Analysis

  • max time kernel
    92s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2024, 17:16

General

  • Target

    DHL Original Invoice_pdf.exe

  • Size

    245KB

  • MD5

    3b77ee711a05f071921db953a3940faa

  • SHA1

    5e52987822de91b6b7697534bdce76c122c3cce7

  • SHA256

    00f8d8ce7174e6eaac21ce3278ea4795ed859996c8d09bf6ad189b892fc5e144

  • SHA512

    3cf3ea9bce0c6ecbaee11e613e7bca2f65b34f75068beb0f01f619d8b7cc643fc392bd0842277a1ef4e2d953a24f35b68c41a040c83c41aa858a5796a838600b

  • SSDEEP

    6144:wBlL/cTGU08fsbTu9tbxM3uimcKrFe8N0k:CeTGz8fGqrbxpckT

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Original Invoice_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Original Invoice_pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\DHL Original Invoice_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Original Invoice_pdf.exe"
      2⤵
        PID:3236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1004
        2⤵
        • Program crash
        PID:3268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720
      1⤵
        PID:3720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd4E9E.tmp\svlainqhst.dll

    Filesize

    43KB

    MD5

    fa62ed5f72122a2810809736226c3bc2

    SHA1

    c29eea37c0473260edc4ce2df631eb407b2a66fd

    SHA256

    b5654e645833ac92cf3ab3cb4d2143ac0e7e97cc16a685a7af0bec72d541c3cd

    SHA512

    4156b0ef8e1de1268d075e46ced5c381888abb352ee956fa08c659d723d30128283ed3ba09f42727ce180c7902d3cab78716c207ebc2fc0d0818a6f7b1eb1f2c

  • memory/1720-8-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB