Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 17:22
Static task
static1
Behavioral task
behavioral1
Sample
DHL INVOICE#-002834.exe
Resource
win7-20220901-en
General
Target: DHL INVOICE#-002834.exe
Size: 306KB
MD5: 9564349d362fe854594e13217800ea9f
SHA1: 5067b33410d6a859f96e07d7fa006446b5e3abdb
SHA256: 4aba8fe16a25f04df115b34a57b6fff9782664c208348cf57d921d12f158c8b1
SHA512: d919fbc75fd973ddd8e425b728d3ab7c251b5671493517d4eb8e825f6b26a4b5f36d70468b171a336bafcc6c8eaf9deea3c31af7ba26b9ba1aee9649b0b5a1ca
SSDEEP: 6144:NBn0JAr0W067hhLsgQfQIRHWGdEzFgu+sdIEOZz9Kgzl:EerA67sF9Hj2RzEkql
Malware Config
Extracted
formbook
codp
WLwbp9IgDF0DRbuq
oNQ7DHBzVHVMTxxxFCORk65Z5w==
eKyDm2P0S8i8tXrGSRxyN/GB+g==
DWLDupksnDvfKi7Q7PI=
JAaYbOFx1G0f4pcM36gDB3YaG796
KWQ71Z4U7+2Nv8K72OXED5M9oe8=
YJpvEHW5TU/wL02R9TiN0A==
tpQX78fPprFMi7ocSgXfUNYKpTq33Icp
a9Z0eju3FKFA/YBy+MQfG3QaG796
uQzt58fSssDUenxacQCY2g==
vijGzYPYOfi2gxZLhlbA
kZfzlQg7IGPxc29BJA==
dcQu+blQlxGyZu7qw5P4L6s=
TTIXAcXMr85yqqvxWBMqdrw=
xZb/tyGC8sOjIS7Q7PI=
KnzenvO+cXkVS3biKfRDwJ9Q5Q==
ZqZvDt9+yYxqh1Si
vZD8CtVZigY/cqnmLA==
QJy2dd/p0MO1Ji7Q7PI=
l+Hmoea3jsiAcqnmLA==
j19MVSQr/CceRbwAwBMqdrw=
vS+9sWn2gDVJYeHZaHTPCN9ywAEKVg==
blpyOo9dQZt5ZxddwQVmww==
IOs9KPQyS0gISA==
nn/ZeuJwB9m55jogOw==
M49wUTbsPAwOcqnmLA==
WqL2DMvly8XMWUkzLPvkgjf1aM5QNRk=
fd7UqRCiNTCiTs+3
vY9pE5GVeJJKMpNw0Imsk65Z5w==
PoplGWGv//+qJC7Q7PI=
d8msQUS/1UNH
g3JQ+nF3X3cfRU7V4us=
CEaYiEEOXyvzU07V4us=
lWFpIAPKKBaU90M=
TzIO/uHUaDELiHVWcQCY2g==
C23Tr3r7VMWspGfecQCY2g==
nqSKdTr0YhS+hBlLhlbA
tqY5MRsZX3MVS0YS8eY=
9MouOBNcWth14KOG9e1CFHYaG796
pKi80FPSajXvnxxLhlbA
RBb0/dHxCF8DRbuq
H2JA8ah0Bg4ScqnmLA==
Ui6WUnCpdrSBlN+xk1450g==
dXUNxi54AIl/E/W/tLmhAJM9oe8=
g8SPLINNHWVYb9gTSBMqdrw=
ld0F/BjbTxaU90M=
jmTquCeAzJmZHGHL7sydCpM9oe8=
K25MOh0tGDTYolGNUQ1yxw==
B1Ozd8XF67PJZGdHJA==
Py0TshQX8wvo4n5WcQCY2g==
G378nwBW6hJ73dDIcfo=
lebDk/+/1UNH
sO5QF9cf+lLssy7Q7PI=
mu50P/Y9kRfOLS7Q7PI=
Akgd/+60CxK1KVo=
wxp6MYyFq4coVQ==
XinIiM8UXijMrUh19sfnOvav
N7THlsfP5amkUA==
DoafUba91Bo1xbahrLegAJM9oe8=
owwVtzbvRgDKNXLAzqwrDNGFpTe33Icp
kQMRCcXUvNWa4OrZxJFt9JM9oe8=
ViF1HZskhw7WOrenND/Q2ZVRhy+33Icp
3rGLk2t/q4coVQ==
L2/L3M8P5DMaGpN/6LvKmJM9oe8=
gameikanjoker123.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  4232  nwbaihgld.exe
  3504  nwbaihgld.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  process: nwbaihgld.exe (PID 3504)
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process        target process
  PID 4232 set thread context of 3504  4232  nwbaihgld.exe  nwbaihgld.exe
  PID 3504 set thread context of 3044  3504  nwbaihgld.exe  Explorer.EXE
  PID 4948 set thread context of 3044  4948  msiexec.exe    Explorer.EXE
Read together with the process tree below, these three events form one chain: the dropped nwbaihgld.exe (4232) writes into and redirects execution of a second copy of itself (3504); that copy injects into the user's Explorer.EXE (3044); Explorer then launches C:\Windows\SysWOW64\msiexec.exe (4948), which sets the thread context of Explorer again. Both injecting processes (3504 and 4948) also enable SeDebugPrivilege, see the AdjustPrivilegeToken signature.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the generic description attached to the signature. The extracted configuration identifies the sample as Formbook, an information stealer, and nothing else in this report shows files being encrypted, so treat the drive enumeration as reconnaissance rather than as ransomware activity.
Modifies Internet Explorer settings
Processes:
  description: Key created
  ioc: \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process: msiexec.exe (PID 4948)
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and credential data. A SysWOW64 msiexec.exe that has been injected into touching this key is consistent with the browser credential theft Formbook is known for, not with anything a legitimate installer does.
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes:
  pid   process        events
  3504  nwbaihgld.exe  8
  4948  msiexec.exe    46
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  3044  Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
  pid   process        events
  4232  nwbaihgld.exe  1
  3504  nwbaihgld.exe  3
  4948  msiexec.exe    4
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3504  nwbaihgld.exe
  Token: SeDebugPrivilege  4948  msiexec.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  description                        pid   process                  target process  events
  PID 2512 wrote to memory of 4232   2512  DHL INVOICE#-002834.exe  nwbaihgld.exe   3
  PID 4232 wrote to memory of 3504   4232  nwbaihgld.exe            nwbaihgld.exe   4
  PID 3044 wrote to memory of 4948   3044  Explorer.EXE             msiexec.exe     3
  PID 4948 wrote to memory of 3612   4948  msiexec.exe              Firefox.exe     3
Processes
C:\Windows\Explorer.EXE  (PID 3044)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe  (PID 2512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe  (PID 4232)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe" C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
      (xlpgzp.d is the 5KB file listed under Downloads, passed to the dropped executable as its only argument)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe  (PID 3504)
        Command line: "C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe  (PID 4948)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 3612)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
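The signature tables and process tree above record the injection chain only as isolated events. The following Python is an added example (not code from the Triage report) that turns those events into three detection rules: code running from %TEMP% rewriting another process's thread context, a Windows system binary launched by an already-injected explorer.exe taking SeDebugPrivilege and injecting back into its parent, and a %TEMP% executable reading the configured country code. PROCESSES is copied from the process tree and EVENTS from the signature tables with one entry per listed pair; the report gives no timestamps, so the event order is an assumption that follows the parent/child relationships. Rule names and path patterns are the author's, not Triage's.

```python
"""Detection rules for the injection chain recorded in the report (added example)."""
import re

# pid -> (parent pid, image path), taken from the report's process tree.
PROCESSES = {
    3044: (None, r"C:\Windows\Explorer.EXE"),
    2512: (3044, r"C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe"),
    4232: (2512, r"C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe"),
    3504: (4232, r"C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe"),
    4948: (3044, r"C:\Windows\SysWOW64\msiexec.exe"),
    3612: (4948, r"C:\Program Files\Mozilla Firefox\Firefox.exe"),
}

GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000"
           r"\Control Panel\International\Geo\Nation")

# (event, acting pid, target pid / privilege / registry path).
# Constructed from the signature tables; the order is an assumption.
EVENTS = [
    ("WriteProcessMemory", 2512, 4232),
    ("WriteProcessMemory", 4232, 3504),
    ("SetThreadContext", 4232, 3504),
    ("RegQueryValue", 3504, GEO_KEY),
    ("AdjustPrivilegeToken", 3504, "SeDebugPrivilege"),
    ("SetThreadContext", 3504, 3044),
    ("WriteProcessMemory", 3044, 4948),
    ("AdjustPrivilegeToken", 4948, "SeDebugPrivilege"),
    ("SetThreadContext", 4948, 3044),
    ("WriteProcessMemory", 4948, 3612),
]

# A directory any user can write without elevation, and where Windows' own binaries live.
TEMP_PATH = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_PATH = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
GEO_SUFFIX = r"\control panel\international\geo\nation"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def detect(processes, events):
    """Walk the events in order and return findings keyed by rule name."""
    findings = {"temp_injection": [], "shell_proxy_injection": [], "geofence": []}
    injected_shells = set()   # explorer.exe pids whose thread context was rewritten
    privileged = set()        # pids that enabled SeDebugPrivilege

    for kind, pid, arg in events:
        parent, image = processes[pid]
        if kind == "AdjustPrivilegeToken" and arg == "SeDebugPrivilege":
            privileged.add(pid)
        elif kind == "RegQueryValue":
            # Rule 3: a %TEMP% executable reads the configured country (geofence check).
            if TEMP_PATH.match(image) and arg.lower().endswith(GEO_SUFFIX):
                findings["geofence"].append(pid)
        elif kind == "SetThreadContext" and arg != pid:
            target = processes[arg][1]
            if TEMP_PATH.match(image):
                # Rule 1: code running from %TEMP% redirects another process's thread.
                findings["temp_injection"].append((pid, arg))
                if basename(target).lower() == "explorer.exe":
                    injected_shells.add(arg)
            elif (SYSTEM_PATH.match(image) and parent in injected_shells
                  and arg == parent and pid in privileged):
                # Rule 2: a system binary spawned by an already-injected explorer.exe
                # takes SeDebugPrivilege and injects back into its parent.
                findings["shell_proxy_injection"].append((pid, basename(image), arg))
    return findings


if __name__ == "__main__":
    for rule, hits in detect(PROCESSES, EVENTS).items():
        print(f"{rule}: {hits}")
```

Rule 2 is the one worth carrying to a live host: msiexec.exe started by explorer.exe is ordinary, msiexec.exe that immediately enables SeDebugPrivilege and opens its parent for thread-context writes is not. Sysmon Event IDs 1 (ProcessCreate) and 10 (ProcessAccess) supply the process tree and the access pairs; Sysmon does not log registry reads, so the geofence rule needs EDR telemetry or a sandbox trace like this one.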
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\lfpawsddp.vnb
  Filesize  185KB
  MD5       63197a586b382ba5464003f7275236e6
  SHA1      f2073ba4af95098e71bbb384383a227aecce8f35
  SHA256    d411c5620287a19b2e4c41e7e1ae4e459199feb864c292304e21be73ea9029e6
  SHA512    ab02ec855769551f784a7ee6287519648e0302cd0b1ddb3135bf5c635231d175aa7fa97d8cd27045bb2408c438150375498eea25a43104e0c6458a0adff44eb0
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe  (listed three times in the report with identical hashes)
  Filesize  98KB
  MD5       5a5ff44ad9dbf2ad128e94d9f2cd5932
  SHA1      6b0a95040616a32343d812ddd5398b0139c6a5e8
  SHA256    38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f
  SHA512    029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4
C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
  Filesize  5KB
  MD5       d18c95ac432c99f8258833f63a5d2596
  SHA1      68b4b9a95a574b05100c693b6f5a74ab2fd24351
  SHA256    7a756c0994c7bd8ee13469088db0facaf20dac4b8ac46ad891cc9429af0c10c6
  SHA512    23e49e410c676d8de243c90eed7e8ce97fa15a0ad617dc5cd3dd89e7492d28cd565dbdbbd367f428d85a0c4efb3ed28130ea1ae1d3e224cb9af42b0fbda992ac
Memory dumps
memory/3044-143-0x00000000080B0000-0x0000000008166000-memory.dmp  Filesize 728KB
memory/3044-152-0x0000000008170000-0x00000000082BC000-memory.dmp  Filesize 1.3MB
memory/3044-150-0x0000000008170000-0x00000000082BC000-memory.dmp  Filesize 1.3MB
memory/3044-148-0x00000000080B0000-0x0000000008166000-memory.dmp  Filesize 728KB
memory/3504-137-0x0000000000000000-mapping.dmp
memory/3504-141-0x0000000001950000-0x0000000001C9A000-memory.dmp  Filesize 3.3MB
memory/3504-142-0x0000000001610000-0x0000000001620000-memory.dmp  Filesize 64KB
memory/3504-140-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize 184KB
memory/3504-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize 188KB
memory/4232-132-0x0000000000000000-mapping.dmp
memory/4948-144-0x0000000000000000-mapping.dmp
memory/4948-145-0x0000000000280000-0x0000000000292000-memory.dmp  Filesize 72KB
memory/4948-146-0x0000000000110000-0x000000000013D000-memory.dmp  Filesize 180KB
memory/4948-147-0x00000000021C0000-0x000000000250A000-memory.dmp  Filesize 3.3MB
memory/4948-149-0x0000000002050000-0x00000000020DF000-memory.dmp  Filesize 572KB
memory/4948-151-0x0000000000110000-0x000000000013D000-memory.dmp  Filesize 180KB
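The Downloads section gives each dropped file's size and hashes, and lists the same nwbaihgld.exe drop once per write rather than once per file. The following Python is an added example (not code from the Triage report) that parses entries in that layout, collapses duplicates by SHA256, and hunts a directory with the result, hashing only files whose size is close to a known drop. REPORT_EXCERPT repeats the report's own entries (nwbaihgld.exe twice here, three times on the page); the size window, the record layout, the planted sample in demo() and the helper names are the author's choices.

```python
"""De-duplicated IoC set from the Downloads section, used to hunt a directory (added example)."""
import hashlib
import os
import re
import tempfile

# Copied from the report's Downloads section; the repeated nwbaihgld.exe entry is deliberate.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\lfpawsddp.vnb
  Filesize  185KB
  MD5       63197a586b382ba5464003f7275236e6
  SHA1      f2073ba4af95098e71bbb384383a227aecce8f35
  SHA256    d411c5620287a19b2e4c41e7e1ae4e459199feb864c292304e21be73ea9029e6
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
  Filesize  98KB
  MD5       5a5ff44ad9dbf2ad128e94d9f2cd5932
  SHA1      6b0a95040616a32343d812ddd5398b0139c6a5e8
  SHA256    38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
  Filesize  98KB
  MD5       5a5ff44ad9dbf2ad128e94d9f2cd5932
  SHA1      6b0a95040616a32343d812ddd5398b0139c6a5e8
  SHA256    38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f
C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
  Filesize  5KB
  MD5       d18c95ac432c99f8258833f63a5d2596
  SHA1      68b4b9a95a574b05100c693b6f5a74ab2fd24351
  SHA256    7a756c0994c7bd8ee13469088db0facaf20dac4b8ac46ad891cc9429af0c10c6
"""

FIELD = re.compile(r"^\s+(Filesize|MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
SIZE_TOLERANCE = 1024  # the report rounds to whole KB, so size is a window, not a key (assumption)


def parse_entries(text):
    """One dict per drop: an unindented path line followed by indented 'Field value' lines."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD.match(line)
        if m and current is not None:
            field, value = m.group(1), m.group(2)
            if field == "Filesize":
                current["size_kb"] = int(value.rstrip("KB"))  # excerpt sizes are whole KB
            else:
                current[field.lower()] = value.lower()
        elif not line[0].isspace():
            current = {"path": line.strip()}
            entries.append(current)
    return entries


def dedupe(entries):
    """Collapse entries by SHA256 and keep every path the same content was written to."""
    iocs = {}
    for e in entries:
        rec = iocs.setdefault(e["sha256"], {"paths": set(), "size_kb": e["size_kb"],
                                            "md5": e["md5"], "sha1": e["sha1"]})
        rec["paths"].add(e["path"])
    return iocs


def digests(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def ioc_for_bytes(data, label):
    """IoC record for content already in hand, e.g. a file pulled from quarantine."""
    return {"paths": {label}, "size_kb": round(len(data) / 1024), **digests(data)}


def scan_directory(root, iocs):
    """Hash only files near a known IoC size, then require SHA256 and MD5 to agree."""
    sizes = {rec["size_kb"] for rec in iocs.values()}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            nbytes = os.path.getsize(path)
            if not any(abs(nbytes - kb * 1024) <= SIZE_TOLERANCE for kb in sizes):
                continue  # cheap prefilter before reading the file at all
            with open(path, "rb") as fh:
                d = digests(fh.read())
            rec = iocs.get(d["sha256"])
            if rec is not None and rec["md5"] == d["md5"]:
                hits.append((path, sorted(rec["paths"])))
    return hits


def demo():
    """Constructed directory: one planted match and one same-sized lookalike that must not match."""
    iocs = dedupe(parse_entries(REPORT_EXCERPT))
    planted = b"MZ" + b"\x90" * 4998  # about 5KB; its hashes become a synthetic IoC
    syn = ioc_for_bytes(planted, "planted.bin")
    iocs[syn["sha256"]] = syn
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "planted.bin"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(tmp, "lookalike.bin"), "wb") as fh:
            fh.write(b"\x00" * 100000)  # about 98KB like nwbaihgld.exe, different content
        return [(os.path.basename(p), matched) for p, matched in scan_directory(tmp, iocs)]
```

The lookalike file passes the size prefilter (100000 bytes rounds to 98KB) and is hashed, but is not reported because its SHA256 is unknown; the prefilter only decides what gets read, never what gets flagged. Requiring MD5 to agree as well costs nothing here and guards against a report entry whose hashes were transcribed inconsistently.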