hxxp://mydhl[.]express[.]dhl

Analysis

max time kernel
159s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mydhl.express.dhl

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133475091885983825"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1000	chrome.exe
1000	chrome.exe
3176	chrome.exe
3176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe
Token: SeShutdownPrivilege	1000	chrome.exe
Token: SeCreatePagefilePrivilege	1000	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe
1000	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4648	1000	chrome.exe	87
PID 1000 wrote to memory of 4648	1000	chrome.exe	87
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 1516	1000	chrome.exe	89
PID 1000 wrote to memory of 5072	1000	chrome.exe	90
PID 1000 wrote to memory of 5072	1000	chrome.exe	90
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91
PID 1000 wrote to memory of 1052	1000	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://mydhl.express.dhl
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc91589758,0x7ffc91589768,0x7ffc91589778
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4564 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1888,i,4880372144546437789,7826925264746024233,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
6336120ee08799a99bed687b39367662

SHA1
b7b612e3d7c971fa0663f9ea0647902e84b2d6a0

SHA256
17a83573f1b40edcb627f8bbfb912e97d92b8168e7354fcfd5a5bb18999613ba

SHA512
1af21fba99b2e22cfd2e9fa2693f7bcea073cc6b000880d986edbd95be60612e5ac27c862d12ec5bf35109df88ec933f80f7ea537e0d1a14152f26cbe9529062

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
78816aa0fa6b3ac0106eabc5c16a60d2

SHA1
cc3683ba04d4a41852573b04cf4899326c70b6ff

SHA256
57f5f8ad64aed5d0eb58927e3143c9b7a96600da5311ca4f3c6599d1b9205549

SHA512
fa2165f3e8acc2927e121bc93dfb1270b704c0a537296f47c2b3c0bef0dab1a72bbf2ca7abf0624832b09e876ca50adb639bfa59ff4dbed9b0f4c2b71c2a745e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
337695316c7477b4a531ae66474beede

SHA1
1248217a0918e57832a724a298409a61b73a4a66

SHA256
9d3cdaaefe84479442e9a9c13d44da6fcf1b6a3b5baa0b3c2dfa38ac34274fbe

SHA512
f757ac4f507f125c84d9e6a97e3f16042d53fe2c8ad00f6a37f3b610f2c2b8b6b8d29106b5dfb0b05b962e9a1d61eeef85fa31c0b828ce58cc75bfd821c8b665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3fedd0b569ce9cbb895d0ba96afd4148

SHA1
c1060f768f9c90c01a3adca0b4108892677f0079

SHA256
e03bcf2d652719859802ff197680fa26cb439834e54b47e9e8aa168f9eab948f

SHA512
096137d423da4feb04796bd3c7165b17566b19c0616c155dc4b8178143e222f69dcb12180bccd3a46d996802d965750faf65aa1cd1866c1ba71339fe4c605967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
f6f46059dbfeef35b0a4a055f973edfc

SHA1
275eb571e9b10b03b7a08c8bd94fa9b412558091

SHA256
8adbf38a1d028f9b8b7e39b6cbe490f8b747985edc6daeb6bc74b48f7176bd95

SHA512
920d8c4daf94f59fc266fead15f28562533fb5777f2a8d122f9ed0b06ec52f6754ecb37de3966a14f6c95fa8b170a1433aeb5626bbe335003b4e266e02087bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit