Analysis
- max time kernel: 36s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 07:01

Static task: static1
Behavioral task: behavioral1
Sample: DHL_INVOICE#-00834.exe
Resource: win7-20220812-en
General
- Target: DHL_INVOICE#-00834.exe
- Size: 262KB
- MD5: c4c96fd02d8673927cf596fc80cd8647
- SHA1: 8b5c6d26685f5c0373ba95ea3f5c76e19a1548de
- SHA256: e90c54d32e7a267681bef788fefb68a4a6ed2c74718039cd5d5fce43c6f33377
- SHA512: 3f72d7cee8db3e880b33ef483f5e706d2e9308582d60385660a2ae4b37a7e879cd7fa01b1c583e0e7399b51f9887ce384333754282c783d85953ff0edaf17696
- SSDEEP: 6144:NBn0lN4V4dffxSB8diLsh6JUIbcubtlVzNb:EDXxSBxLshR/ubzVh
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1708 fbtgbm.exe
  912 fbtgbm.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  364 DHL_INVOICE#-00834.exe
  1708 fbtgbm.exe
  984 WerFault.exe (3 entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 1708 set thread context of 912; 1708 fbtgbm.exe -> fbtgbm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  984 912 WerFault.exe fbtgbm.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
  1708 fbtgbm.exe (2 entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
  PID 364 wrote to memory of 1708; 364 DHL_INVOICE#-00834.exe -> fbtgbm.exe (4 entries)
  PID 1708 wrote to memory of 912; 1708 fbtgbm.exe -> fbtgbm.exe (5 entries)
  PID 912 wrote to memory of 984; 912 fbtgbm.exe -> WerFault.exe (4 entries)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe" C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [level 4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 36
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
  Filesize: 11KB
  MD5: 0e50a8c11030a7367c770cd5317015a5
  SHA1: 1275cd7ecef9059e7959868f551df317db1971f4
  SHA256: 5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f
  SHA512: 814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6
- C:\Users\Admin\AppData\Local\Temp\imzbj.qm
  Filesize: 185KB
  MD5: 50ad533858f9a65a0ce926bf0b396619
  SHA1: ae88e2d52163e66666ef78f6559db7534dd9dbb6
  SHA256: 7fdbf2b32a07ce5b22762439f2251725170fe4bef290e07ac566b1a0b4c6cb64
  SHA512: 3d13a4faa0719e531f7ed00ca841b9bffa360c3fadd3c34697d4b1ab27bdcfce27f79e80e9e5fa5a62baaec70d78040ac1092b3f97bed45ee748638cde8887f3
- C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
  Filesize: 5KB
  MD5: fd876a99321992ceaff68b84bbdbbbe0
  SHA1: 0239567f1a08dd305fe9351783abc9c2ce67c2d8
  SHA256: d9faf20ff13fff6619c79af16313646de9d13e9d6686c1ca91c596b50a89dabd
  SHA512: 6901a2b7eae60cab62688e8028a51c0eea5487825e7bc7cc52a126040df405171609dd45e8fbb8a8a5af5b9d4ba3745a83eda07993339f24968113cd548237cd
- \Users\Admin\AppData\Local\Temp\fbtgbm.exe
  Filesize: 11KB
  MD5: 0e50a8c11030a7367c770cd5317015a5
  SHA1: 1275cd7ecef9059e7959868f551df317db1971f4
  SHA256: 5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f
  SHA512: 814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6
- memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp
  Filesize: 8KB
- memory/912-63-0x00000000000812B0-mapping.dmp
- memory/984-65-0x0000000000000000-mapping.dmp
- memory/1708-56-0x0000000000000000-mapping.dmp