d4965c645437bdfb5eaf7eed2175fe89501fd437bede13cc91de0f36a3c745cd

Analysis

max time kernel
133s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL INTERNATIONAL AWB#87355432189 PDF.exe
Size

872KB
MD5

56be22ccd46d1f1ea43ff693729eced3
SHA1

875df1a72db7bdab88e38d240b62cefd6683203d
SHA256

d4965c645437bdfb5eaf7eed2175fe89501fd437bede13cc91de0f36a3c745cd
SHA512

cad055009f45da6f2b2181786c2e36d12686c9904e38a8e0e81bf134f6f51659e320f3b5da225f5c670c95c56a4784e565235520d128ec4e4d2f2a6310acfadb
SSDEEP

24576:3tqRLCyDRdM0SwcSYVPnthjXokXNcdE4q:dqRrDRbv8/tKZd+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exe

pid process

3404 DHL INTERNATIONAL AWB#87355432189 PDF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exeDHL INTERNATIONAL AWB#87355432189 PDF.exe

pid process

3404 DHL INTERNATIONAL AWB#87355432189 PDF.exe
3912 DHL INTERNATIONAL AWB#87355432189 PDF.exe

pid	process
3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe

pid	process
3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe
3912	DHL INTERNATIONAL AWB#87355432189 PDF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exe

description	pid	process	target process
PID 3404 set thread context of 3912	3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe

Drops file in Program Files directory 1 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exe

description ioc process

File opened for modification C:\Program Files (x86)\slippersernes.ini DHL INTERNATIONAL AWB#87355432189 PDF.exe
Drops file in Windows directory 1 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exe

description ioc process

File created C:\Windows\retsstaten\bondeangerens.lnk DHL INTERNATIONAL AWB#87355432189 PDF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\slippersernes.ini	DHL INTERNATIONAL AWB#87355432189 PDF.exe

description	ioc	process
File created	C:\Windows\retsstaten\bondeangerens.lnk	DHL INTERNATIONAL AWB#87355432189 PDF.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4516	3912	WerFault.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe
3928	3912	WerFault.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exe

pid process

3404 DHL INTERNATIONAL AWB#87355432189 PDF.exe

pid	process
3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

DHL INTERNATIONAL AWB#87355432189 PDF.exe

description	pid	process	target process
PID 3404 wrote to memory of 3912	3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe
PID 3404 wrote to memory of 3912	3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe
PID 3404 wrote to memory of 3912	3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe
PID 3404 wrote to memory of 3912	3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe
PID 3404 wrote to memory of 3912	3404	DHL INTERNATIONAL AWB#87355432189 PDF.exe	DHL INTERNATIONAL AWB#87355432189 PDF.exe

C:\Users\Admin\AppData\Local\Temp\DHL INTERNATIONAL AWB#87355432189 PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL INTERNATIONAL AWB#87355432189 PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\DHL INTERNATIONAL AWB#87355432189 PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL INTERNATIONAL AWB#87355432189 PDF.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1148
    3⤵
    - Program crash
    PID:4516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1160
    3⤵
    - Program crash
    PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3912 -ip 3912
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3912 -ip 3912
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj3516.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/3404-10-0x0000000077351000-0x0000000077471000-memory.dmp

Filesize
1.1MB

Download
memory/3404-11-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3912-12-0x00000000773D8000-0x00000000773D9000-memory.dmp

Filesize
4KB

Download
memory/3912-13-0x00000000773F5000-0x00000000773F6000-memory.dmp

Filesize
4KB

Download
memory/3912-14-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/3912-16-0x0000000077351000-0x0000000077471000-memory.dmp

Filesize
1.1MB

Download