Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-09-2022 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: DHL SHIPMENT.exe
  Resource: win7-20220812-en
General
Target: DHL SHIPMENT.exe
Size: 274KB
MD5: 904526ba0b032ab844c0b258a9b038a1
SHA1: 2c5ae47c87cf9111300fc0063f8054a5e33e8cab
SHA256: ba51afdb597f570e1914c3253b219b6397f9df8f6448a33991dafe561706f2db
SHA512: ec393d0efe237a274570dd986d162748fd8d6dc5183a2745a6dd8870b21f000fa495742937e19f05ea6220c27adaa21f7a1ecafa7bd20f070a54334d8cb14520
SSDEEP: 6144:nKsjATsXadzG3nGFqPwlwV/ERgSi1AbQ6Qi33IBzz6jG:KsjATsXaw3WywO2gSgANQioBzz6K
Malware Config
Extracted: formbook
fqsu
GhfTqaOqC4FsyoQRW/8=
kbPIpd/8k1C6zJz5mYYdK90ZUA==
VIdg/CoNGeYJHA==
KhzoqndOhw1j43z0ew==
wv8mTDcsX2wJN/Q=
MqBgt6S+3BgGKBQHLZy7Ucg=
GyhOb++nZDi39NPK7dbaKapf
pBtD1UoSTdo3eSp9H7OhRqMV0TAuKMU=
WTzTg1w+fP4fMO0oPPM=
NS/tpGdUwkiMwqmgkxoSzjrQATAuKMU=
MnoSdM1hYn4tdwxjB2fX
3EUfH2EJY17mMf4=
V9/wg2yCQruVszm7V+4=
aNL8pZCGYW4Ej2LD
1Bif9VkmdgVfrJqRvl1GtlTZq1M=
9wHIgmB8EOB2uUVcUfk=
1Fdn15qem+fL1qhrY9xdQmAnVg==
Y32ThttYUUr6PsuRmozlNP74RD+uBz7dOQ==
f5HKyoWNAJLM2qjnZlizsvXDKFs=
mRfaGezap6ZyvJqthZvf
XE1gb9BDOSjo
a9OJ2b2kjstszoza
9btSLokhpHEBONENG+A=
1oAKNwX+AlQ4RiqbCKr3/A==
CXyeL6Bef+sHEOohAWbW
LIB9lHUdfinrMPw=
X7dIczoX7/WDk2a0P4P42iAqXA==
1AosTUdOqyZn43z0ew==
w4kh92EUqSnrMPw=
X9mR59TIpqmQ3MRW3dHaKapf
KW8vtcGOicqbG6P1y0bE5w==
vkxt6aqmRoxJWDaaKoHs+c7R2RWuug==
djf3H/3eGlnoHf4=
QcvffHSEZVsaWTg6K5y7Ucg=
/kfWf0w9mxRGn1uybA==
b8lWfUMY2+E9opoOvdTaKapf
4ifWgGxC54S499ZNmE/F5Q==
7AP9JgUOCEUfL/5LmE/F5Q==
42soE+T1jmG3vkVcUfk=
2AssSCkCPo5ji3athZvf
sNMB+T7ij5hvrZLJiX7V
HR01IYJZMBiUzai563i+Z9E=
4Fd9D4pjthkFCt5RmE/F5Q==
6yu5FXMXHiy7zqGthZvf
cO+UduB23nibvKmTiwbzQmAnVg==
vXETR/2rOfRETvrbmE/F5Q==
ic+XHc6whH7sfccPmE/F5Q==
DSc+LHk1A/5szoza
JTFNQgUfvHjj4Kb8os3aKapf
YxDG7ce0Ers3TB1s39HaKapf
j+eurPutWiCeDmathZvf
XQcvovGUtwkHTB519CFlQmAnVg==
1HmuRaRp15cZQQbZ7hFlQmAnVg==
tPmYAWoWGUY6SPhMmE/F5Q==
EFryTMuzz5HJ9OU=
G135x5VKYpuQ43z0ew==
CTnVhWd74nOZ43z0ew==
sJ+03smn9npsyoQRW/8=
JJRan1oWtqJ2vJiNVpWT9KBZ
Qj9Pa11v7KkTUSfp46OeQcZK/W0PZLdr
FjVWTQ8bqinrMPw=
rdVfEergTeAkTAXemE/F5Q==
55jA4cQafSnrMPw=
kIcp2ZZgh9jlEgn7D6KNKHID70AOvlxj
mtvglobalmusic.com
Signatures

Loads dropped DLL (1 IoC)
  PID 1192 chkdsk.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1604 DHL SHIPMENT.exe set thread context of PID 1600 cvtres.exe
  PID 1600 cvtres.exe set thread context of PID 1212 Explorer.EXE
  PID 1192 chkdsk.exe set thread context of PID 1212 Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (PID 1192 chkdsk.exe)
Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (PID 1192 chkdsk.exe)
Suspicious behavior: EnumeratesProcesses (27 IoCs)
  PID 1600 cvtres.exe (4 events)
  PID 1192 chkdsk.exe (23 events)

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 1600 cvtres.exe (3 events)
  PID 1192 chkdsk.exe (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1600 cvtres.exe
  Token: SeDebugPrivilege, PID 1192 chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1212 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1212 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1604 DHL SHIPMENT.exe wrote to memory of PID 1600 cvtres.exe (7 events)
  PID 1212 Explorer.EXE wrote to memory of PID 1192 chkdsk.exe (4 events)
  PID 1192 chkdsk.exe wrote to memory of PID 588 Firefox.exe (5 events)
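Read together, the SetThreadContext and WriteProcessMemory records above describe a single injection chain: the dropper (PID 1604) hollows cvtres.exe (1600), cvtres.exe redirects a thread in the already-running Explorer.EXE (1212), Explorer.EXE writes into chkdsk.exe (1192, listed as its child in the process tree below), and chkdsk.exe finally writes into Firefox.exe (588). The Python script below is an added example, not part of this report or of any sandbox's code: it parses the flattened record lines in the layout this report prints them, using a constructed copy of the records above as input, and reconstructs that chain plus the set of relay processes (those that were injected into and then injected into something else). The regular expression and the field layout it assumes are tuned to these lines only.

```python
import re
from collections import defaultdict

# Constructed sample input: the SetThreadContext and WriteProcessMemory
# records copied from the Signatures section of this report, one per line.
# The report repeats identical WriteProcessMemory lines (7, 4 and 5 times);
# one copy of each is kept here because the chain does not depend on counts.
IOC_LINES = """\
PID 1604 set thread context of 1600 1604 DHL SHIPMENT.exe cvtres.exe
PID 1600 set thread context of 1212 1600 cvtres.exe Explorer.EXE
PID 1192 set thread context of 1212 1192 chkdsk.exe Explorer.EXE
PID 1604 wrote to memory of 1600 1604 DHL SHIPMENT.exe cvtres.exe
PID 1212 wrote to memory of 1192 1212 Explorer.EXE chkdsk.exe
PID 1192 wrote to memory of 588 1192 chkdsk.exe Firefox.exe
"""

# Assumed record layout, matched against the lines above:
# "PID <src> <verb> <dst> <src> <src image> <dst image>". Image names may
# contain spaces ("DHL SHIPMENT.exe"), so the first name is matched lazily up
# to its ".exe" and the second name takes the rest of the line.
RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>.+?\.exe) (?P<dst_name>.+\.exe)$",
    re.IGNORECASE,
)


def parse_records(text):
    """Return (api, (src_pid, src_name), (dst_pid, dst_name)) for each valid line."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # header or a layout this parser does not understand
        api = "SetThreadContext" if m["verb"].startswith("set") else "WriteProcessMemory"
        records.append((api, (int(m["src"]), m["src_name"]), (int(m["dst"]), m["dst_name"])))
    return records


def injection_edges(records):
    """Directed graph injector -> set of targets. Either API alone counts as an
    edge: the cvtres.exe -> Explorer.EXE step in this report has only a
    SetThreadContext record (cvtres.exe is separately flagged for
    MapViewOfSection), so requiring both APIs would drop that edge."""
    edges = defaultdict(set)
    for _api, src, dst in records:
        edges[src].add(dst)
    return edges


def injection_chains(records):
    """Walk from every process that injects but was never injected into, following
    edges to a leaf. An edge back into a process already on the path (chkdsk.exe
    -> Explorer.EXE here) is a cycle and is not followed."""
    edges = injection_edges(records)
    targets = {dst for dsts in edges.values() for dst in dsts}
    roots = sorted(src for src in edges if src not in targets)
    chains = []

    def walk(node, path):
        path = path + [node]
        nxt = [n for n in sorted(edges.get(node, ())) if n not in path]
        if not nxt:
            chains.append(path)
            return
        for n in nxt:
            walk(n, path)

    for root in roots:
        walk(root, [])
    return chains


def relay_processes(records):
    """Processes that were injected into and then injected into something else.
    A system binary in this set (Explorer.EXE here) is the point where the
    payload is running under a name that looks benign in a process listing."""
    edges = injection_edges(records)
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(src for src in edges if src in targets)


if __name__ == "__main__":
    recs = parse_records(IOC_LINES)
    for chain in injection_chains(recs):
        print(" -> ".join(f"{name} ({pid})" for pid, name in chain))
    print("relays:", relay_processes(recs))
```

Running it prints one chain, DHL SHIPMENT.exe (1604) -> cvtres.exe (1600) -> Explorer.EXE (1212) -> chkdsk.exe (1192) -> Firefox.exe (588), and three relays. On a real host the same graph is built from Sysmon event ID 8 (CreateRemoteThread) and ID 10 (ProcessAccess) rather than sandbox records, but the chain-walk and relay logic are the same.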
Processes

C:\Windows\Explorer.EXE (PID 1212)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT.exe (PID 1604)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1600)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe (PID 1192)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 588)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll (832KB)
  MD5: 07fb6d31f37fb1b4164bef301306c288
  SHA1: 4cb41af6d63a07324ef6b18b1a1f43ce94e25626
  SHA256: 06ddf0a370af00d994824605a8e1307ba138f89b2d864539f0d19e8804edac02
  SHA512: cab4a7c5805b80851aba5f2c9b001fabc1416f6648d891f49eacc81fe79287c5baa01306a42298da722750b812a4ea85388ffae9200dcf656dd1d5b5b9323353

Memory dumps (dump name, address range, size):
  memory/1192-78  0x0000000075601000-0x0000000075603000  8KB
  memory/1192-75  0x00000000009E0000-0x0000000000A6F000  572KB
  memory/1192-74  0x0000000002120000-0x0000000002423000  3.0MB
  memory/1192-73  0x00000000000D0000-0x00000000000FD000  180KB
  memory/1192-72  0x0000000000D10000-0x0000000000D17000  28KB
  memory/1192-69  0x0000000000000000  mapping.dmp
  memory/1212-68  0x0000000004B80000-0x0000000004CB6000  1.2MB
  memory/1212-77  0x0000000004CC0000-0x0000000004DE6000  1.1MB
  memory/1212-76  0x0000000004CC0000-0x0000000004DE6000  1.1MB
  memory/1600-61  0x00000000004012B0  mapping.dmp
  memory/1600-67  0x00000000000F0000-0x0000000000100000  64KB
  memory/1600-66  0x0000000000AE0000-0x0000000000DE3000  3.0MB
  memory/1600-70  0x0000000000400000-0x000000000042F000  188KB
  memory/1600-71  0x0000000000401000-0x000000000042F000  184KB
  memory/1600-64  0x0000000000401000-0x000000000042F000  184KB
  memory/1600-63  0x0000000000400000-0x000000000042F000  188KB
  memory/1600-60  0x0000000000400000-0x000000000042F000  188KB
  memory/1600-58  0x0000000000400000-0x000000000042F000  188KB
  memory/1600-57  0x0000000000400000-0x000000000042F000  188KB
  memory/1604-54  0x0000000000F90000-0x0000000000FD8000  288KB
  memory/1604-56  0x00000000008B0000-0x00000000008B8000  32KB
  memory/1604-55  0x0000000000350000-0x000000000035C000  48KB