651db78cf227322aa6d3f4ec967eebe97d0cc9bb26a39a06efd143e0e093208d

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/03/2023, 07:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DHL ORIGINAH INVOICE_pdf.exe
Size

260KB
MD5

6ddfa3ae8f08785383dab866c47a155f
SHA1

822faf00e2e055b76b388f4c2ca2661fee94f3fc
SHA256

651db78cf227322aa6d3f4ec967eebe97d0cc9bb26a39a06efd143e0e093208d
SHA512

2dfb48f7bad924464fe8871ea4b52cba714ab7f253ffe47a21836d144fabf6becdfb0ea041cf99af1e48f1f6bdf844648ab7ff238bceb8d3ed1109c93d40e719
SSDEEP

6144:PYa6vUH5p23AlZTs6KxWB3bYTAIptYhyOG+tl50rbGsa6kgo:PY9gp24tKxWB3MTAAtoG+tl50nGF3go

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\International\Geo\Nation	wtvomhespb.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	wtvomhespb.exe
1932	wtvomhespb.exe

Loads dropped DLL 4 IoCs

pid	Process
1408	DHL ORIGINAH INVOICE_pdf.exe
1408	DHL ORIGINAH INVOICE_pdf.exe
1716	wtvomhespb.exe
1492	chkdsk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 1932	1716	wtvomhespb.exe	29
PID 1932 set thread context of 1212	1932	wtvomhespb.exe	12
PID 1492 set thread context of 1212	1492	chkdsk.exe	12

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3430344531-3702557399-3004411149-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1932	wtvomhespb.exe
1932	wtvomhespb.exe
1932	wtvomhespb.exe
1932	wtvomhespb.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1716	wtvomhespb.exe
1932	wtvomhespb.exe
1932	wtvomhespb.exe
1932	wtvomhespb.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe
1492	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	wtvomhespb.exe
Token: SeDebugPrivilege	1492	chkdsk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1716	1408	DHL ORIGINAH INVOICE_pdf.exe	28
PID 1408 wrote to memory of 1716	1408	DHL ORIGINAH INVOICE_pdf.exe	28
PID 1408 wrote to memory of 1716	1408	DHL ORIGINAH INVOICE_pdf.exe	28
PID 1408 wrote to memory of 1716	1408	DHL ORIGINAH INVOICE_pdf.exe	28
PID 1716 wrote to memory of 1932	1716	wtvomhespb.exe	29
PID 1716 wrote to memory of 1932	1716	wtvomhespb.exe	29
PID 1716 wrote to memory of 1932	1716	wtvomhespb.exe	29
PID 1716 wrote to memory of 1932	1716	wtvomhespb.exe	29
PID 1716 wrote to memory of 1932	1716	wtvomhespb.exe	29
PID 1212 wrote to memory of 1492	1212	Explorer.EXE	30
PID 1212 wrote to memory of 1492	1212	Explorer.EXE	30
PID 1212 wrote to memory of 1492	1212	Explorer.EXE	30
PID 1212 wrote to memory of 1492	1212	Explorer.EXE	30
PID 1492 wrote to memory of 2024	1492	chkdsk.exe	33
PID 1492 wrote to memory of 2024	1492	chkdsk.exe	33
PID 1492 wrote to memory of 2024	1492	chkdsk.exe	33
PID 1492 wrote to memory of 2024	1492	chkdsk.exe	33
PID 1492 wrote to memory of 2024	1492	chkdsk.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\DHL ORIGINAH INVOICE_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL ORIGINAH INVOICE_pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe
    "C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe" C:\Users\Admin\AppData\Local\Temp\rhmcjqgjyq.dm
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe
      "C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hf5tebyx.zip

Filesize
438KB

MD5
9ec4d0fe38cb4de94d578bfd72c8eebd

SHA1
e316282a617c5f0c40c488de79c73cf13c8baaf2

SHA256
2402c65692d0a822d7931489d1bbf29fa9bfbf210819c1614dd8d2350e747f2f

SHA512
a3d1ff3c516cf2c6548e03d68eeaff530acc794e1f76253d46b092183bd762c1126160dd611e0d3ceec5d0664d946e5d154b8dc88b1bccf606b57cfd59a31201

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhmcjqgjyq.dm

Filesize
5KB

MD5
55e6c7af121c0e3b9a3c8c1fa0613830

SHA1
990997c3ab67fced6071a1f538fcaaf3f12122c4

SHA256
d2b427b2c6496120ee314a96270a4046736a814262d6bb784c9601975d4355fb

SHA512
f6a73a7504ae7defe159018264bcf87dc6378ab1da09dc0fe0017932d8a77acda50e3702f74ca25d26a0b12e600e70d77f18049f25600d3a2da9c4e35f8730fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgmjj.kkn

Filesize
206KB

MD5
0a395191e87ca472842480f3ccc1b557

SHA1
adb9e8406fc2c93d71de31e86bb35c1a78131e08

SHA256
536f5a130c7a301a2ae0e301bac2f2f6e151a3a9d81aa16afa2f4b1e7fc12769

SHA512
497169831d901f62f7bdb9909a0cd38a3aef2bde8674aaedb4d8e55bbba395910990324a8b6e6f9e33a1819d386088b57a4f61e8a666f973b591797cb15e9418

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
837KB

MD5
e1b58e0aa1b377a1d0e940660ad1ace1

SHA1
5afc7291b26855b1252b26381ebc85ed3cca218f

SHA256
1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777

SHA512
9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2

Download Submit
\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
\Users\Admin\AppData\Local\Temp\wtvomhespb.exe

Filesize
34KB

MD5
02c5962662e5b4206e2d57d7706fe973

SHA1
14f91b2bcaa9cc4aef6c41aa823f38c88cbcdc10

SHA256
1cc81185114838157f66817c435cbadfdb7df88a9848707ebdcccfd56c20a0fe

SHA512
e7cfc7df46728d5b6e235a437688b83e1e6177e23b8cbe6d78cfccf9ad64d4ffe6dedd29cdf28c68c911cef1571e443dac38bd31abeb7478e13b90a3950a65f8

Download Submit
memory/1212-108-0x000007FF16200000-0x000007FF1620A000-memory.dmp

Filesize
40KB

Download
memory/1212-132-0x000007FF16200000-0x000007FF1620A000-memory.dmp

Filesize
40KB

Download
memory/1212-86-0x0000000004150000-0x00000000041F6000-memory.dmp

Filesize
664KB

Download
memory/1212-75-0x0000000004940000-0x0000000004A0A000-memory.dmp

Filesize
808KB

Download
memory/1212-83-0x0000000004150000-0x00000000041F6000-memory.dmp

Filesize
664KB

Download
memory/1492-81-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/1492-80-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1492-79-0x0000000000C50000-0x0000000000C57000-memory.dmp

Filesize
28KB

Download
memory/1492-82-0x0000000000960000-0x00000000009EF000-memory.dmp

Filesize
572KB

Download
memory/1492-77-0x0000000000C50000-0x0000000000C57000-memory.dmp

Filesize
28KB

Download
memory/1492-129-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/1932-74-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1932-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-72-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1932-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download