Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
16-07-2024 15:35
Static task
static1
Behavioral task
behavioral1
Sample
DHL_UOC2_240708172813545.pdf.exe
Resource
win7-20240704-en
General
-
Target
DHL_UOC2_240708172813545.pdf.exe
-
Size
1.0MB
-
MD5
2465ce9d09372c4daf8a9d6d36c11915
-
SHA1
08e205473e1bf912fe01e7183cc4e7f880f0e86c
-
SHA256
fa9ea4e8935d55eb5ef1846b525f02572e147be07c11588e55475e1d7a173676
-
SHA512
137e60039c82e7ace769a7914050b0dd7152a57780f4dcb7e6df0ad818fe38f45b2fc0e1ff4eb0d2f0d86cbc6fb0b1cdb74aafb224709755c390a2c390f5fed4
-
SSDEEP
24576:EAHnh+eWsN3skA4RV1Hom2KXMmHa4N1hfjVEc5:Th+ZkldoPK8Ya4NvbVX
Malware Config
Extracted
formbook
4.1
rn94
st68v.xyz
conciergenotary.net
qwechaotk.top
rtpdonatoto29.xyz
8ad.xyz
powermove.top
cameras-30514.bond
vanguardcoffee.shop
umoe53fxc1bsujv.buzz
consultoriamax.net
hplxx.com
ndu.wtf
yzh478c.xyz
bigbrown999.site
xiake07.asia
resdai.xyz
the35678.shop
ba6rf.rest
ceo688.com
phimxhot.xyz
010101-11122-2222.cloud
champion-casino-skw.buzz
laku77.bar
popumail.net
stargazerastrology.click
beauty.university
t460.top
sparkyos.app
day2go.net
minrungis.shop
cognigrid.com
abandoned-houses-39863.bond
liderparti.store
hinet.tech
moviemax.live
business-printer-22001.bond
yakintv.pro
longmaosol.xyz
hello4d.dev
vestircool.store
surpriseinside.net
betflixfan.asia
ln2m1.shop
5302mcavt.website
conf-contact.online
31140.ooo
bdkasinoxox.xyz
nicoleb.tech
mainz-cruise-deals.today
run-run.tokyo
practicalfranchises.info
usmanovbanki-uz.space
superlottery.top
zabbet911.bet
ambassadorshipvottings.click
sangforln.tech
expertoffersusa.lat
plong.cloud
cryptoautomata.dev
dq33xa.xyz
handtools-16660.bond
24763wbk.hair
sportswear-30530.bond
lusuidnx.shop
laske.xyz
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3332-28-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3332-31-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3332-35-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/1240-40-0x0000000000980000-0x00000000009AF000-memory.dmp formbook -
Blocklisted process makes network request 2 IoCs
Processes:
wscript.exeflow pid process 43 1240 wscript.exe 50 1240 wscript.exe -
Drops startup file 1 IoCs
Processes:
name.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe -
Executes dropped EXE 1 IoCs
Processes:
name.exepid process 5072 name.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\directory\name.exe autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
name.exesvchost.exewscript.exedescription pid process target process PID 5072 set thread context of 3332 5072 name.exe svchost.exe PID 3332 set thread context of 3344 3332 svchost.exe Explorer.EXE PID 3332 set thread context of 3344 3332 svchost.exe Explorer.EXE PID 1240 set thread context of 3344 1240 wscript.exe Explorer.EXE -
Modifies registry class 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
svchost.exewscript.exepid process 3332 svchost.exe 3332 svchost.exe 3332 svchost.exe 3332 svchost.exe 3332 svchost.exe 3332 svchost.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe 1240 wscript.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
name.exesvchost.exewscript.exepid process 5072 name.exe 3332 svchost.exe 3332 svchost.exe 3332 svchost.exe 3332 svchost.exe 1240 wscript.exe 1240 wscript.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
svchost.exewscript.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 3332 svchost.exe Token: SeDebugPrivilege 1240 wscript.exe Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE Token: SeShutdownPrivilege 3344 Explorer.EXE Token: SeCreatePagefilePrivilege 3344 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3344 Explorer.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
DHL_UOC2_240708172813545.pdf.exename.exeExplorer.EXEwscript.exedescription pid process target process PID 1656 wrote to memory of 5072 1656 DHL_UOC2_240708172813545.pdf.exe name.exe PID 1656 wrote to memory of 5072 1656 DHL_UOC2_240708172813545.pdf.exe name.exe PID 1656 wrote to memory of 5072 1656 DHL_UOC2_240708172813545.pdf.exe name.exe PID 5072 wrote to memory of 3332 5072 name.exe svchost.exe PID 5072 wrote to memory of 3332 5072 name.exe svchost.exe PID 5072 wrote to memory of 3332 5072 name.exe svchost.exe PID 5072 wrote to memory of 3332 5072 name.exe svchost.exe PID 3344 wrote to memory of 1240 3344 Explorer.EXE wscript.exe PID 3344 wrote to memory of 1240 3344 Explorer.EXE wscript.exe PID 3344 wrote to memory of 1240 3344 Explorer.EXE wscript.exe PID 1240 wrote to memory of 2324 1240 wscript.exe cmd.exe PID 1240 wrote to memory of 2324 1240 wscript.exe cmd.exe PID 1240 wrote to memory of 2324 1240 wscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3332 -
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\svchost.exe"3⤵PID:2324
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185KB
MD51c95c1e5415911bbac633536ebceabda
SHA12c71566ac288b115b4b94d4b0facfad2f5643483
SHA256475a0354d1eae20ebbdb55e8ba86a4eef341b22246cf202ec834c4af03980a3a
SHA512e606df44ff8871d14ff84ebb0781b15884c2df36100ecd3b7dc9c7407761494a7ab3e9f1ddc8eeecf79d051416ece07fe54a9735738f04bf3a1b8d4be38c43e3
-
Filesize
28KB
MD58de38e7797a6470be9995a7f809b0ce1
SHA1663e73bb07e0aa3927fdab180dbc970f3372d190
SHA256e53119a0212391d5aa8a43826a8a166b46f001ecdff29b4f9f25f231dcaea54d
SHA512c9f7293ead1816f44132daf867ee18fcc744754dac83d4eb2101ff00e2c3a096ade79d766e7a45e12989e13ec93a8a469f82dd8f0b850870bf16cf702756e7eb
-
Filesize
1.0MB
MD52465ce9d09372c4daf8a9d6d36c11915
SHA108e205473e1bf912fe01e7183cc4e7f880f0e86c
SHA256fa9ea4e8935d55eb5ef1846b525f02572e147be07c11588e55475e1d7a173676
SHA512137e60039c82e7ace769a7914050b0dd7152a57780f4dcb7e6df0ad818fe38f45b2fc0e1ff4eb0d2f0d86cbc6fb0b1cdb74aafb224709755c390a2c390f5fed4