int) Usage\DownloadMonthlyRateFrCnt = "0"
Set value (int) Usage\MemoryUsageKB = "4068"
Set value (str) Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
Set value (int) Usage\PriorityDownloadPendingCount = "0"
Set value (int) Usage\UploadMonthlyInternetBytes = "0"
Set value (int) Usage\BkDownloadRatePct = "45"
Set value (int) Usage\MonthlyUploadRestriction = "0"
Set value (int) Usage\MonthID = "2"
Set value (int) Config\KVFileExpirationTime = "132896864758800513"
The writer is the "svchost.exe -k NetworkService -p" Delivery Optimization host, a separate root in the process tree; none of these keys are touched by the sample and they carry no indicator value.
Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, cmmon32.exe
pid / process (occurrences):
3080 DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (2)
3864 DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (4)
920 cmmon32.exe (36)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid / process:
2436 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, cmmon32.exe
pid / process (occurrences):
3864 DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (3)
920 cmmon32.exe (2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, TiWorker.exe
Token: SeDebugPrivilege 3080 DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (1)
Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege 2632 TiWorker.exe (63, cycling through the three privileges)
Only the SeDebugPrivilege request by the sample (PID 3080) is attributable to the payload; it is the privilege a process enables before opening processes it does not own and commonly precedes injection. The TiWorker.exe entries are routine servicing-stack activity from a separate root process.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, Explorer.EXE
PID 3080 (DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe) wrote to memory of 3864 (DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe) (6)
PID 2436 (Explorer.EXE) wrote to memory of 920 (cmmon32.exe) (3)
Processes

C:\Windows\Explorer.EXE  (PID 2436)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe  (PID 3080)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
      - Modifies WinLogon for persistence
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe  (PID 3864)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\cmmon32.exe  (PID 920)
      Command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Windows\system32\MusNotifyIcon.exe  (PID 432)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe  (PID 3384)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (PID 2632)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
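Read together, the SetThreadContext and WriteProcessMemory tables and the process tree describe one chain: the sample hollows a child copy of itself (3080 to 3864), that copy injects into Explorer.EXE (3864 to 2436), the injected Explorer spawns and writes into cmmon32.exe (2436 to 920), and cmmon32.exe sets a thread context back in Explorer (920 to 2436). The following is an added example (not sandbox output and not the malware's code) that rebuilds that chain from the report's rows, labels each hop, and separates the malicious hops from a parent merely writing into a child it created, which on its own is normal CreateProcess behaviour. The PID, image and parent tables are transcribed from this page; the hop labels and the system-path heuristic are assumptions of the example.

```python
"""Reconstruct the cross-process injection chain recorded in the report (added example)."""
from collections import defaultdict

# Process images and parent PIDs transcribed from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
IMAGE = {
    2436: r"C:\Windows\Explorer.EXE",
    3080: SAMPLE,
    3864: SAMPLE,
    920: r"C:\Windows\SysWOW64\cmmon32.exe",
}
PARENT = {3080: 2436, 3864: 3080, 920: 2436}

# (api, source pid, target pid): one tuple per row of the SetThreadContext and
# WriteProcessMemory tables above (constructed from the page, counts included).
EVENTS = (
    [("SetThreadContext", 3080, 3864), ("SetThreadContext", 3864, 2436), ("SetThreadContext", 920, 2436)]
    + [("WriteProcessMemory", 3080, 3864)] * 6
    + [("WriteProcessMemory", 2436, 920)] * 3
)

# Hop labels are this example's own classification, not sandbox signature names.
SELF_HOLLOW = "self-hollowing: child of the same image gets a new thread context"
SYSTEM_INJECT = "injection into a system process from a user-path image"
PARENT_WRITE = "parent wrote into a child it spawned (benign on its own)"
REINJECT = "re-injection into an already compromised process"
OTHER = "cross-process write"


def is_system_image(pid: int) -> bool:
    # Assumption: anything under C:\Windows is an OS binary for this purpose.
    return IMAGE[pid].lower().startswith("c:\\windows\\")


def build_graph(events):
    """Directed graph source -> {targets}; the API name is not needed for the walk."""
    graph = defaultdict(set)
    for _api, src, dst in events:
        if src != dst:
            graph[src].add(dst)
    return graph


def label_hop(src: int, dst: int, seen: set) -> str:
    if dst in seen:
        return REINJECT
    if IMAGE[src].lower() == IMAGE[dst].lower() and PARENT.get(dst) == src:
        return SELF_HOLLOW
    if is_system_image(dst) and not is_system_image(src):
        return SYSTEM_INJECT
    if PARENT.get(dst) == src:
        return PARENT_WRITE
    return OTHER


def injection_chain(root: int, events=EVENTS):
    """Follow cross-process writes from root until a dead end or until the chain loops back."""
    graph = build_graph(events)
    chain, seen, node = [], {root}, root
    while graph[node]:
        dst = min(graph[node])  # this report has one target per source; min() keeps it deterministic
        chain.append((node, dst, label_hop(node, dst, seen)))
        if dst in seen:
            break
        seen.add(dst)
        node = dst
    return chain


def verdict(chain) -> bool:
    """True when the chain contains hollowing or a user-path image writing into an OS process."""
    return any(label in (SELF_HOLLOW, SYSTEM_INJECT) for _src, _dst, label in chain)


if __name__ == "__main__":
    for src, dst, label in injection_chain(3080):
        print(f"{src} -> {dst}: {label}")
    print("malicious chain:", verdict(injection_chain(3080)))
```

The same walk, fed only the Explorer-to-cmmon32 write, yields a single benign hop and a negative verdict: the signal comes from the earlier hops where a user-path image sets thread context in its own child and then in Explorer, not from Explorer writing into a process it just started.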
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps)
memory/920-143-0x0000000004B90000-0x0000000004C20000-memory.dmp  Filesize: 576KB
memory/920-142-0x0000000004CB0000-0x0000000004FFA000-memory.dmp  Filesize: 3.3MB
memory/920-141-0x0000000002E40000-0x0000000002E69000-memory.dmp  Filesize: 164KB
memory/920-140-0x0000000000200000-0x000000000020C000-memory.dmp  Filesize: 48KB
memory/2436-139-0x0000000002A50000-0x0000000002B16000-memory.dmp  Filesize: 792KB
memory/2436-144-0x0000000007900000-0x0000000007A5F000-memory.dmp  Filesize: 1.4MB
memory/3080-133-0x000000000BFE0000-0x000000000C072000-memory.dmp  Filesize: 584KB
memory/3080-130-0x00000000746FE000-0x00000000746FF000-memory.dmp  Filesize: 4KB
memory/3080-132-0x0000000005660000-0x0000000005661000-memory.dmp  Filesize: 4KB
memory/3080-131-0x0000000000CD0000-0x0000000000CDE000-memory.dmp  Filesize: 56KB
memory/3864-138-0x0000000001260000-0x0000000001271000-memory.dmp  Filesize: 68KB
memory/3864-137-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
memory/3864-135-0x00000000012F0000-0x000000000163A000-memory.dmp  Filesize: 3.3MB
memory/3864-134-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB