Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:07
Static task
static1
Behavioral task
behavioral1
Sample
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
General
-
Target
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
-
Size
652KB
-
MD5
3783014e89435e8f979155435933d4f0
-
SHA1
c711fb0d97d5d363e241ed5532c6331e0fe8aa57
-
SHA256
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
-
SHA512
611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010
-
SSDEEP
12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/4584-398-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/4584-392-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/4212-393-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/4212-406-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
Processes:
resource yara_rule behavioral2/memory/4584-398-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/628-399-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/628-397-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/628-396-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/4584-392-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4212-393-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4212-406-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Loads dropped DLL 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process target process PID 3608 set thread context of 2952 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 set thread context of 4212 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 set thread context of 4584 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 set thread context of 628 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 4212 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 4212 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 628 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 628 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 4212 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 4212 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process Token: SeDebugPrivilege 628 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exepid process 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
dhl_awb_shipping_invoice_21_05_2024_000000000000024.exedhl_awb_shipping_invoice_21_05_2024_000000000000024.exedescription pid process target process PID 3608 wrote to memory of 2952 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 3608 wrote to memory of 2952 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 3608 wrote to memory of 2952 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 3608 wrote to memory of 2952 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 3608 wrote to memory of 2952 3608 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 4212 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 4212 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 4212 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 4584 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 4584 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 4584 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 628 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 628 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe PID 2952 wrote to memory of 628 2952 dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exeC:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\viisaiosdpftborhk"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exeC:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\flvlbszlrxxymvnttoiro"3⤵
- Accesses Microsoft Outlook accounts
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exeC:\Users\Admin\AppData\Local\Temp\dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfadulknffpcobcxczctzdbv"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fc3772787eb239ef4d0399680dcc4343
SHA1db2fa99ec967178cd8057a14a428a8439a961a73
SHA2569b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA51279e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89
-
Filesize
4KB
MD573ddf6cd83c2ad8a2fbb2383e322ffbc
SHA105270f8bb7b5cc6ab9a61ae7453d047379089147
SHA2560ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409
SHA512714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d
-
Filesize
1KB
MD5d198743e1f9c150aa9c4ca4d77651cf8
SHA1319fffd55bd06999712b8b2aca83e5c5dac0c080
SHA25609ea038f2a9171f785e715dc1417eadbba925ca6a86fa23163a162236b6a4953
SHA512804dbc29ba3dcb7ca5827c030dedc3de3a2df9fb71f3415ae19004c79c9e148f9e30a52531333650041729037e57e3b7d7d8bbae60448cd628d8791824841089