Analysis
max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2022 17:22
Static task: static1
Behavioral task: behavioral1
Sample: DHL INVOICE#-002834.exe
Resource: win7-20220901-en
General
Target: DHL INVOICE#-002834.exe
Size: 306KB
MD5: 9564349d362fe854594e13217800ea9f
SHA1: 5067b33410d6a859f96e07d7fa006446b5e3abdb
SHA256: 4aba8fe16a25f04df115b34a57b6fff9782664c208348cf57d921d12f158c8b1
SHA512: d919fbc75fd973ddd8e425b728d3ab7c251b5671493517d4eb8e825f6b26a4b5f36d70468b171a336bafcc6c8eaf9deea3c31af7ba26b9ba1aee9649b0b5a1ca
SSDEEP: 6144:NBn0JAr0W067hhLsgQfQIRHWGdEzFgu+sdIEOZz9Kgzl:EerA67sF9Hj2RzEkql
Malware Config
Extracted
formbook
codp
gameikanjoker123.com
Extracted
xloader
3.Æ…
codp
gameikanjoker123.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1548  nwbaihgld.exe
904   nwbaihgld.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation  nwbaihgld.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
1544  DHL INVOICE#-002834.exe
1548  nwbaihgld.exe
1476  NAPSTAT.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process        target process
PID 1548 set thread context of 904   1548  nwbaihgld.exe  nwbaihgld.exe
PID 904 set thread context of 1220   904   nwbaihgld.exe  Explorer.EXE
PID 1476 set thread context of 1220  1476  NAPSTAT.EXE    Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description  ioc                                                                                                                     process
Key created  \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  NAPSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid   process
904   nwbaihgld.exe (4 entries)
1476  NAPSTAT.EXE (22 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1220  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid   process
1548  nwbaihgld.exe (1 entry)
904   nwbaihgld.exe (3 entries)
1476  NAPSTAT.EXE (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  904   nwbaihgld.exe
Token: SeDebugPrivilege  1476  NAPSTAT.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
1220  Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
1220  Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process                  target process
PID 1544 wrote to memory of 1548   1544  DHL INVOICE#-002834.exe  nwbaihgld.exe (4 entries)
PID 1548 wrote to memory of 904    1548  nwbaihgld.exe            nwbaihgld.exe (5 entries)
PID 1220 wrote to memory of 1476   1220  Explorer.EXE             NAPSTAT.EXE (4 entries)
PID 1476 wrote to memory of 844    1476  NAPSTAT.EXE              Firefox.exe (5 entries)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1220
-
  C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1544
  -
    C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe" C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1548
    -
      C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe (level 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 904
  -
  C:\Windows\SysWOW64\NAPSTAT.EXE (level 2)
  Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1476
  -
    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
    PID: 844
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lfpawsddp.vnb
Filesize: 185KB
MD5: 63197a586b382ba5464003f7275236e6
SHA1: f2073ba4af95098e71bbb384383a227aecce8f35
SHA256: d411c5620287a19b2e4c41e7e1ae4e459199feb864c292304e21be73ea9029e6
SHA512: ab02ec855769551f784a7ee6287519648e0302cd0b1ddb3135bf5c635231d175aa7fa97d8cd27045bb2408c438150375498eea25a43104e0c6458a0adff44eb0
-
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize: 98KB
MD5: 5a5ff44ad9dbf2ad128e94d9f2cd5932
SHA1: 6b0a95040616a32343d812ddd5398b0139c6a5e8
SHA256: 38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f
SHA512: 029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4
-
C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
Filesize: 5KB
MD5: d18c95ac432c99f8258833f63a5d2596
SHA1: 68b4b9a95a574b05100c693b6f5a74ab2fd24351
SHA256: 7a756c0994c7bd8ee13469088db0facaf20dac4b8ac46ad891cc9429af0c10c6
SHA512: 23e49e410c676d8de243c90eed7e8ce97fa15a0ad617dc5cd3dd89e7492d28cd565dbdbbd367f428d85a0c4efb3ed28130ea1ae1d3e224cb9af42b0fbda992ac
-
\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize: 98KB
MD5: 5a5ff44ad9dbf2ad128e94d9f2cd5932
SHA1: 6b0a95040616a32343d812ddd5398b0139c6a5e8
SHA256: 38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f
SHA512: 029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 1.0MB
MD5: ce5c15b5092877974d5b6476ad1cb2d7
SHA1: 76a6fc307d1524081cba1886d312df97c9dd658f
SHA256: 1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24
SHA512: bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90
-
memory/904-66-0x0000000000B90000-0x0000000000E93000-memory.dmp (Filesize: 3.0MB)
memory/904-62-0x00000000004012B0-mapping.dmp
memory/904-64-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/904-65-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
memory/904-67-0x0000000000120000-0x0000000000130000-memory.dmp (Filesize: 64KB)
memory/1220-77-0x0000000006C60000-0x0000000006DCA000-memory.dmp (Filesize: 1.4MB)
memory/1220-68-0x0000000006500000-0x0000000006620000-memory.dmp (Filesize: 1.1MB)
memory/1220-74-0x0000000006C60000-0x0000000006DCA000-memory.dmp (Filesize: 1.4MB)
memory/1476-72-0x0000000001FF0000-0x00000000022F3000-memory.dmp (Filesize: 3.0MB)
memory/1476-71-0x00000000000D0000-0x00000000000FD000-memory.dmp (Filesize: 180KB)
memory/1476-70-0x0000000000100000-0x0000000000146000-memory.dmp (Filesize: 280KB)
memory/1476-73-0x0000000000420000-0x00000000004AF000-memory.dmp (Filesize: 572KB)
memory/1476-69-0x0000000000000000-mapping.dmp
memory/1476-75-0x00000000000D0000-0x00000000000FD000-memory.dmp (Filesize: 180KB)
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize: 8KB)
memory/1548-56-0x0000000000000000-mapping.dmp