Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 08:25
Static task: static1
Behavioral task: behavioral1
Sample: DHL Express Duty Charge, AWB & BL.exe
Resource: win7-20220901-en
General
- Target: DHL Express Duty Charge, AWB & BL.exe
- Size: 580KB
- MD5: 53f6cb13cf941ca18bc398d32f845579
- SHA1: a09d0166e26b59e01d8f9314c98534adcb6de340
- SHA256: 12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013
- SHA512: c272cc3432ad0ed6946fb6c95a9e76842f605b66096bfc86203245176e460494ed670f718110468c9c71957dcd29d66006b7738e40e951cb06f9c762234c2494
- SSDEEP: 12288:isDRL2aOfokSwTh/TCu3SCfn1YD9wj0lmbPOFh7HuTO:DJOfo9+8VCfn89QPOB
Malware Config
Extracted
formbook
h8t0
pX0T7fJ5SmBsroaYtF/qyNlKtSA=
S2NpcYsZ0sMKKsWw
InTDrCxX1GVhp7fzmK8=
mH5Ax6r2GyAh
GYKFkKD2GyAh
TyWptjZgzlzNV0Y2PtM85dlKtSA=
D/V0extZ3I/PVr6mCqGNazBB
xik8B2uLuILxdg==
oohXUF/7tHGxQs42SvIo+64=
7W/2B7CoqOEfY3WqCw==
SKW3c0DvmA991EE=
dx1jYxAG+T9YaOxctM5OqQ==
uBwqzYUt3KHNKEI1Oq/2tV4UUQ==
HkhDv2iluILxdg==
O8ca/3Z0p/xD0dc9jwgr2g6oorw/DA==
CdVTZwxFv2LSRyckeO1Uvg==
UaO+if0kiQ0HHe29lwaEIv+morw/DA==
wB5RfRm6wFunIVY=
UvpBQ+Ucf97/PRGJm4v8
s86lipNDSIu9D/IqkUIhHGUMTA==
MsRSZ8glT5UKKsWw
h+TjzsBQNWee7mmJm4v8
JjNB9VJy8avXKy9m9K6NiDZW
1ThP7JAh7wBq7W3VvtlLGNL9Fv48AM+M
0aVuX1cDu/xf61uJm4v8
59GTc3bxjw991EE=
W7WtpGP2GyAh
GYB02C9luILxdg==
q40QFKzH8T1/w+nP6pMVtg==
Z7nJeUbOQf9BkvBZPF2NiDZW
44cU1d8CXg991EE=
JAfUubVdNhJAjKHgeO1Uvg==
xUfPxDpbyFResMP3wXIKsQ==
4JULrng5OYFbY3WqCw==
KMER7l9088Ugtkq6oMFOJ6keJowM
iONATQAEF46CrtiSnbc=
vFvxA5jDJbUnY3WqCw==
q38T4TU9Q5IKKsWw
fhWcnTxemRoeRqjqvxoa9q4=
JQOBewE1tTozcr0eJp0n5tlKtSA=
3UVIQET29fnwYEAkeO1Uvg==
9seJT6Kuq/IdWyuHKtDnJ9lKtSA=
pghXMgi5b0eRHoq7udwIhgnrSR8J
wSifzGL2GyAh
lSOrnMgrnSOIyPbtyTSemhW/PQlzQz4SQw==
vyUjBfOerfsvdkub/pgyAUZldz4+iJ0=
R62vVKK/P8mzvp/JW8//6Kg=
YkQfLFf5tIrGUulRNVGpMNlKtSA=
Mzc6PVj8w5reeNiSnbc=
r7WMaU0DPLW3yprIKM1A3VzzNQoD
NZCnac7wYhJEnq6TpVzolYY7HXA8AM+M
W8HXkFLpqLIijuVML5GjfuuUUSY=
ZDrJfbiM/nzocA==
0zU4R1/plYvyftiSnbc=
94UYxZIyJyMSKniJm4v8
gU0iIzrckQ991EE=
QQng4fB6LyuRB2RKtXKUUwzzNQoD
+pAWCZSf8LT6fNiSnbc=
s0eZgvUFfQ/085X01r8=
Duapf9rg2fjtMce5XL0PinUiUw==
htza8RasicBGlXOjAw==
yjNpAg+kzdzxbg==
imDm9Z+97WTWNPtKn0jlwv42orw/DA==
2rB3JWz2xsgKKsWw
shura-asia.org
Signatures
-
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (process: DHL Express Duty Charge, AWB & BL.exe)
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (process: DHL Express Duty Charge, AWB & BL.exe)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (process: DHL Express Duty Charge, AWB & BL.exe)
-
Loads dropped DLL (1 IoCs)
Processes:
- PID 3076: DHL Express Duty Charge, AWB & BL.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes:
- PID 4868: DHL Express Duty Charge, AWB & BL.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
- PID 3076: DHL Express Duty Charge, AWB & BL.exe
- PID 4868: DHL Express Duty Charge, AWB & BL.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 3076 (DHL Express Duty Charge, AWB & BL.exe) set thread context of PID 4868 (DHL Express Duty Charge, AWB & BL.exe)
- PID 4868 (DHL Express Duty Charge, AWB & BL.exe) set thread context of PID 3080 (Explorer.EXE)
- PID 4508 (mstsc.exe) set thread context of PID 3080 (Explorer.EXE)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- PID 4868: DHL Express Duty Charge, AWB & BL.exe (8 entries)
- PID 4508: mstsc.exe (8 entries)
-
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
- PID 3076: DHL Express Duty Charge, AWB & BL.exe (1 entry)
- PID 4868: DHL Express Duty Charge, AWB & BL.exe (3 entries)
- PID 4508: mstsc.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 4868 (DHL Express Duty Charge, AWB & BL.exe)
- Token: SeDebugPrivilege, PID 4508 (mstsc.exe)
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- PID 3076 (DHL Express Duty Charge, AWB & BL.exe) wrote to memory of PID 4868 (DHL Express Duty Charge, AWB & BL.exe) (4 entries)
- PID 3080 (Explorer.EXE) wrote to memory of PID 4508 (mstsc.exe) (3 entries)
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory
   PID: 3080
   2. C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 3076
      3. C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Express Duty Charge, AWB & BL.exe"
         - Checks QEMU agent file
         - Checks computer location settings
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         PID: 4868
   2. C:\Windows\SysWOW64\mstsc.exe
      Command line: "C:\Windows\SysWOW64\mstsc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 4508
Network
MITRE ATT&CK Enterprise v6
Downloads
-
- Filesize: 11KB
- MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
- SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
- SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
- SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8