a6a70039baf8a4bd93003cd57d2a132c3b324e88a5b0b2c873147f44cd72c583

General

Target

DHL Express shipment delivery doc pdf.exe
Size

1.2MB
MD5

f094676f389c05b6a2cd1a2bb1c3dc37
SHA1

2c74346628b07892f93abfa39f7afbead0176b82
SHA256

a6a70039baf8a4bd93003cd57d2a132c3b324e88a5b0b2c873147f44cd72c583
SHA512

dbf750bd27d04f0adf79e918df2d0688ccf3bb293471545901f9b71f43c12bb9f878cbbd0e4e63525ab218236c252ef93156c29e93a60e3651d6ba681ca2726b
SSDEEP

24576:wqDEvCTbMWu7rQYlBQcBiT6rprG8aIXi5r17FDIpy:wTvC/MTQYxsWR7aIS91ZIp

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2656	2468	DHL Express shipment delivery doc pdf.exe	28
PID 2656 set thread context of 1196	2656	svchost.exe	21
PID 2656 set thread context of 2392	2656	svchost.exe	29
PID 2392 set thread context of 1196	2392	HOSTNAME.EXE	21

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2468	DHL Express shipment delivery doc pdf.exe
2656	svchost.exe
1196	Explorer.EXE
1196	Explorer.EXE
2392	HOSTNAME.EXE
2392	HOSTNAME.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2656	2468	DHL Express shipment delivery doc pdf.exe	28
PID 2468 wrote to memory of 2656	2468	DHL Express shipment delivery doc pdf.exe	28
PID 2468 wrote to memory of 2656	2468	DHL Express shipment delivery doc pdf.exe	28
PID 2468 wrote to memory of 2656	2468	DHL Express shipment delivery doc pdf.exe	28
PID 2468 wrote to memory of 2656	2468	DHL Express shipment delivery doc pdf.exe	28
PID 1196 wrote to memory of 2392	1196	Explorer.EXE	29
PID 1196 wrote to memory of 2392	1196	Explorer.EXE	29
PID 1196 wrote to memory of 2392	1196	Explorer.EXE	29
PID 1196 wrote to memory of 2392	1196	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\DHL Express shipment delivery doc pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Express shipment delivery doc pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Express shipment delivery doc pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2656
- C:\Windows\SysWOW64\HOSTNAME.EXE
  "C:\Windows\SysWOW64\HOSTNAME.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bohmite

Filesize
250KB

MD5
2d9766d456088aaf371165cc41d00fd2

SHA1
73bc7bed6d01c3209d5827bcb7067b4cde6821a1

SHA256
d2ae296eb373e19647abefa91799dfb3f8269c04bcb3518c226d58cb88afcf60

SHA512
6386f7a51b31b8017f63ff67cce893ad3e2df0b6f7004726ccb7b3b9b5b06b91ac67257c09a2665ef103732fec709de348dc530b2729eca32cf8fea8a29d313b

Download Submit
memory/1196-27-0x0000000008CD0000-0x000000000A893000-memory.dmp

Filesize
27.8MB

Download
memory/1196-18-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/1196-19-0x0000000008CD0000-0x000000000A893000-memory.dmp

Filesize
27.8MB

Download
memory/2392-21-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2392-28-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2392-26-0x0000000000630000-0x00000000006D1000-memory.dmp

Filesize
644KB

Download
memory/2392-25-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2392-24-0x0000000002180000-0x0000000002483000-memory.dmp

Filesize
3.0MB

Download
memory/2392-20-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2468-11-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/2656-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-23-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/2656-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-17-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/2656-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-13-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/2656-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing