b10a2b32b0de00faddaf167bef405952be39d31f0236aaedc975654ef70f6800

Analysis

max time kernel
90s
max time network
80s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL Original Documents.exe
Size

1.7MB
MD5

14b11f327b8ff84f50d86fb3f2fb20b5
SHA1

8ec121159f7c887fc76edb8b753c77d455ec2f7a
SHA256

b10a2b32b0de00faddaf167bef405952be39d31f0236aaedc975654ef70f6800
SHA512

897b3f4f0d8d34c0e1f36abf9ec4f340293d08b752c80886b358811de010a6e735b53194fedc73e15618a532f02f7968784fbd7f25cf927d2192acf5301e805e
SSDEEP

49152:3VOYAsQBjPOPppNszMoXmp2hEqfvQsT93:lOHDjPCvszMoXEYQod

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
268	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	DHL Original Documents.exe
2036	DHL Original Documents.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
272	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1388	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
884	powershell.exe
2036	DHL Original Documents.exe
2036	DHL Original Documents.exe
2036	DHL Original Documents.exe
2036	DHL Original Documents.exe
2036	DHL Original Documents.exe
1552	powershell.exe
1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe
1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe
1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe
1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe
1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 884	2036	DHL Original Documents.exe	28
PID 2036 wrote to memory of 884	2036	DHL Original Documents.exe	28
PID 2036 wrote to memory of 884	2036	DHL Original Documents.exe	28
PID 2036 wrote to memory of 884	2036	DHL Original Documents.exe	28
PID 2036 wrote to memory of 272	2036	DHL Original Documents.exe	32
PID 2036 wrote to memory of 272	2036	DHL Original Documents.exe	32
PID 2036 wrote to memory of 272	2036	DHL Original Documents.exe	32
PID 2036 wrote to memory of 272	2036	DHL Original Documents.exe	32
PID 2036 wrote to memory of 1760	2036	DHL Original Documents.exe	34
PID 2036 wrote to memory of 1760	2036	DHL Original Documents.exe	34
PID 2036 wrote to memory of 1760	2036	DHL Original Documents.exe	34
PID 2036 wrote to memory of 1760	2036	DHL Original Documents.exe	34
PID 1760 wrote to memory of 1552	1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe	35
PID 1760 wrote to memory of 1552	1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe	35
PID 1760 wrote to memory of 1552	1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe	35
PID 1760 wrote to memory of 1552	1760	Lemahaq doperime soji rotafoyo volir kaquoquo.exe	35
PID 2036 wrote to memory of 268	2036	DHL Original Documents.exe	36
PID 2036 wrote to memory of 268	2036	DHL Original Documents.exe	36
PID 2036 wrote to memory of 268	2036	DHL Original Documents.exe	36
PID 2036 wrote to memory of 268	2036	DHL Original Documents.exe	36
PID 268 wrote to memory of 1584	268	cmd.exe	39
PID 268 wrote to memory of 1584	268	cmd.exe	39
PID 268 wrote to memory of 1584	268	cmd.exe	39
PID 268 wrote to memory of 1584	268	cmd.exe	39
PID 268 wrote to memory of 1388	268	cmd.exe	40
PID 268 wrote to memory of 1388	268	cmd.exe	40
PID 268 wrote to memory of 1388	268	cmd.exe	40
PID 268 wrote to memory of 1388	268	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\DHL Original Documents.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Original Documents.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\xogawol xini metebiy lab cequaret cipej gafere\Lemahaq doperime soji rotafoyo volir kaquoquo.exe"
  2⤵
  - Creates scheduled task(s)
  PID:272
- C:\Users\Admin\xogawol xini metebiy lab cequaret cipej gafere\Lemahaq doperime soji rotafoyo volir kaquoquo.exe
  "C:\Users\Admin\xogawol xini metebiy lab cequaret cipej gafere\Lemahaq doperime soji rotafoyo volir kaquoquo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\DHL Original Documents.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5b42b91b5df44dbb9a01de3bbc724ae2

SHA1
f1006cb9cf72944ff008e8f061a424540229f745

SHA256
69a76df227c519da9455252ba51a615c0b1efecc6c9f761180a526cec1b0d438

SHA512
a8ed1369c03434510325fda1a2017cbdbcdd87068b27e77c6af4b3cdd940dac75558e8c1bcb50d8c58128ffbc8571d3a7a95ef095e75e620dbf2e2d370343b26

Download Submit
C:\Users\Admin\xogawol xini metebiy lab cequaret cipej gafere\Lemahaq doperime soji rotafoyo volir kaquoquo.exe

Filesize
562.6MB

MD5
688669718cb2a332782384f0d1b4964c

SHA1
9dea3ded7132c9d9c5fe618eb6161175ece4de41

SHA256
f7f1f30b6a5d51dc29a6b43645d6dd7b9dcdde7730d8ca172c248ac676d64450

SHA512
85e4cde89ce9152832dba5c0d0cc99da6cdf096819eacbbd2223052cb3b99ce2de4023ca96e4df1d10694caba41f8ea244a87d8e1099296fd8e0b6fd6fc47999

Download Submit
\Users\Admin\xogawol xini metebiy lab cequaret cipej gafere\Lemahaq doperime soji rotafoyo volir kaquoquo.exe

Filesize
615.6MB

MD5
eaac7d229b6ceadddd4254349b989433

SHA1
1cb84ad7c3f81006ce27994fa6be06192cb39879

SHA256
9bb8fa3da48f4d2e1be07fc56d595aa60941d443776f462d0ab5793e826d12de

SHA512
ec99b0bb8c8fbf5d12b43882055a472a0ddc1a5abafe7be1ef60b3d1d177805eb0bf963c53e7dc1dcfc1c9bb47f66943ebef1f082329e8572425508608fa9e62

Download Submit
\Users\Admin\xogawol xini metebiy lab cequaret cipej gafere\Lemahaq doperime soji rotafoyo volir kaquoquo.exe

Filesize
609.4MB

MD5
f9abbeb0325e52d12e13ecf52115cf86

SHA1
9ba0e058b71b1bf228da4398599518201ec77207

SHA256
68a9e1eaf3a2eb00e0a79047ee93c26fc2f0081b270e419d6454496e4c13c3fe

SHA512
d93e11e20a297bedc710464dcaf5ddbfa743f0c2f1777a90162aaf7ecf056014962054a7972dd696bf5c8751efcd691502e106c8f759723310c0ede51d916b75

Download Submit
memory/268-69-0x0000000000000000-mapping.dmp

Download
memory/272-62-0x0000000000000000-mapping.dmp

Download
memory/884-55-0x0000000000000000-mapping.dmp

Download
memory/884-57-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/884-58-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/884-59-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/1388-73-0x0000000000000000-mapping.dmp

Download
memory/1552-75-0x0000000073240000-0x00000000737EB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-76-0x0000000073240000-0x00000000737EB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-68-0x0000000000000000-mapping.dmp

Download
memory/1552-77-0x0000000073240000-0x00000000737EB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-72-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x0000000001010000-0x000000000117A000-memory.dmp

Filesize
1.4MB

Download
memory/1760-65-0x0000000000000000-mapping.dmp

Download
memory/1760-79-0x0000000001010000-0x000000000117A000-memory.dmp

Filesize
1.4MB

Download
memory/1760-80-0x000000000C760000-0x000000000C939000-memory.dmp

Filesize
1.8MB

Download
memory/1760-81-0x000000000C760000-0x000000000C924000-memory.dmp

Filesize
1.8MB

Download
memory/1760-82-0x0000000001010000-0x000000000117A000-memory.dmp

Filesize
1.4MB

Download
memory/1760-83-0x0000000001010000-0x000000000117A000-memory.dmp

Filesize
1.4MB

Download
memory/2036-60-0x0000000002B80000-0x0000000002CEA000-memory.dmp

Filesize
1.4MB

Download
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/2036-61-0x0000000002B80000-0x0000000002CEA000-memory.dmp

Filesize
1.4MB

Download
memory/2036-70-0x0000000002B80000-0x0000000002CEA000-memory.dmp

Filesize
1.4MB

Download