Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

DHL Notifi...df.exe

windows7-x64

7

DHL Notifi...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2023, 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Notification_pdf.exe

  • Size

    381KB

  • MD5

    a9f7999b4e36f74de3c8309745eb7456

  • SHA1

    6b6d4bedf95a1795a2be331d8912cdded013100a

  • SHA256

    639bf7ee39d021e52f513f8f18a28403a6022dbd7f0a63dd5fb7a097ece5a6f5

  • SHA512

    7c72940eb27e60a0f2c11ee8d95efd361985d7eb6fe770c8cb07911b70cf3eca1c2a88c06a04812b7142544911a2a726d2b5bd7a3be9edfec26f66d5a719c17d

  • SSDEEP

    6144:8Ya6w8IPXKtO8tPGFlTcyLpsFecHG4mBJ5w2cR9XyJt9p5Xo7:8Yi8Q6wDFlTcyaF5GDBJC2cRRat9p5X6

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
      "C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe" C:\Users\Admin\AppData\Local\Temp\tutkl.b
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
        "C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4156

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fsopu.d
    Filesize

    206KB

    MD5

    3ab3733202757982f7a7f403c93e8d0d

    SHA1

    a72e38673df5a4073faaecd523be56cef60a51de

    SHA256

    f443fbc8f01584c7fd414501ea5c9c39195422ed285824dd6290b623a5a58c6d

    SHA512

    72d89a69ab1c96d6488a6cf3dbaee324b89e2139b17f6cd6864123cf0910a80ab48ad06b0950834f45783cbddc09e10cdf69606ceffeabcec73899f69f9733cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
    Filesize

    46KB

    MD5

    431309869807d899963cbc9c0f0ee9b6

    SHA1

    31d2f409f0e175ce5633147adf167c30f6ba89ea

    SHA256

    cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

    SHA512

    ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
    Filesize

    46KB

    MD5

    431309869807d899963cbc9c0f0ee9b6

    SHA1

    31d2f409f0e175ce5633147adf167c30f6ba89ea

    SHA256

    cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

    SHA512

    ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rmoeeolnph.exe
    Filesize

    46KB

    MD5

    431309869807d899963cbc9c0f0ee9b6

    SHA1

    31d2f409f0e175ce5633147adf167c30f6ba89ea

    SHA256

    cd8e651c1521e79ac77467cfc266d13c4e480b6ae1009883ae52187ddca8180f

    SHA512

    ff9de59c7c31f7400115884026e9138c3fba95b7fb43948c1ece01402649c5417879e575edda96e2490c5a4dd15d46b720dd66a4fca7d79b84c14e529a77559b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tutkl.b
    Filesize

    5KB

    MD5

    abbda4d9b8c01204c9e53a440e38fc66

    SHA1

    1a7c7ae8b554bde84e1fdb5643ada21a2479775e

    SHA256

    525ac97b0f7aca3db1c69b1d3fe458f9b2c3be1548ce6fd17e12462d98921239

    SHA512

    dbea14bfc8bbaa8b82683217c8653e3858b4fa55a1062f1a19618de85b24b8f41ddec2fc8b7964fc569d0994b1da1b9b472d6413aec3f97c6e319cf9e9cca735

    Download Submit

  • memory/4156-142-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4156-145-0x0000000000A50000-0x0000000000D9A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4156-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4160-140-0x0000000000580000-0x0000000000582000-memory.dmp

    Filesize

    8KB

    Download