Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2024 06:40
Static task: static1
Behavioral task: behavioral1
Sample: DHL Shipping DOC_987796013270.exe
Resource: win7-20240705-en
General
Target: DHL Shipping DOC_987796013270.exe
Size: 645KB
MD5: 51d304a31d64e8975c2cdfad3367f686
SHA1: 8cc59a68e3f6f6ada93abfbaeae2b6dc698cd085
SHA256: a4de39a318f8fb37cf0ac7f320a6cf7f8b68a403ea26d3c5f8b82630f6693b70
SHA512: e6158154334f211333430791dce7d90622b0cd90672607a2e3e1ac075b64c89c9313a0bc82196d6bbc80f036022b670fa35e6d7952d87b3e4566eeda2c0f9d59
SSDEEP: 12288:b51eKYx6+DaBbWTYoFnXFqdXKr87wgI7gY10ZAYbmOLPbIQdRlF6v/kR:jUo+uBsFBFMXU87QgYWaYbmOLhRv6va
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: dk07
Signatures
-
Formbook payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2940-35-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2736-90-0x0000000000AD0000-0x0000000000AFF000-memory.dmp | formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
512 | powershell.exe
1444 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | DHL Shipping DOC_987796013270.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 544 set thread context of 2940 | 544 | DHL Shipping DOC_987796013270.exe | DHL Shipping DOC_987796013270.exe
PID 2940 set thread context of 3512 | 2940 | DHL Shipping DOC_987796013270.exe | Explorer.EXE
PID 2736 set thread context of 3512 | 2736 | cmmon32.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
(64 hits, collapsed by pid/process)
pid | process | hits
1444 | powershell.exe | 3
512 | powershell.exe | 3
544 | DHL Shipping DOC_987796013270.exe | 4
2940 | DHL Shipping DOC_987796013270.exe | 6
2736 | cmmon32.exe | 48
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
2940 | DHL Shipping DOC_987796013270.exe
2940 | DHL Shipping DOC_987796013270.exe
2940 | DHL Shipping DOC_987796013270.exe
2736 | cmmon32.exe
2736 | cmmon32.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 512 | powershell.exe
Token: SeDebugPrivilege | 1444 | powershell.exe
Token: SeDebugPrivilege | 544 | DHL Shipping DOC_987796013270.exe
Token: SeDebugPrivilege | 2940 | DHL Shipping DOC_987796013270.exe
Token: SeDebugPrivilege | 2736 | cmmon32.exe
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Token: SeShutdownPrivilege | 3512 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3512 | Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3512 | Explorer.EXE
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
(27 hits, collapsed by row)
description | pid | process | target process | hits
PID 544 wrote to memory of 512 | 544 | DHL Shipping DOC_987796013270.exe | powershell.exe | 3
PID 544 wrote to memory of 1444 | 544 | DHL Shipping DOC_987796013270.exe | powershell.exe | 3
PID 544 wrote to memory of 700 | 544 | DHL Shipping DOC_987796013270.exe | schtasks.exe | 3
PID 544 wrote to memory of 1304 | 544 | DHL Shipping DOC_987796013270.exe | DHL Shipping DOC_987796013270.exe | 3
PID 544 wrote to memory of 3588 | 544 | DHL Shipping DOC_987796013270.exe | DHL Shipping DOC_987796013270.exe | 3
PID 544 wrote to memory of 2940 | 544 | DHL Shipping DOC_987796013270.exe | DHL Shipping DOC_987796013270.exe | 6
PID 3512 wrote to memory of 2736 | 3512 | Explorer.EXE | cmmon32.exe | 3
PID 2736 wrote to memory of 4388 | 2736 | cmmon32.exe | cmd.exe | 3
Processes
-
C:\Windows\Explorer.EXE (PID 3512, level 1)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe (PID 544, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 512, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1444, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YNTqAcPAvosK.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 700, level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNTqAcPAvosK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE00F.tmp"
      - Scheduled Task/Job: Scheduled Task
    C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe (PID 1304, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
    C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe (PID 3588, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
    C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe (PID 2940, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmmon32.exe (PID 2736, level 2)
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4388, level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Shipping DOC_987796013270.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads