ea4a760a5fe1ba67561424153c950696658416239d04274d35a527d7ba37179d

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL Receipt 004673321/DHL Receipt 004673321.pdf.exe
Size

300.0MB
MD5

3f550e2404750bee9767c47ac42324ba
SHA1

7ce5b605f6ed25eca0243d9ac09a0b231cc9c3dc
SHA256

859d964cf907965c62903bddeb0667d570139bdb6b8fd0113d430b5f48cc7d52
SHA512

3e925a0036f71e4649da08e88ab80b816132f5d596189eaea04e95744ba2fa3180887f404a489b0e5dd4e32361e0e7dc29c272f391067094e4e0efa779c50058
SSDEEP

24576:xA2q55503nejbo6m7JkWao7AwnNxADGq/OCemti9vMY6TtyC:U5550sbyiWaw565tYct

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL Receipt 004673321.pdf.exe

description pid process

Token: SeDebugPrivilege 1692 DHL Receipt 004673321.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1692	DHL Receipt 004673321.pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DHL Receipt 004673321.pdf.execsc.exe

description	pid	process	target process
PID 1692 wrote to memory of 1364	1692	DHL Receipt 004673321.pdf.exe	csc.exe
PID 1692 wrote to memory of 1364	1692	DHL Receipt 004673321.pdf.exe	csc.exe
PID 1692 wrote to memory of 1364	1692	DHL Receipt 004673321.pdf.exe	csc.exe
PID 1364 wrote to memory of 1956	1364	csc.exe	cvtres.exe
PID 1364 wrote to memory of 1956	1364	csc.exe	cvtres.exe
PID 1364 wrote to memory of 1956	1364	csc.exe	cvtres.exe
PID 1692 wrote to memory of 2548	1692	DHL Receipt 004673321.pdf.exe	WerFault.exe
PID 1692 wrote to memory of 2548	1692	DHL Receipt 004673321.pdf.exe	WerFault.exe
PID 1692 wrote to memory of 2548	1692	DHL Receipt 004673321.pdf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DHL Receipt 004673321\DHL Receipt 004673321.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Receipt 004673321\DHL Receipt 004673321.pdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giqkqhbh\giqkqhbh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA27.tmp" "c:\Users\Admin\AppData\Local\Temp\giqkqhbh\CSC2F87330636B42848315B818ACA26732.TMP"
3⤵
PID:1956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1692 -s 608
2⤵
PID:2548

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFA27.tmp
Filesize
1KB

MD5
7bbbe7d1b809d42641bd8b37edb1cc30

SHA1
a3fac695a50d03c3104b0b12bb91fe0e9583b4d5

SHA256
782bb7384c7c1aa9aeddda868bc2e791fa8117c41372e7de615a6c48b373f797

SHA512
4e4fd524d6aa085708c246b88b4e558736e8876c25d3a479984c80f9f378745b09da62b83513535eb0f621c5deb348fa93a98e28e0d63feb4173eb9eb15803c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\giqkqhbh\giqkqhbh.dll
Filesize
6KB

MD5
54c4db3bf6bf278bf56ff7d357380568

SHA1
87a1b8fd6cc069778e5634cd09f1b92be5034efc

SHA256
f84fb23c3c19ec6f2b5a35d6abfa1c54e7bfc26d5a3d34785a979f212be76ada

SHA512
2cb1c5dda630437a84241d7a2f15e2a870b10712b57279173466ebb74d06c473cb62c1523550392783aa9fea283cb9c1e14cc02ef42f72afa362166221f5317f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\giqkqhbh\CSC2F87330636B42848315B818ACA26732.TMP
Filesize
652B

MD5
d56c35f898412076549ed8b37a26307a

SHA1
7005ea05bc052ef95a7684d572b65c54aa2ed447

SHA256
604d56eea9ea813f9e5b29397dea2496be5983471803b8ff3221597c9b46b844

SHA512
4bcab2b75abeb8bf726041b3aa8d63826703bafe4449a2868defd5b8a4c58870b74c3fb83a71c44195f5c936bc93c0732e8a3e008d5ed3ac011995a659d35b71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\giqkqhbh\giqkqhbh.0.cs
Filesize
4KB

MD5
d784666bd143ad91647f8e799749e071

SHA1
706389c04825f2e12a24d00f67ea7140cdccf4ef

SHA256
3bd5920de953fb49e0aec7994f20bcd50d304acf5a3f4f3b23d7408a6cb41ac6

SHA512
c5a4c8817e19df8ad88aae8b9caa243235b23c31bf493704cddcb46e88df203b5fc5b03b535b06bade9816782828b7ba8c5fe247384c344677e570a15bcd07ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\giqkqhbh\giqkqhbh.cmdline
Filesize
366B

MD5
f62533707717cd55c9c93e23a1c35da4

SHA1
2f40e7092e09ff5b5ea56055904d9937a86e9402

SHA256
c137dd880311fac540c71fb7f8aa5e26c63e72aa269d77e95d6403ce5bf9cdcb

SHA512
1725acd9f7d0c8618bafd22a3160c219e6611da7fc8fde9c51c8a292ce5d2097da4f1b66b8868c4a331a9494104f77ca50e4731a6ac06c8c73778af2d8556cda

Download Submit
memory/1692-0-0x0000000000300000-0x000000000038C000-memory.dmp

Filesize
560KB

Download
memory/1692-1-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-2-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/1692-3-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-16-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads