639bf7ee39d021e52f513f8f18a28403a6022dbd7f0a63dd5fb7a097ece5a6f5

General

Target

DHL Notification_pdf.exe
Size

381KB
MD5

a9f7999b4e36f74de3c8309745eb7456
SHA1

6b6d4bedf95a1795a2be331d8912cdded013100a
SHA256

639bf7ee39d021e52f513f8f18a28403a6022dbd7f0a63dd5fb7a097ece5a6f5
SHA512

7c72940eb27e60a0f2c11ee8d95efd361985d7eb6fe770c8cb07911b70cf3eca1c2a88c06a04812b7142544911a2a726d2b5bd7a3be9edfec26f66d5a719c17d
SSDEEP

6144:8Ya6w8IPXKtO8tPGFlTcyLpsFecHG4mBJ5w2cR9XyJt9p5Xo7:8Yi8Q6wDFlTcyaF5GDBJC2cRRat9p5X6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	rmoeeolnph.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	rmoeeolnph.exe
296	rmoeeolnph.exe

Loads dropped DLL 2 IoCs

pid	Process
1376	DHL Notification_pdf.exe
1724	rmoeeolnph.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 296	1724	rmoeeolnph.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe
296	rmoeeolnph.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1724	rmoeeolnph.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	rmoeeolnph.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1724	1376	DHL Notification_pdf.exe	28
PID 1376 wrote to memory of 1724	1376	DHL Notification_pdf.exe	28
PID 1376 wrote to memory of 1724	1376	DHL Notification_pdf.exe	28
PID 1376 wrote to memory of 1724	1376	DHL Notification_pdf.exe	28
PID 1724 wrote to memory of 296	1724	rmoeeolnph.exe	29
PID 1724 wrote to memory of 296	1724	rmoeeolnph.exe	29
PID 1724 wrote to memory of 296	1724	rmoeeolnph.exe	29
PID 1724 wrote to memory of 296	1724	rmoeeolnph.exe	29
PID 1724 wrote to memory of 296	1724	rmoeeolnph.exe	29

C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
  "C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe" C:\Users\Admin\AppData\Local\Temp\tutkl.b
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
    "C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fsopu.d

Filesize
206KB

MD5
3ab3733202757982f7a7f403c93e8d0d

SHA1
a72e38673df5a4073faaecd523be56cef60a51de

SHA256
f443fbc8f01584c7fd414501ea5c9c39195422ed285824dd6290b623a5a58c6d

SHA512
72d89a69ab1c96d6488a6cf3dbaee324b89e2139b17f6cd6864123cf0910a80ab48ad06b0950834f45783cbddc09e10cdf69606ceffeabcec73899f69f9733cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe

Filesize
46KB

MD5
431309869807d899963cbc9c0f0ee9b6

SHA1
31d2f409f0e175ce5633147adf167c30f6ba89ea

SHA256
cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

SHA512
ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe

Filesize
46KB

MD5
431309869807d899963cbc9c0f0ee9b6

SHA1
31d2f409f0e175ce5633147adf167c30f6ba89ea

SHA256
cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

SHA512
ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe

Filesize
46KB

MD5
431309869807d899963cbc9c0f0ee9b6

SHA1
31d2f409f0e175ce5633147adf167c30f6ba89ea

SHA256
cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

SHA512
ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tutkl.b

Filesize
5KB

MD5
abbda4d9b8c01204c9e53a440e38fc66

SHA1
1a7c7ae8b554bde84e1fdb5643ada21a2479775e

SHA256
525ac97b0f7aca3db1c69b1d3fe458f9b2c3be1548ce6fd17e12462d98921239

SHA512
dbea14bfc8bbaa8b82683217c8653e3858b4fa55a1062f1a19618de85b24b8f41ddec2fc8b7964fc569d0994b1da1b9b472d6413aec3f97c6e319cf9e9cca735

Download Submit
\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe

Filesize
46KB

MD5
431309869807d899963cbc9c0f0ee9b6

SHA1
31d2f409f0e175ce5633147adf167c30f6ba89ea

SHA256
cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

SHA512
ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

Download Submit
\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe

Filesize
46KB

MD5
431309869807d899963cbc9c0f0ee9b6

SHA1
31d2f409f0e175ce5633147adf167c30f6ba89ea

SHA256
cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

SHA512
ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

Download Submit
memory/296-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/296-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/296-69-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/296-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing