Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 15:30
Static task
static1
Behavioral task
behavioral1
Sample
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
General
-
Target
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
-
Size
652KB
-
MD5
3783014e89435e8f979155435933d4f0
-
SHA1
c711fb0d97d5d363e241ed5532c6331e0fe8aa57
-
SHA256
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
-
SHA512
611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010
-
SSDEEP
12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 3208 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 3208 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 3208 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process target process PID 1524 set thread context of 3208 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 3208 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process target process PID 1524 wrote to memory of 3208 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1524 wrote to memory of 3208 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1524 wrote to memory of 3208 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1524 wrote to memory of 3208 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 1524 wrote to memory of 3208 1524 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fc3772787eb239ef4d0399680dcc4343
SHA1db2fa99ec967178cd8057a14a428a8439a961a73
SHA2569b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA51279e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89
-
Filesize
1KB
MD5568282ba8e9951c32017a5aa8f76e805
SHA1d918825965fe1e94f279f75def6041a7a88fc89b
SHA256e8c00c8ad4e88de10506a0d70afa1399af3fad0704573066b5b2321e1a28540f
SHA51221d099f541abbda6b50b0564dbc257a741eebe8a990f8aabbbba191ca37543870a6d1fe61468db0b60cc41250c37f49a3b89cd6e03bb0666cdeb4a861d28f96e