Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:24
Static task: static1
Behavioral task: behavioral1
  Sample: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
  Resource: win10v2004-20220414-en
General
- Target: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
- Size: 850KB
- MD5: 3873065a859c7028cd9db46bf2950e36
- SHA1: 88c9d384602aa6f47c8d12af7df6b7df9cb2891f
- SHA256: acef143204e66bd0ef761c302176d61d547b9bfd78960c7607a9863bdafaae19
- SHA512: 5c4d8c076765299ca2f871ba4d5d47ec8c108908767b55c13486a2e293e1f048c0f7a51c5cb48c212854919d11e0830143c0c5200153fde2dbbf82aa8b9a7d91
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2744 set thread context of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
    2744 #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    2744 #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    2744 #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    2744 #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    528 #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    528 #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    4896 powershell.exe
    4896 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    Token: SeDebugPrivilege (pid 528, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    Token: SeDebugPrivilege (pid 4896, process: powershell.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
    PID 2744 wrote to memory of 3812 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: schtasks.exe)
    PID 2744 wrote to memory of 3812 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: schtasks.exe)
    PID 2744 wrote to memory of 3812 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: schtasks.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 2744 wrote to memory of 528 (pid 2744, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe)
    PID 528 wrote to memory of 4532 (pid 528, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: cmd.exe)
    PID 528 wrote to memory of 4532 (pid 528, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: cmd.exe)
    PID 528 wrote to memory of 4532 (pid 528, process: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe, target process: cmd.exe)
    PID 4532 wrote to memory of 4896 (pid 4532, process: cmd.exe, target process: powershell.exe)
    PID 4532 wrote to memory of 4896 (pid 4532, process: cmd.exe, target process: powershell.exe)
    PID 4532 wrote to memory of 4896 (pid 4532, process: cmd.exe, target process: powershell.exe)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ETIskDNQN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC639.tmp"
    - Creates scheduled task(s)
  - [level 2] C:\Users\Admin\AppData\Local\Temp\#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe' & exit
      - Suspicious use of WriteProcessMemory
      - [level 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- C:\Users\Admin\AppData\Local\Temp\tmpC639.tmp
  Filesize: 1KB
  MD5: f0465186680191289c44d81046dc9bd0
  SHA1: e5eb8e829da97fefac56fc34095102b98e052b4d
  SHA256: e5454c057cf0f6fcc6d3e96d37efe5fdc357057b555e8f9414d32eb8c28fe886
  SHA512: 1dd2d7afe9fbbb475036df7ea674493f358bfac1260b38d620be12c259e60878be665a160864bbdb447f543c420fcd84d26651457fbd175e909001cdc9fcc0da
- memory/528-139-0x0000000000400000-0x00000000004B8000-memory.dmp
  Filesize: 736KB
- memory/528-138-0x0000000000000000-mapping.dmp
- memory/2744-135-0x0000000000A10000-0x0000000000A76000-memory.dmp
  Filesize: 408KB
- memory/2744-130-0x0000000000380000-0x000000000045A000-memory.dmp
  Filesize: 872KB
- memory/2744-134-0x0000000005080000-0x000000000511C000-memory.dmp
  Filesize: 624KB
- memory/2744-133-0x0000000004E00000-0x0000000004E0A000-memory.dmp
  Filesize: 40KB
- memory/2744-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp
  Filesize: 584KB
- memory/2744-131-0x0000000005490000-0x0000000005A34000-memory.dmp
  Filesize: 5.6MB
- memory/3812-136-0x0000000000000000-mapping.dmp
- memory/4532-141-0x0000000000000000-mapping.dmp
- memory/4896-143-0x00000000022C0000-0x00000000022F6000-memory.dmp
  Filesize: 216KB
- memory/4896-142-0x0000000000000000-mapping.dmp
- memory/4896-144-0x0000000004DB0000-0x00000000053D8000-memory.dmp
  Filesize: 6.2MB
- memory/4896-145-0x0000000004D10000-0x0000000004D32000-memory.dmp
  Filesize: 136KB
- memory/4896-146-0x0000000005490000-0x00000000054F6000-memory.dmp
  Filesize: 408KB
- memory/4896-147-0x0000000005BE0000-0x0000000005BFE000-memory.dmp
  Filesize: 120KB
- memory/4896-148-0x0000000007450000-0x0000000007ACA000-memory.dmp
  Filesize: 6.5MB
- memory/4896-149-0x00000000060D0000-0x00000000060EA000-memory.dmp
  Filesize: 104KB
- memory/4896-150-0x0000000006E70000-0x0000000006F06000-memory.dmp
  Filesize: 600KB
- memory/4896-151-0x00000000061A0000-0x00000000061C2000-memory.dmp
  Filesize: 136KB