Analysis
- max time kernel: 105s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 08:02
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Receipt.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: DHL Receipt.exe
- Resource: win10v2004-20220812-en
General
- Target: DHL Receipt.exe
- Size: 876KB
- MD5: eddb9b6760b873f3d34d521e477ce025
- SHA1: 0f948f0de6a327f094bfe78cffa67553761dbeea
- SHA256: c201333fad1225eac836fad58bc37e183f272e0cf4a62d5754868097560dbc47
- SHA512: f5af5466ee50cc51e93cc80d895800a1d162c9321a9e146769a962551bdde6aa4636f6a869b3ff14114ccd73b2630e079f320a34827e618092638b88b67e3f3d
- SSDEEP: 12288:AohEdeK4HTNvS+vy8kPjPw9oBTI4n5pFuy1:LhcbPwGTvnT
Malware Config
Extracted: lokibot
- http://162.0.223.13/?zfkdYtHLPzjU8NYmyvhLkN8G1QZuI5Khl4vjyc5nMohVcgiLLAw5oEMpvMUd
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Process: DHL Receipt.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoCs)
  Process: DHL Receipt.exe
    PID 1344 (DHL Receipt.exe) set thread context of PID 3168 (DHL Receipt.exe)
- Suspicious behavior: RenamesItself (1 IoCs)
  Process: DHL Receipt.exe
    PID 3168 (DHL Receipt.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: DHL Receipt.exe
    Token: SeDebugPrivilege, PID 3168 (DHL Receipt.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Process: DHL Receipt.exe
    PID 1344 (DHL Receipt.exe) wrote to memory of PID 3168 (DHL Receipt.exe), 9 identical entries
- outlook_office_path (1 IoCs)
  Process: DHL Receipt.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoCs)
  Process: DHL Receipt.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Receipt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\DHL Receipt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Receipt.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1344-132-0x0000000000D70000-0x0000000000E4E000-memory.dmp (888KB)
- memory/1344-133-0x0000000005E70000-0x0000000006414000-memory.dmp (5.6MB)
- memory/1344-134-0x00000000057E0000-0x0000000005872000-memory.dmp (584KB)
- memory/1344-135-0x00000000057C0000-0x00000000057CA000-memory.dmp (40KB)
- memory/1344-136-0x0000000008C00000-0x0000000008C9C000-memory.dmp (624KB)
- memory/1344-137-0x0000000008CA0000-0x0000000008D06000-memory.dmp (408KB)
- memory/3168-138-0x0000000000000000-mapping.dmp
- memory/3168-139-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3168-141-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3168-142-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3168-143-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3168-144-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)