Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 14:17

General

  • Target: dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
  • Size: 652KB
  • MD5: 3783014e89435e8f979155435933d4f0
  • SHA1: c711fb0d97d5d363e241ed5532c6331e0fe8aa57
  • SHA256: a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
  • SHA512: 611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010
  • SSDEEP: 12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI

Malware Config

Signatures

  • GuLoader, CloudEye

    A shellcode-based downloader first seen in 2020.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • NirSoft 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
    "C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
      "C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
        C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\dtgtlwrakgmexhfeoibjxcn"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3240
      • C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
        C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnllmobcgoejznbixlwdiphrtsm"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1712
      • C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
        C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\ypqwfgmwuwwwjtqmowielccauyejmj"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:456
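The process tree above is the pattern worth alerting on: the loader launches a second copy of its own image (the SetThreadContext / WriteProcessMemory / MapViewOfSection stage), and that copy then launches three further copies of itself with `/stext "<Temp path>"`, the NirSoft command-line switch that writes a recovered-credential report to a text file. The following is an added example, not the sandbox's own detection logic, that scores process-creation records for this pattern. The record field names (pid, ppid, image, cmdline) are an assumption modelled loosely on Sysmon Event ID 1, the PIDs and command lines are constructed to mirror this report, and the explorer-style parent of PID 2408 plus the two control rows at the end are invented for the example.

```python
"""Score process-creation records for the self-spawn + NirSoft /stext credential-dump pattern.

Added example, not part of the report. Field names are an assumption (loosely Sysmon Event ID 1);
the sample events are constructed to mirror the Processes section of this page.
"""
import re
from collections import defaultdict

# NirSoft tools accept "/stext <path>" to save their report as a text file. Unquoted paths
# with spaces are not handled here; the paths in this report have none.
STEXT_RE = re.compile(r'/stext\s+"?([^"\s]+)"?', re.IGNORECASE)
# All three reports in this run land under the user's Temp directory.
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)

EXE = r"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events. PIDs 2408/2564/3240/1712/456 mirror the report; ppid 1000 for 2408 and the
# two control rows (an editor, and an admin running a NirSoft tool by hand) are invented.
EVENTS = [
    {"pid": 2408, "ppid": 1000, "image": EXE, "cmdline": f'"{EXE}"'},
    {"pid": 2564, "ppid": 2408, "image": EXE, "cmdline": f'"{EXE}"'},
    {"pid": 3240, "ppid": 2564, "image": EXE, "cmdline": f'{EXE} /stext "{TEMP}\\dtgtlwrakgmexhfeoibjxcn"'},
    {"pid": 1712, "ppid": 2564, "image": EXE, "cmdline": f'{EXE} /stext "{TEMP}\\nnllmobcgoejznbixlwdiphrtsm"'},
    {"pid": 456, "ppid": 2564, "image": EXE, "cmdline": f'{EXE} /stext "{TEMP}\\ypqwfgmwuwwwjtqmowielccauyejmj"'},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\notepad.exe", "cmdline": r"notepad.exe C:\notes.txt"},
    {"pid": 5001, "ppid": 4000, "image": r"C:\Tools\WebBrowserPassView.exe",
     "cmdline": r"WebBrowserPassView.exe /stext C:\Tools\report.txt"},
]


def stext_output(cmdline):
    """Return the /stext output path from a command line, or None if the switch is absent."""
    m = STEXT_RE.search(cmdline)
    return m.group(1) if m else None


def same_image(a, b):
    return a["image"].lower() == b["image"].lower()


def analyze(events):
    """Return {pid: {"points", "level", "reasons"}} for every process that scores at least one point.

    Points: +1 launched as a copy of its parent's image; +2 carries /stext; +1 if that report goes
    to Temp; per child, +1 if the child is a copy of this image and +2 more if that child runs /stext.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = {}
    for e in events:
        points, reasons = 0, []
        parent = by_pid.get(e["ppid"])
        if parent and same_image(parent, e):
            points += 1
            reasons.append("launched as a copy of its parent image")
        out = stext_output(e["cmdline"])
        if out:
            points += 2
            reasons.append(f"NirSoft-style /stext report -> {out}")
            if TEMP_RE.search(out):
                points += 1
                reasons.append("report written under the user's Temp directory")
        for c in children[e["pid"]]:
            if same_image(e, c):
                points += 1
                reasons.append(f"spawns a copy of itself (pid {c['pid']})")
                if stext_output(c["cmdline"]):
                    points += 2
                    reasons.append(f"child pid {c['pid']} runs with /stext")
        if points:
            level = "high" if points >= 4 else "medium" if points >= 2 else "low"
            findings[e["pid"]] = {"points": points, "level": level, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(analyze(EVENTS).items()):
        print(f"pid {pid:>5} {f['level']:>6} ({f['points']} pts): " + "; ".join(f["reasons"]))
```

The parent of the three `/stext` children (PID 2564 here) scores highest because it is both a copy of its own parent and the launcher of three same-image children carrying the switch; an administrator running a NirSoft tool from a tools directory only reaches "medium", which is the right place for a human to look before blocking.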

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dtgtlwrakgmexhfeoibjxcn

    Filesize: 4KB
    MD5: 788d7419b32411807cc6753cbbccecbe
    SHA1: 761b99a1e5bc168f525181d78cff3f6ed82daa14
    SHA256: 76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b
    SHA512: 3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

    This is the /stext output path of PID 3240; the report files of the other two /stext children were not captured in this run.

  • C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\System.dll

    Filesize: 11KB
    MD5: fc3772787eb239ef4d0399680dcc4343
    SHA1: db2fa99ec967178cd8057a14a428a8439a961a73
    SHA256: 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
    SHA512: 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

    A ns<hex>.tmp\System.dll path is where an NSIS installer extracts its System plugin, so the sample is an NSIS package; this is the only dropped DLL in the run and the one behind the "Loads dropped DLL" signature on PID 2408.

  • C:\Users\Admin\Pictures\belejrernes.lnk

    Filesize: 1KB
    MD5: c588ed4449db458391c2b60996362904
    SHA1: d0838cc7aa2974c280303489ca32aebbe4f22efb
    SHA256: dd471e1599acce94724c4322deffd75b637f257b1e7bf025f2b88c5e7fa0fb39
    SHA512: ffdbfd9e0cb7597d9da9d0f2415d491bfbed3d31e5e729e826f3c904e1c9390fd30fb25e707db97a598bcfb8f95d2526d6156923157505ccb63166a4eafe0748

    A shortcut dropped outside Temp, in the user's Pictures folder; compare its target with the Run key value written by PID 2564 when collecting persistence artifacts.

  Memory dumps are named memory/<pid>-<snapshot>-<start>-<end>-memory.dmp; below they are grouped by process and region, with the snapshot numbers captured for each.

  • memory/456 (/stext child)

    0x0000000000400000-0x0000000000424000 (144KB): snapshots 340, 343, 344, 353

  • memory/1712 (/stext child)

    0x0000000000400000-0x0000000000462000 (392KB): snapshots 337, 339, 341, 350

  • memory/2408 (first process)

    0x0000000077861000-0x0000000077981000 (1.1MB): snapshot 290
    0x0000000010004000-0x0000000010005000 (4KB): snapshot 291

  • memory/2564 (second copy, parent of the /stext children)

    0x00000000778E8000-0x00000000778E9000 (4KB): snapshot 292
    0x0000000077861000-0x0000000077981000 (1.1MB): snapshots 293, 296, 364
    0x00000000004B0000-0x0000000001704000 (18.3MB): snapshots 295, 299-318, 320-326, 329-334, 367-388 (56 dumps)
    0x0000000001710000-0x0000000006F6F000 (88.4MB): snapshot 297
    0x00000000004E4000-0x00000000004E5000 (4KB): snapshot 298
    0x0000000038430000-0x0000000038449000 (100KB): snapshots 359, 362, 363

  • memory/3240 (/stext child)

    0x0000000000400000-0x0000000000478000 (480KB): snapshots 336, 338, 342, 352, 356

  Each of the three /stext children has exactly one dumped region, starting at 0x00400000, the default image base of a 32-bit PE (the sample is tagged arch:x86); that is consistent with a different executable having been written over the original image in each child. The 18.3MB region at 0x004B0000 in PID 2564, re-dumped 56 times, and the single 88.4MB region next to it are the large non-image allocations to pull first when looking for the unpacked stage.
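Reading a listing like the one above by hand is error-prone once a single region has been dumped dozens of times. The following is an added example, not part of the report or of the sandbox's tooling, that parses dump names in the memory/<pid>-<snapshot>-<start>-<end>-memory.dmp layout used on this page, groups them by process and region, reproduces the report's size labels, and flags two things a triager looks for first. The 32-bit default image base and the 8 MiB "large region" threshold are this example's own heuristics, and the input list is a constructed subset of the names above.

```python
"""Group sandbox memory-dump names into per-process region rows for triage.

Added example, not part of the report. Dump-name layout follows the listing on this page;
DEFAULT_IMAGE_BASE_32 and LARGE_REGION are this example's own heuristics.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<snap>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the dump names listed above (every distinct region, a few with repeats).
DUMP_NAMES = [
    "memory/456-340-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/456-353-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/1712-337-0x0000000000400000-0x0000000000462000-memory.dmp",
    "memory/3240-336-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/2408-290-0x0000000077861000-0x0000000077981000-memory.dmp",
    "memory/2564-295-0x00000000004B0000-0x0000000001704000-memory.dmp",
    "memory/2564-326-0x00000000004B0000-0x0000000001704000-memory.dmp",
    "memory/2564-388-0x00000000004B0000-0x0000000001704000-memory.dmp",
    "memory/2564-297-0x0000000001710000-0x0000000006F6F000-memory.dmp",
    "memory/2564-359-0x0000000038430000-0x0000000038449000-memory.dmp",
]

DEFAULT_IMAGE_BASE_32 = 0x00400000  # default ImageBase of a 32-bit PE (heuristic, assumption)
LARGE_REGION = 8 << 20              # non-image regions above 8 MiB get flagged (heuristic, assumption)


def parse_dump(name):
    """Split one dump name into pid, snapshot, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "snap": int(m["snap"]), "start": start, "end": end, "size": end - start}


def human(nbytes):
    """Size label in the style the report uses: whole KB, or MB to one decimal."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def flags(start, size):
    out = []
    if start == DEFAULT_IMAGE_BASE_32:
        out.append("at default 32-bit image base: candidate PE written over the original image")
    if size >= LARGE_REGION:
        out.append("large region: candidate unpacked stage or shellcode, dump this first")
    return out


def summarize(names):
    """One row per (pid, start, end) with its sorted snapshot list, size label and flags."""
    groups = defaultdict(list)
    for d in map(parse_dump, names):
        groups[(d["pid"], d["start"], d["end"])].append(d["snap"])
    rows = []
    for (pid, start, end), snaps in sorted(groups.items()):
        size = end - start
        rows.append({"pid": pid, "start": start, "end": end, "size": size,
                     "label": human(size), "snapshots": sorted(snaps), "flags": flags(start, size)})
    return rows


if __name__ == "__main__":
    for r in summarize(DUMP_NAMES):
        print(f"pid {r['pid']:>5}  0x{r['start']:08X}-0x{r['end']:08X}  {r['label']:>7}  "
              f"x{len(r['snapshots']):<3} {'; '.join(r['flags'])}")
```

Run against the full listing, the same code collapses the 56 dumps of the 0x004B0000 region in PID 2564 into one row and marks the three /stext children's 0x00400000 regions as the places to carve a PE from.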