Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-08-2024 11:49
Static task
static1
Behavioral task
behavioral1
Sample
DHL AWB 405986998.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
DHL AWB 405986998.exe
Resource
win10v2004-20240802-en
General
-
Target
DHL AWB 405986998.exe
-
Size
936KB
-
MD5
4b0c7e94c712a92bdb4a84ccef01ac26
-
SHA1
108888e88b8b74ab567874a22abc8513d445678a
-
SHA256
6f00ffaa9b0fe22f4e8e46fc35998010ecabecac8ffbdc4629e1b59372393a6b
-
SHA512
4fa45c2246196ef1ccbd68b4329b3d6f79da8a5df79529628edcd6a1a5f7fc7d6f5740bf02f88a33288f6818dbdf221b7cc14731298af6a287fc0d2f04fc62cf
-
SSDEEP
12288:+Fwj4Jdm9X2I6P3qoJsUkBY7kahSrePdxlqbvPK9DaqEPRCz+bIv/0xRSgHxOt9t:X0Jo91oJES97qlPRg+bIn0XLHxg2Qn
Malware Config
Extracted
Protocol: smtp- Host:
mail.mytravelexplorer.com - Port:
587 - Username:
[email protected] - Password:
2JWcb}iP#4]+
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 1 IoCs
resource yara_rule behavioral2/memory/4800-14-0x0000000000400000-0x00000000004A8000-memory.dmp family_masslogger -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation DHL AWB 405986998.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation DHL AWB 405986998.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook DHL AWB 405986998.exe Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 48 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1396 set thread context of 4800 1396 DHL AWB 405986998.exe 100 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHL AWB 405986998.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHL AWB 405986998.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3416 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4800 DHL AWB 405986998.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1396 DHL AWB 405986998.exe 4800 DHL AWB 405986998.exe 4800 DHL AWB 405986998.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1396 DHL AWB 405986998.exe Token: SeDebugPrivilege 4800 DHL AWB 405986998.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4800 DHL AWB 405986998.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1396 wrote to memory of 3416 1396 DHL AWB 405986998.exe 98 PID 1396 wrote to memory of 3416 1396 DHL AWB 405986998.exe 98 PID 1396 wrote to memory of 3416 1396 DHL AWB 405986998.exe 98 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 PID 1396 wrote to memory of 4800 1396 DHL AWB 405986998.exe 100 -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL AWB 405986998.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL AWB 405986998.exe"C:\Users\Admin\AppData\Local\Temp\DHL AWB 405986998.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Platwf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB10B.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3416
-
-
C:\Users\Admin\AppData\Local\Temp\DHL AWB 405986998.exe"{path}"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4800
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55165fcbd84f653ded5b3355c0eb6b49a
SHA15627521d150a7ea72f0485c6edbab182d2a498be
SHA2562e21c645048ed215e2e338d9dc02f9ebdefbda6ba45e0de42329b572d38bdb41
SHA512976dd24d5adccfd95322a2995f8e894997d65e423b6bb91e77fabb9e98e67be9c1cb90e1a23dcc5371941ff149cedbe439cb6e52de3850a17978ca7c571f5c8f