2ba7aff60ad42d9b35d87a2cd967c59cbee18341165fc33e5083788152b0d1bf

General

Target

DHL consignment number 8807995460.exe
Size

629KB
MD5

55d8677644f510f37ab097baf4892c08
SHA1

eb53fb9badf5d643b6a3ad8ba4ec6cdca014b25b
SHA256

2ba7aff60ad42d9b35d87a2cd967c59cbee18341165fc33e5083788152b0d1bf
SHA512

d2b58a0d03d96a053e951037e93318e42192ea81a9d4f2fd7e11f6cc02bfb66a68fb1ea77132575a99353757df81b33d2679e7693a1010bc70d9616c8cc6bde5
SSDEEP

12288:AVMcthmJ+LckWTLv/rXYwbx7qUt1601dHuQpFeswHT1ltm/KpakWiL7AFnS:HTfLRbx7qmAadzeswHTztm/KHNHqS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2932	nslookup.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2608 set thread context of 1276	2608	DHL consignment number 8807995460.exe	20
PID 2608 set thread context of 2932	2608	DHL consignment number 8807995460.exe	32
PID 2932 set thread context of 1276	2932	nslookup.exe	20

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3618187007-3650799920-3290345941-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	nslookup.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2584	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2608	DHL consignment number 8807995460.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2608	DHL consignment number 8807995460.exe
1276	Explorer.EXE
1276	Explorer.EXE
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe
2932	nslookup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	DHL consignment number 8807995460.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 3008	2584	DHL consignment number 8807995460.exe	28
PID 2584 wrote to memory of 3008	2584	DHL consignment number 8807995460.exe	28
PID 2584 wrote to memory of 3008	2584	DHL consignment number 8807995460.exe	28
PID 2584 wrote to memory of 3008	2584	DHL consignment number 8807995460.exe	28
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 2584 wrote to memory of 2608	2584	DHL consignment number 8807995460.exe	29
PID 1276 wrote to memory of 2932	1276	Explorer.EXE	32
PID 1276 wrote to memory of 2932	1276	Explorer.EXE	32
PID 1276 wrote to memory of 2932	1276	Explorer.EXE	32
PID 1276 wrote to memory of 2932	1276	Explorer.EXE	32
PID 2932 wrote to memory of 2420	2932	nslookup.exe	35
PID 2932 wrote to memory of 2420	2932	nslookup.exe	35
PID 2932 wrote to memory of 2420	2932	nslookup.exe	35
PID 2932 wrote to memory of 2420	2932	nslookup.exe	35
PID 2932 wrote to memory of 2420	2932	nslookup.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\DHL consignment number 8807995460.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL consignment number 8807995460.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\DHL consignment number 8807995460.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL consignment number 8807995460.exe"
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\DHL consignment number 8807995460.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL consignment number 8807995460.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2608
- C:\Windows\SysWOW64\nslookup.exe
  "C:\Windows\SysWOW64\nslookup.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\w4jlh.zip

Filesize
422KB

MD5
82949903c2fb1a5eda9181b96800a472

SHA1
b1796bd0c2e7eaed79d1cd8d5dd90e02d491b43d

SHA256
21ebd12c1aa68aa18f4bfdd7ae30d6d321747ee9d91e1d07926d11f2ae84a101

SHA512
c12c980a6778a27f0f9f4266dd8432d5d3f12f3c2a8fa7f760381b3b37c662b71d39274c642e121b78542064e6c9cea48217f808b4ab6a087eb15c27fa02e704

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
807KB

MD5
16a1612789dc9063ebea1cb55433b45b

SHA1
438fde2939bbb9b5b437f64f21c316c17ce4a7f6

SHA256
6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b

SHA512
d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3

Download Submit
memory/1276-27-0x0000000004E40000-0x0000000004F06000-memory.dmp

Filesize
792KB

Download
memory/1276-19-0x0000000008EE0000-0x000000000BDE6000-memory.dmp

Filesize
47.0MB

Download
memory/1276-32-0x0000000004E40000-0x0000000004F06000-memory.dmp

Filesize
792KB

Download
memory/1276-29-0x0000000008EE0000-0x000000000BDE6000-memory.dmp

Filesize
47.0MB

Download
memory/1276-28-0x0000000004E40000-0x0000000004F06000-memory.dmp

Filesize
792KB

Download
memory/2584-0-0x0000000000EC0000-0x0000000000F64000-memory.dmp

Filesize
656KB

Download
memory/2584-3-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2584-1-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-13-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2584-4-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2584-5-0x00000000052C0000-0x000000000533C000-memory.dmp

Filesize
496KB

Download
memory/2608-18-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/2608-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-23-0x00000000002D0000-0x00000000002F2000-memory.dmp

Filesize
136KB

Download
memory/2608-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-14-0x0000000000780000-0x0000000000A83000-memory.dmp

Filesize
3.0MB

Download
memory/2608-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2932-26-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/2932-25-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2932-30-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2932-31-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/2932-24-0x0000000002240000-0x0000000002543000-memory.dmp

Filesize
3.0MB

Download
memory/2932-20-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2932-21-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2932-73-0x0000000061E00000-0x0000000061EB6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing