Analysis
-
max time kernel
68s -
max time network
79s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
04-10-2022 11:20
Static task
static1
Behavioral task
behavioral1
Sample
DHL Express Receipt.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
DHL Express Receipt.exe
Resource
win10v2004-20220812-en
General
-
Target
DHL Express Receipt.exe
-
Size
1023KB
-
MD5
61cf71fdffa43e513ee0b7fc22858d3d
-
SHA1
12fe31f4a16c7d30a3e7de8659a0571e8929b1eb
-
SHA256
9965fd6b29b9aecaae9ec00b30cd41de793f3ff2d5a5edfcf1c967f3bbcf94bb
-
SHA512
5ca9b3e71f9ee9757a7ee8fd0ce18e00eec90d90adda598f75f44d91bc0f2c1d31a5b573f53bbb95c45f4e84644686fcd60f594ee6fab359dccd8d64139c3c63
-
SSDEEP
12288:OfUr/H/dPB7aR3jcN5HpXhmSUKRqQPjqmEA+B6Ihk6QxSVjxrL67cK4HTN:1f/dPAUbkYq088NDIFrLm
Malware Config
Extracted
lokibot
http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
DHL Express Receipt.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DHL Express Receipt.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook DHL Express Receipt.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook DHL Express Receipt.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHL Express Receipt.exedescription pid process target process PID 912 set thread context of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
DHL Express Receipt.exepid process 912 DHL Express Receipt.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
DHL Express Receipt.exepid process 1528 DHL Express Receipt.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DHL Express Receipt.exeDHL Express Receipt.exedescription pid process Token: SeDebugPrivilege 912 DHL Express Receipt.exe Token: SeDebugPrivilege 1528 DHL Express Receipt.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DHL Express Receipt.exepid process 912 DHL Express Receipt.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
DHL Express Receipt.exepid process 912 DHL Express Receipt.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
DHL Express Receipt.exedescription pid process target process PID 912 wrote to memory of 1748 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1748 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1748 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1748 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe PID 912 wrote to memory of 1528 912 DHL Express Receipt.exe DHL Express Receipt.exe -
outlook_office_path 1 IoCs
Processes:
DHL Express Receipt.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook DHL Express Receipt.exe -
outlook_win_path 1 IoCs
Processes:
DHL Express Receipt.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DHL Express Receipt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/912-54-0x0000000000030000-0x0000000000136000-memory.dmpFilesize
1.0MB
-
memory/912-55-0x00000000761F1000-0x00000000761F3000-memory.dmpFilesize
8KB
-
memory/912-56-0x0000000000550000-0x000000000056C000-memory.dmpFilesize
112KB
-
memory/912-57-0x0000000004D25000-0x0000000004D36000-memory.dmpFilesize
68KB
-
memory/912-58-0x0000000000970000-0x000000000097C000-memory.dmpFilesize
48KB
-
memory/912-59-0x0000000007E00000-0x0000000007EB2000-memory.dmpFilesize
712KB
-
memory/912-60-0x0000000005E50000-0x0000000005EAC000-memory.dmpFilesize
368KB
-
memory/912-74-0x0000000004D25000-0x0000000004D36000-memory.dmpFilesize
68KB
-
memory/1528-62-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-64-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-66-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-67-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-69-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-70-0x00000000004139DE-mapping.dmp
-
memory/1528-72-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-61-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-75-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-76-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1528-77-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB