Analysis

max time kernel: 148s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2024 06:40

Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipping DOC_987796013270.exe
Resource: win7-20240705-en
General

Target: DHL Shipping DOC_987796013270.exe
Size: 645KB
MD5: 51d304a31d64e8975c2cdfad3367f686
SHA1: 8cc59a68e3f6f6ada93abfbaeae2b6dc698cd085
SHA256: a4de39a318f8fb37cf0ac7f320a6cf7f8b68a403ea26d3c5f8b82630f6693b70
SHA512: e6158154334f211333430791dce7d90622b0cd90672607a2e3e1ac075b64c89c9313a0bc82196d6bbc80f036022b670fa35e6d7952d87b3e4566eeda2c0f9d59
SSDEEP: 12288:b51eKYx6+DaBbWTYoFnXFqdXKr87wgI7gY10ZAYbmOLPbIQdRlF6v/kR:jUo+uBsFBFMXU87QgYWaYbmOLhRv6va
Malware Config
Extracted
formbook
4.1
dk07
Signatures

Formbook payload (2 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/2808-23-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
    behavioral1/memory/2664-28-0x0000000000070000-0x000000000009F000-memory.dmp | formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid | process):
    2280 | powershell.exe
    2864 | powershell.exe

Deletes itself (1 IoCs)
  Processes (pid | process):
    1076 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 3068 set thread context of 2808 | 3068 | DHL Shipping DOC_987796013270.exe | DHL Shipping DOC_987796013270.exe
    PID 2808 set thread context of 1244 | 2808 | DHL Shipping DOC_987796013270.exe | Explorer.EXE
    PID 2664 set thread context of 1244 | 2664 | cscript.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes (pid | process):
    2808 | DHL Shipping DOC_987796013270.exe (2 entries)
    2864 | powershell.exe
    2280 | powershell.exe
    2664 | cscript.exe (27 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid | process):
    2808 | DHL Shipping DOC_987796013270.exe (3 entries)
    2664 | cscript.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2808 | DHL Shipping DOC_987796013270.exe
    Token: SeDebugPrivilege | 2864 | powershell.exe
    Token: SeDebugPrivilege | 2280 | powershell.exe
    Token: SeDebugPrivilege | 2664 | cscript.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description | pid | process | target process):
    PID 3068 wrote to memory of 2280 | 3068 | DHL Shipping DOC_987796013270.exe | powershell.exe (4 entries)
    PID 3068 wrote to memory of 2864 | 3068 | DHL Shipping DOC_987796013270.exe | powershell.exe (4 entries)
    PID 3068 wrote to memory of 2840 | 3068 | DHL Shipping DOC_987796013270.exe | schtasks.exe (4 entries)
    PID 3068 wrote to memory of 2808 | 3068 | DHL Shipping DOC_987796013270.exe | DHL Shipping DOC_987796013270.exe (7 entries)
    PID 1244 wrote to memory of 2664 | 1244 | Explorer.EXE | cscript.exe (4 entries)
    PID 2664 wrote to memory of 1076 | 2664 | cscript.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1244
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
    PID: 3068
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
      PID: 2280
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YNTqAcPAvosK.exe"
      PID: 2864
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNTqAcPAvosK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13FE.tmp"
      PID: 2840
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
      PID: 2808
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    PID: 2664
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
      PID: 1076
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 5513144a8ae38412850dff4d37167bfd
SHA1: 9fa635e9bd479caf2785116cae76ee65664a4091
SHA256: fb2a67b882ee754a25130470a97669ecafab3fbaa708eab427fc73f35661ea1e
SHA512: c3b5ad7a16a678ccc6a59ea38573bef6230c059e78d70745646129976eb78e689a29162ec7e44c8d073927eb2594c40f2567481b1a19e8051ba5c715f3ec5878

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 9016ac5ad5aa685b4def3fb6c06b8cee
SHA1: 671d69738a11c0ed9d27f042fe97be01051214b7
SHA256: add1b7dec99197818de85fc5deb346a3c39221050ff50bee19cbcbd5f2224680
SHA512: 547d4781c8658d1e06fb272ec42be62dcfcda0e7d81cab59ff0cd6b613ebb42ae6ebb8359914ae60cfb45661ce3f3c9847277625c7ce12df0030945e2b8fa871