Overview

overview

10

Static

static

DHL Shipme...DF.exe

windows7_x64

10

DHL Shipme...DF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Shipment Notification,PDF.exe

  • Size

    978KB

  • MD5

    9800e94ddea9137c64f0125f8ed1697b

  • SHA1

    a482e5e542c30a7d64bf6173fef0ffac506b2839

  • SHA256

    192fd3e7ebbf5b338a50b735cd8eae792246e618e3434c1eb0c69f7ef0eb7e05

  • SHA512

    e03f859652d858c2d087d79d71e620e99b606a861dc2757a13261df6e77bb69910b576cd9e2af77a946cd070b4851f94d71c4d7c2e56556ddb3b372be7f3d69a

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:612
    • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
      • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2280
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4992
        • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3420
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3972
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1156
          • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe
            "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3376
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              6⤵
                PID:4248
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4712
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
                  7⤵
                    PID:1552
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                      8⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1864
                • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe
                  "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification,PDF.exe"
                  6⤵
                    PID:1360

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
          Filesize

          994B

          MD5

          334ac3d2e55f80a9b69e02d1dbc44947

          SHA1

          dea2b26b13eca80ad781cfeeaf7082e0d0dc4f2e

          SHA256

          cfc8439b36fdd0455772cdb646d04b93858f9bc44fc94473bf73b253c2e4f25d

          SHA512

          83b5111afd7b24bf4bc193b01587ce590655d25ae9d0f333f6dbd1ddd2d93c2b22b48f5a52aa3c7d7d5833d774fcc729a7f6f9d1faf7277d1fc8deec16efd649

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          25604a2821749d30ca35877a7669dff9

          SHA1

          49c624275363c7b6768452db6868f8100aa967be

          SHA256

          7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

          SHA512

          206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          4aedd2fc71a3721e43a432e3e771bfc7

          SHA1

          3992b43ce22027509c5fd7124f94012c317ecb23

          SHA256

          57e8f68a3b4072f83b7a8b54e7f92b2698139170892d1ebdb3d73181a5f88f38

          SHA512

          7ce1ff094ec267980ec415514ca0e3ed9c141cbc402076bf64bad2ac563cb3e422b3e13e36f12e81a40f853762c12174f0e6383708245536d7a796eb173824a8

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          59d820cbecec66d3971ed76c19228067

          SHA1

          4ebee14dd97d26903d1fc0bacf7b2a1d0cf5a987

          SHA256

          ec0bc53375a8396f2e8bdc515f7863dba0780ce04722fef82d3061bfc863c174

          SHA512

          0c858257dbc17048a035f11522b26835b2cb962d7ad3279044e38c4bbc7c7c0a208c52863669ed309e224cd02de05e104669d1380b8f8208c4209b4eaec872eb

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          b08c4692f7c96cffd14fe7be30c5ad51

          SHA1

          76b1f51bf4eeb66bca29d8f12405f443e07b4ccb

          SHA256

          d32de39b6f846c3e73b443340df92742c5dd08ff8505f3a2ced61e9177ef0d0b

          SHA512

          aaccfe14e68bf21ecad66a809f4f12343a6cebb99cf76d98a8500f00da7e3f98d52e1679508c25dacb8f6a4505d0d48c2f9641b5530104219e2342ca5bad177c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          43675fe075ccd3cad96d3d3a6b0b530f

          SHA1

          cc83243830889f8208c00d080d52847c9d466f64

          SHA256

          215e18436a306bcab28548d03a25463c95fa9c941f25ba80b47bd36568a79292

          SHA512

          f088a7d4277c6740f54dad79eae736b5534acd76ccf7f495b3b5da19df5d350d34cb1e1a028c62a2c713cb6867be560c68de670fd5df81dfd7f447ee1fc44121

          Download Submit
        • memory/612-147-0x0000000006A60000-0x0000000006A7A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/612-146-0x0000000007D80000-0x00000000083FA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/612-148-0x00000000077A0000-0x0000000007836000-memory.dmp
          Filesize

          600KB

          Download
        • memory/612-143-0x0000000005580000-0x00000000055A2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/612-149-0x0000000007700000-0x0000000007722000-memory.dmp
          Filesize

          136KB

          Download
        • memory/612-141-0x0000000002C20000-0x0000000002C56000-memory.dmp
          Filesize

          216KB

          Download
        • memory/612-142-0x00000000056D0000-0x0000000005CF8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/612-140-0x0000000000000000-mapping.dmp
          Download
        • memory/612-144-0x0000000005E70000-0x0000000005ED6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/612-145-0x0000000006550000-0x000000000656E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1156-165-0x0000000000000000-mapping.dmp
          Download
        • memory/1328-154-0x0000000000000000-mapping.dmp
          Download
        • memory/1360-168-0x0000000000000000-mapping.dmp
          Download
        • memory/1552-169-0x0000000000000000-mapping.dmp
          Download
        • memory/1844-139-0x0000000000000000-mapping.dmp
          Download
        • memory/1864-170-0x0000000000000000-mapping.dmp
          Download
        • memory/2224-158-0x0000000000000000-mapping.dmp
          Download
        • memory/2280-159-0x0000000000000000-mapping.dmp
          Download
        • memory/2492-153-0x0000000000000000-mapping.dmp
          Download
        • memory/3044-136-0x0000000000000000-mapping.dmp
          Download
        • memory/3376-163-0x0000000000000000-mapping.dmp
          Download
        • memory/3420-162-0x0000000000000000-mapping.dmp
          Download
        • memory/3972-164-0x0000000000000000-mapping.dmp
          Download
        • memory/4104-135-0x0000000002770000-0x0000000002773000-memory.dmp
          Filesize

          12KB

          Download
        • memory/4104-130-0x0000000000270000-0x000000000036A000-memory.dmp
          Filesize

          1000KB

          Download
        • memory/4340-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4532-152-0x0000000000000000-mapping.dmp
          Download
        • memory/4640-157-0x0000000000000000-mapping.dmp
          Download
        • memory/4712-167-0x0000000000000000-mapping.dmp
          Download
        • memory/4844-138-0x0000000005750000-0x00000000057E2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/4844-137-0x0000000005440000-0x00000000054A6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4844-134-0x0000000005250000-0x00000000052EC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/4844-133-0x0000000005900000-0x0000000005EA4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4844-132-0x0000000000400000-0x00000000004B8000-memory.dmp
          Filesize

          736KB

          Download
        • memory/4844-131-0x0000000000000000-mapping.dmp
          Download
        • memory/4992-160-0x0000000000000000-mapping.dmp
          Download