Analysis

max time kernel: 150s
max time network: 140s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 07:06

Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipment Delivery Notification 27-9-23.exe
Resource: win7-20230831-en
General

Target: DHL Shipment Delivery Notification 27-9-23.exe
Size: 323KB
MD5: d500caad040c54a8a064bb1ae1e02277
SHA1: 02f4722d98277480d4d128e3321f156e0471bdde
SHA256: c261ace97411301444d9dfa50d29f9a0328e83ddf45bf15128ad9d796d050461
SHA512: 1898e9b94b4cd314327473063b3d800f5eb91a7b5044d72f801251c0a42c8211646974ddd753a0f80dfdc647a056032d3041d41ecec7a890bca78c6751c4cde3
SSDEEP: 6144:BnPdudwDs9iDkylpSqHCJLYFn+dBfSVuMKdWKPcmr5tT/RIQzNfov32ZzjWusiD/:BnPdw9iAmpbHCJLQneBaW8KPc2tlIQzp
Malware Config

Extracted
  Family: formbook
  Version: 4.1
  Campaign: sn26
Signatures

Formbook payload (6 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1888-10-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1888-15-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1888-20-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2608-25-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
  behavioral1/memory/2608-28-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
  behavioral1/memory/2608-29-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook

Executes dropped EXE (2 IoCs)
  pid   Process
  2784  wdjjinav.exe
  1888  wdjjinav.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1396  DHL Shipment Delivery Notification 27-9-23.exe
  2784  wdjjinav.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process       procid_target
  PID 2784 set thread context of 1888  2784  wdjjinav.exe  29
  PID 1888 set thread context of 1280  1888  wdjjinav.exe  16
  PID 1888 set thread context of 1280  1888  wdjjinav.exe  16
  PID 2608 set thread context of 1280  2608  chkdsk.exe    16

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description        ioc                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid   Process       count
  1888  wdjjinav.exe  3
  2608  chkdsk.exe    25

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1280  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process       count
  2784  wdjjinav.exe  1
  1888  wdjjinav.exe  4
  2608  chkdsk.exe    2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1888  wdjjinav.exe
  Token: SeDebugPrivilege  2608  chkdsk.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                      pid   Process                                          procid_target  count
  PID 1396 wrote to memory of 2784  1396  DHL Shipment Delivery Notification 27-9-23.exe  28             4
  PID 2784 wrote to memory of 1888  2784  wdjjinav.exe                                     29             5
  PID 1280 wrote to memory of 2608  1280  Explorer.EXE                                     30             4
  PID 2608 wrote to memory of 2716  2608  chkdsk.exe                                       31             4
Processes

1. C:\Windows\Explorer.EXE (PID 1280)
   Command line: "C:\Windows\Explorer.EXE"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery Notification 27-9-23.exe (PID 1396)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Delivery Notification 27-9-23.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\wdjjinav.exe (PID 2784)
         Command line: "C:\Users\Admin\AppData\Local\Temp\wdjjinav.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\wdjjinav.exe (PID 1888)
            Command line: "C:\Users\Admin\AppData\Local\Temp\wdjjinav.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\chkdsk.exe (PID 2608)
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2716)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\wdjjinav.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 205KB
MD5: b791c639d78cc21f869f2e5666ed72c5
SHA1: 86aefeb3b6b2f6f008c60949ae26461cf88c7cdf
SHA256: 2104e7a2b6fb3f502fce6daba82b67039da9ee9db45ef6b087b5907b44b7b4c4
SHA512: 5eb0fd6c37e4bb273c19a1778867c8dcb53a0deb2b66aeae27b48094e6f7eec18357c4a034731dcc150223d3dcc6f8302be0c9fe4aa9f2d2b1609e74412ef457

Filesize: 194KB
MD5: d9360632962b8f895b4f33b76de6438e
SHA1: 0a205e7d5436f0914a3000de9801424625a2eda4
SHA256: 1b990c7256969865617929a408a88709db6de3f9fb1c435b6d255940e54e1f00
SHA512: 4dce8a522d6edab9174ac7aa4615644d92504694dd2d76917aec9736e430f66207d697e0157855d9d00e6bb475845833382836157df89aae19fcabaa06739166