Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 20-02-2022 16:55
Static task: static1
Behavioral task: behavioral1
Sample: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Resource: win7-en-20211208
General

Target: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Size: 17KB
MD5: aeaddb6a276a6dff4f24b8588c5e67f8
SHA1: 00bb4c75c0227f965bc76bd2bef1a4aca9687d30
SHA256: b04aa6e695c5275ae754bd61c9f45bc3ebdfcc8aed769fae0d744284d072b15e
SHA512: 47fefb178984e1eb736e17d78ee2ea1f269e7306f6c0b192b31748af3db33ef91d9d6213cfd96391fdaf71c00d9612a6d10012f4d2dc3f5707ca3de8eeb8fc01
Malware Config
Extracted
xloader
2.5
po6r
jnhuichuangxin.com
mubashir.art
extol.design
doyyindh.xyz
milanoautoexperts.com
4thefringe.com
453511.com
sellathonautocredit.com
velgian.com
6672pk.com
wodeluzhou.com
sumiyoshiku-hizaita.xyz
imoveldeprimeira.com
dgjssp.com
endokc.com
side-clicks.com
cashndashfinancial.com
vanhemelryck.info
agamitrading.com
woofgang.xyz
atnetworkinc.com
malleshtekumatla.com
com-home.xyz
buildyourmtg.com
viairazur.xyz
drproteaches.com
amaznsavings.com
karencharlestonrealtor.com
bootstrategy.com
mimtgexpert.com
sebzvault.com
brtaclub.com
gicarellc.com
annehonorato.com
rafalgar.com
bergenyouthorchestra.com
entrevistasesenciales.com
thekneedoctors.com
grosseilemireal.estate
celestialdrone.art
bouwdrogerhurenvlaanderen.com
koppakart.com
irishykater.quest
blinglj.com
editorparmindersingh.com
klnhanced.quest
divinebehaviorsolutions.com
amprope.com
futuracart.com
ditrhub.com
eaoeducationprogramme.com
smartplumbing.services
revelandlaceevents.com
bikedh.xyz
pacificdevelopmentstudio.com
palisadesskivacation.com
happy-pets.xyz
killyourselfnigger.com
sonicdrillinginstitute.com
alibabascientific.com
sh-leming.com
aseelrealestate.com
lohmueller.gmbh
ngoccompany.com
healthonline.store
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\verify.exe\"," | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/1808-139-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/1808-141-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2152-147-0x0000000000780000-0x00000000007A9000-memory.dmp | xloader

Suspicious use of SetThreadContext (3 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, WWAHost.exe
description | pid | process | target process
PID 660 set thread context of 1808 | 660 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 1808 set thread context of 992 | 1808 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe | Explorer.EXE
PID 2152 set thread context of 992 | 2152 | WWAHost.exe | Explorer.EXE

Drops file in Windows directory (6 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, WWAHost.exe
pid | process
660 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (6 IoCs)
1808 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (4 IoCs)
2152 | WWAHost.exe (36 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid | process
992 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, WWAHost.exe
pid | process
1808 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (3 IoCs)
2152 | WWAHost.exe (2 IoCs)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, svchost.exe, DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, WWAHost.exe
description | pid | process
Token: SeDebugPrivilege | 660 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Token: SeShutdownPrivilege | 4052 | svchost.exe (3 IoCs)
Token: SeCreatePagefilePrivilege | 4052 | svchost.exe (3 IoCs)
Token: SeDebugPrivilege | 1808 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Token: SeDebugPrivilege | 2152 | WWAHost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe, Explorer.EXE
description | pid | process | target process
PID 660 wrote to memory of 2876 | 660 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (3 IoCs)
PID 660 wrote to memory of 1808 | 660 | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe | DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe (6 IoCs)
PID 992 wrote to memory of 2152 | 992 | Explorer.EXE | WWAHost.exe (3 IoCs)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
    - Modifies WinLogon for persistence
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"

    C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WWAHost.exe
    command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory dump | Filesize
memory/660-136-0x000000000C430000-0x000000000C480000-memory.dmp | 320KB
memory/660-131-0x000000007444E000-0x000000007444F000-memory.dmp | 4KB
memory/660-132-0x0000000005550000-0x0000000005551000-memory.dmp | 4KB
memory/660-138-0x0000000006260000-0x00000000062F2000-memory.dmp | 584KB
memory/660-130-0x0000000000A40000-0x0000000000A4A000-memory.dmp | 40KB
memory/660-137-0x000000000C540000-0x000000000C5F2000-memory.dmp | 712KB
memory/992-150-0x0000000008390000-0x0000000008482000-memory.dmp | 968KB
memory/992-144-0x0000000008260000-0x0000000008333000-memory.dmp | 844KB
memory/1808-145-0x00000000013B0000-0x00000000013C1000-memory.dmp | 68KB
memory/1808-143-0x0000000001690000-0x00000000019DA000-memory.dmp | 3.3MB
memory/1808-139-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/1808-141-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/1808-142-0x000000000041D000-0x000000000041E000-memory.dmp | 4KB
memory/2152-147-0x0000000000780000-0x00000000007A9000-memory.dmp | 164KB
memory/2152-146-0x0000000000650000-0x000000000072C000-memory.dmp | 880KB
memory/2152-148-0x0000000001610000-0x000000000195A000-memory.dmp | 3.3MB
memory/2152-149-0x0000000001470000-0x0000000001500000-memory.dmp | 576KB
memory/4052-135-0x000001E3505C0000-0x000001E3505C4000-memory.dmp | 16KB
memory/4052-134-0x000001E34DF20000-0x000001E34DF30000-memory.dmp | 64KB
memory/4052-133-0x000001E34D960000-0x000001E34D970000-memory.dmp | 64KB