Analysis
max time kernel: 195s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 07:36
Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipment_pdf.exe
Resource: win7-20221111-en
General
Target: DHL Shipment_pdf.exe
Size: 253KB
MD5: 6c47810c50e5d51c52010f6497b192cc
SHA1: 46c1da4c046006d84a306b824e2f9f65a034e389
SHA256: 75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01
SHA512: ab56561a813a1730a63c3d474178d7a0d57394979eb8d5babd98742a3556f4805b88e13c505dbf5169740cc0a3dbffb994b58284d9343f64d835042299e8bbcf
SSDEEP: 6144:xBnQPEBXJ9LLlsp1mjwi2OsedFcBzX1GuW5uC1O:8P4Zc1Ow5eTcBbAn5u3
Malware Config
Extracted
formbook
olus
whatshallilistento.com
Signatures
Executes dropped EXE 2 IoCs
Processes (pid, process):
744 vwwufokaj.exe
308 vwwufokaj.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  vwwufokaj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 4 IoCs
Processes (description, pid, process, target process):
PID 744 set thread context of 308  744 vwwufokaj.exe  vwwufokaj.exe
PID 308 set thread context of 2080  308 vwwufokaj.exe  Explorer.EXE
PID 308 set thread context of 2080  308 vwwufokaj.exe  Explorer.EXE
PID 3904 set thread context of 2080  3904 cscript.exe  Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 1 IoCs
Processes (description, ioc, process):
Key created  \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cscript.exe
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes (pid, process):
308 vwwufokaj.exe (10 entries)
3904 cscript.exe (32 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
2080 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs
Processes (pid, process):
744 vwwufokaj.exe (1 entry)
308 vwwufokaj.exe (4 entries)
3904 cscript.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  308 vwwufokaj.exe
Token: SeDebugPrivilege  3904 cscript.exe
Suspicious use of WriteProcessMemory 19 IoCs
Processes (description, pid, process, target process):
PID 1676 wrote to memory of 744  1676 DHL Shipment_pdf.exe  vwwufokaj.exe (3 entries)
PID 744 wrote to memory of 308  744 vwwufokaj.exe  vwwufokaj.exe (4 entries)
PID 2080 wrote to memory of 3692  2080 Explorer.EXE  msdt.exe (3 entries)
PID 2080 wrote to memory of 3480  2080 Explorer.EXE  netsh.exe (3 entries)
PID 308 wrote to memory of 3904  308 vwwufokaj.exe  cscript.exe (3 entries)
PID 3904 wrote to memory of 816  3904 cscript.exe  Firefox.exe (3 entries)
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2080
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\DHL Shipment_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment_pdf.exe"
    PID: 1676
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe" C:\Users\Admin\AppData\Local\Temp\pwpwushk.h
      PID: 744
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe" C:\Users\Admin\AppData\Local\Temp\pwpwushk.h
        PID: 308
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\cscript.exe
          Command line: "C:\Windows\SysWOW64\cscript.exe"
          PID: 3904
          - Suspicious use of SetThreadContext
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            PID: 816

  Level 2: C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    PID: 3480

  Level 2: C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 3692
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\pwpwushk.h
  Filesize: 5KB
  MD5: 2be139593e0b3fadf40d783a5a82e4fe
  SHA1: 78f5fe723b55100566cf7c13870262df7074a137
  SHA256: 14f4254ad6ded053edb5cf633ac3d9ae6cba67eac00cb007b0bb84cdb50333f5
  SHA512: 6938c2db0dc7e2041cc4e45b2b5a521ff9a2181f9934d9ae3984b8fdb688cef4b7b5a45a4f53f6f62383cf94657cdd260c71b82b58dd4a06f7203b2417c3df69

C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe
  Filesize: 46KB
  MD5: 27541d5316db05b650ab973fd2aec842
  SHA1: ec706f8d9bced58fff747022891c64b6a2148d2f
  SHA256: 720ea640a85baea2835b01c5a6819dd7a129f97e5d4049b63f07b4e007eb8298
  SHA512: ad0e19c92fd8f8e4025ae82a2b3caf89501f2a8e3073c910bf100a8a3c06fb1f62ea955e92dab23350ab7f92420c704740c2baba8782a923b7025f93b06dab73
C:\Users\Admin\AppData\Local\Temp\xkypvuq.ifm
  Filesize: 185KB
  MD5: f3a22ba1cff1d318f4c25580b7976980
  SHA1: e7a12c3c666f36ee7b3417ca4800b8a5463e39a7
  SHA256: 58eb30235dea07294d733f1da23c47726bf0195cea4cd271096205bbb348715f
  SHA512: efd1e1ff8269bdf0fddd020a536e9f26d58d331348b3b9763803069f3213aa5b6f913697735dc3cc0ffad49f666eaf3b2a261e0e874d19805ffb3483a32cb68f
Memory dumps (region, filesize):
memory/308-142-0x0000000000AA0000-0x0000000000AB0000-memory.dmp  64KB
memory/308-144-0x00000000026B0000-0x00000000026C0000-memory.dmp  64KB
memory/308-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/308-140-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/308-141-0x0000000000B00000-0x0000000000E4A000-memory.dmp  3.3MB
memory/308-137-0x0000000000000000-mapping.dmp
memory/308-146-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/744-132-0x0000000000000000-mapping.dmp
memory/2080-145-0x0000000008860000-0x0000000008920000-memory.dmp  768KB
memory/2080-143-0x0000000008780000-0x0000000008859000-memory.dmp  868KB
memory/2080-153-0x00000000030A0000-0x000000000317D000-memory.dmp  884KB
memory/2080-154-0x00000000030A0000-0x000000000317D000-memory.dmp  884KB
memory/3904-147-0x0000000000000000-mapping.dmp
memory/3904-149-0x0000000000410000-0x000000000043D000-memory.dmp  180KB
memory/3904-148-0x0000000000460000-0x0000000000487000-memory.dmp  156KB
memory/3904-150-0x00000000026C0000-0x0000000002A0A000-memory.dmp  3.3MB
memory/3904-151-0x0000000000410000-0x000000000043D000-memory.dmp  180KB
memory/3904-152-0x0000000002510000-0x000000000259F000-memory.dmp  572KB