Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 14:17
Static task
static1
Behavioral task
behavioral1
Sample
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
General
-
Target
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
-
Size
652KB
-
MD5
3783014e89435e8f979155435933d4f0
-
SHA1
c711fb0d97d5d363e241ed5532c6331e0fe8aa57
-
SHA256
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
-
SHA512
611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010
-
SSDEEP
12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1612-304-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/1612-306-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/1612-323-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/2068-305-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2068-314-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 8 IoCs
Processes:
resource yara_rule behavioral1/memory/2068-305-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1612-304-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2208-310-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2208-309-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1612-306-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2208-313-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2068-314-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1612-323-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
Loads dropped DLL 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process target process PID 2228 set thread context of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 set thread context of 2068 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 set thread context of 1612 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 set thread context of 2208 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process Token: SeDebugPrivilege 2208 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process target process PID 2228 wrote to memory of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2228 wrote to memory of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2228 wrote to memory of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2228 wrote to memory of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2228 wrote to memory of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2228 wrote to memory of 1560 2228 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2068 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2068 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2068 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2068 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 1612 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 1612 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 1612 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 1612 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2208 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2208 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2208 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1560 wrote to memory of 2208 1560 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exeC:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\xhckfpnjcmqcgwkdrbfsuvctzwzcqqxnyq"3⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exeC:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibhvgi"3⤵
- Accesses Microsoft Outlook accounts
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exeC:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\sdvohsjfmc"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7587f5155c372c444f16a4440646869
SHA117e3b2a17cf705a5446d5a64661adcd53d3849f8
SHA256d34f554d253fc59e51ce24fe37ff1b71588a299f720ad67312e5701eb270c6f2
SHA5129c13e79fe47e21c9405877ccc85c5e91843e26ec5afa4b2dc43b1a1c18a66875b224b3586dec182e3587ffdefd297a620aaf2720f26818ace95d620a987f62ca
-
Filesize
11KB
MD5fc3772787eb239ef4d0399680dcc4343
SHA1db2fa99ec967178cd8057a14a428a8439a961a73
SHA2569b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA51279e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89