Analysis Overview
SHA256
dd7243dc57f78c2a9d515760aed44ff332a281f7e06c37f1b95887cff94a94a8
Threat Level: Likely malicious
The file 10062024_1326_09062024_DHL Package.zip was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 13:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 13:26
Reported
2024-06-10 13:30
Platform
win7-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2992 set thread context of 2336 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DHL Package.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Package.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Uropfrer=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del';$Skoleudgavers=$Uropfrer.SubString(54521,3);.$Skoleudgavers($Uropfrer)"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe
"C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | sa.columbrara.za.com | udp |
Files
C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del
| MD5 | b1bf3757ba661c2fc29713ddaa598605 |
| SHA1 | 5c77e7e505aa16a208499b1a67089bcdba3d349b |
| SHA256 | c8a6d8bb0a194f855387ef00c86f0016c1ba489eb7b6dc729af5853157d418c9 |
| SHA512 | 06a766ab5d297082781db399571d458202bdf155ad1415de5bc453753b640dfba5c9c47047e0aefd964bc6b31a7161e50723a67db4c93276bc35c01412c1d40a |
C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Timianernes.Vel
| MD5 | 77c2017d3aab930e712847c30d7d5764 |
| SHA1 | f27a330028667e527305448d0a94913e3282c821 |
| SHA256 | 9691d68779acccfebf0288f52c0becadf1aa9616c78eefa4c3cab657af0d9cee |
| SHA512 | b8d15d0ed28792a921fbdb18b3d4017b1a76ae2f37cb4bc009b5517c050cdaba864e11549652036c88d56fbb31a4997343c64c7abb4265de82b86a7b848aa44a |
memory/2992-16-0x0000000006410000-0x000000000BF8E000-memory.dmp
\Users\Admin\AppData\Local\Temp\Indfrysningers.exe
| MD5 | 057849d89c720ddae62b9006fd7587f9 |
| SHA1 | 66c5732d79b3514e7e98ac01a25b3362f82b5eed |
| SHA256 | dd838e0ad2d227d581a04b9968609c1cf78f8570bcc36fe7abf176ec36d2b5e5 |
| SHA512 | f169462b72e8cf5263b79a8796ab95c2a3d144022e7d34efb911bf5d4cb1c23cb319a060b8688214c183d4fc906cd42f61756b62bbd4e872acf153d104031b90 |
memory/2992-21-0x0000000073690000-0x0000000073C3B000-memory.dmp
memory/2336-22-0x0000000000460000-0x00000000014C2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 13:26
Reported
2024-06-10 13:29
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2500 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2500 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2500 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2188 wrote to memory of 2120 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2188 wrote to memory of 2120 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2188 wrote to memory of 2120 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DHL Package.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Package.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Uropfrer=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del';$Skoleudgavers=$Uropfrer.SubString(54521,3);.$Skoleudgavers($Uropfrer)"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2188 -ip 2188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 2556
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2juaha0.dzb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del
| MD5 | b1bf3757ba661c2fc29713ddaa598605 |
| SHA1 | 5c77e7e505aa16a208499b1a67089bcdba3d349b |
| SHA256 | c8a6d8bb0a194f855387ef00c86f0016c1ba489eb7b6dc729af5853157d418c9 |
| SHA512 | 06a766ab5d297082781db399571d458202bdf155ad1415de5bc453753b640dfba5c9c47047e0aefd964bc6b31a7161e50723a67db4c93276bc35c01412c1d40a |
memory/2188-31-0x0000000007D80000-0x00000000083FA000-memory.dmp
memory/2188-33-0x0000000073E70000-0x0000000074620000-memory.dmp