a6a70039baf8a4bd93003cd57d2a132c3b324e88a5b0b2c873147f44cd72c583

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL Express shipment delivery doc pdf.exe
Size

1.2MB
MD5

f094676f389c05b6a2cd1a2bb1c3dc37
SHA1

2c74346628b07892f93abfa39f7afbead0176b82
SHA256

a6a70039baf8a4bd93003cd57d2a132c3b324e88a5b0b2c873147f44cd72c583
SHA512

dbf750bd27d04f0adf79e918df2d0688ccf3bb293471545901f9b71f43c12bb9f878cbbd0e4e63525ab218236c252ef93156c29e93a60e3651d6ba681ca2726b
SSDEEP

24576:wqDEvCTbMWu7rQYlBQcBiT6rprG8aIXi5r17FDIpy:wTvC/MTQYxsWR7aIS91ZIp

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4160 set thread context of 2396	4160	DHL Express shipment delivery doc pdf.exe	92
PID 2396 set thread context of 3332	2396	svchost.exe	57
PID 2396 set thread context of 3608	2396	svchost.exe	101
PID 3608 set thread context of 3332	3608	HOSTNAME.EXE	57

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	HOSTNAME.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4160	DHL Express shipment delivery doc pdf.exe
2396	svchost.exe
3332	Explorer.EXE
3332	Explorer.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE
3608	HOSTNAME.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2396	4160	DHL Express shipment delivery doc pdf.exe	92
PID 4160 wrote to memory of 2396	4160	DHL Express shipment delivery doc pdf.exe	92
PID 4160 wrote to memory of 2396	4160	DHL Express shipment delivery doc pdf.exe	92
PID 4160 wrote to memory of 2396	4160	DHL Express shipment delivery doc pdf.exe	92
PID 3332 wrote to memory of 3608	3332	Explorer.EXE	101
PID 3332 wrote to memory of 3608	3332	Explorer.EXE	101
PID 3332 wrote to memory of 3608	3332	Explorer.EXE	101
PID 3608 wrote to memory of 1384	3608	HOSTNAME.EXE	103
PID 3608 wrote to memory of 1384	3608	HOSTNAME.EXE	103
PID 3608 wrote to memory of 1384	3608	HOSTNAME.EXE	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\DHL Express shipment delivery doc pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Express shipment delivery doc pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Express shipment delivery doc pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2396
- C:\Windows\SysWOW64\HOSTNAME.EXE
  "C:\Windows\SysWOW64\HOSTNAME.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3464 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut142F.tmp

Filesize
250KB

MD5
2d9766d456088aaf371165cc41d00fd2

SHA1
73bc7bed6d01c3209d5827bcb7067b4cde6821a1

SHA256
d2ae296eb373e19647abefa91799dfb3f8269c04bcb3518c226d58cb88afcf60

SHA512
6386f7a51b31b8017f63ff67cce893ad3e2df0b6f7004726ccb7b3b9b5b06b91ac67257c09a2665ef103732fec709de348dc530b2729eca32cf8fea8a29d313b

Download Submit
memory/2396-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-14-0x0000000001900000-0x0000000001C4A000-memory.dmp

Filesize
3.3MB

Download
memory/2396-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-18-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/2396-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-23-0x0000000004E30000-0x0000000004E52000-memory.dmp

Filesize
136KB

Download
memory/3332-27-0x000000000D240000-0x00000000103A4000-memory.dmp

Filesize
49.4MB

Download
memory/3332-19-0x000000000D240000-0x00000000103A4000-memory.dmp

Filesize
49.4MB

Download
memory/3332-31-0x0000000002B60000-0x0000000002C42000-memory.dmp

Filesize
904KB

Download
memory/3332-37-0x0000000002B60000-0x0000000002C42000-memory.dmp

Filesize
904KB

Download
memory/3332-30-0x0000000002B60000-0x0000000002C42000-memory.dmp

Filesize
904KB

Download
memory/3608-21-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/3608-26-0x00000000009F0000-0x0000000000A91000-memory.dmp

Filesize
644KB

Download
memory/3608-25-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/3608-28-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/3608-29-0x00000000009F0000-0x0000000000A91000-memory.dmp

Filesize
644KB

Download
memory/3608-24-0x0000000000C90000-0x0000000000FDA000-memory.dmp

Filesize
3.3MB

Download
memory/3608-20-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/4160-12-0x0000000000A60000-0x0000000000A64000-memory.dmp

Filesize
16KB

Download