4c8ad8c9f0db0c959eabf1300cd7403a5cf4670eff4a3c39b71385a87c0aefb5

Analysis

max time kernel
15s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHLReceiptAWB801431484778.exe
Size

537KB
MD5

8b2971a818f5f3f641ae0a523a31ed2f
SHA1

19fe73c8478dca53a1f59df91f64335189ad57e0
SHA256

4c8ad8c9f0db0c959eabf1300cd7403a5cf4670eff4a3c39b71385a87c0aefb5
SHA512

7c7a369eddfaa1db0753d115526d4372941f5f60e0b02b3b4ab8eb347678646dd9ed3e047d0548259490c4af5c28b7dae8df61c601edda022ceab77592840165
SSDEEP

12288:kS7kvDoQnYFVY+QMEheQfIH01ukoEx2HBQXMizdM1A/PkR:kSo7ep2heQzuko6qQBzdpK

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
2960	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DHLReceiptAWB801431484778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
2296	DHLReceiptAWB801431484778.exe
1908	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	DHLReceiptAWB801431484778.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1908	2296	DHLReceiptAWB801431484778.exe	30
PID 2296 wrote to memory of 1908	2296	DHLReceiptAWB801431484778.exe	30
PID 2296 wrote to memory of 1908	2296	DHLReceiptAWB801431484778.exe	30
PID 2296 wrote to memory of 1908	2296	DHLReceiptAWB801431484778.exe	30
PID 2296 wrote to memory of 2960	2296	DHLReceiptAWB801431484778.exe	32
PID 2296 wrote to memory of 2960	2296	DHLReceiptAWB801431484778.exe	32
PID 2296 wrote to memory of 2960	2296	DHLReceiptAWB801431484778.exe	32
PID 2296 wrote to memory of 2960	2296	DHLReceiptAWB801431484778.exe	32
PID 2296 wrote to memory of 3060	2296	DHLReceiptAWB801431484778.exe	33
PID 2296 wrote to memory of 3060	2296	DHLReceiptAWB801431484778.exe	33
PID 2296 wrote to memory of 3060	2296	DHLReceiptAWB801431484778.exe	33
PID 2296 wrote to memory of 3060	2296	DHLReceiptAWB801431484778.exe	33
PID 2296 wrote to memory of 2676	2296	DHLReceiptAWB801431484778.exe	36
PID 2296 wrote to memory of 2676	2296	DHLReceiptAWB801431484778.exe	36
PID 2296 wrote to memory of 2676	2296	DHLReceiptAWB801431484778.exe	36
PID 2296 wrote to memory of 2676	2296	DHLReceiptAWB801431484778.exe	36
PID 2296 wrote to memory of 2816	2296	DHLReceiptAWB801431484778.exe	37
PID 2296 wrote to memory of 2816	2296	DHLReceiptAWB801431484778.exe	37
PID 2296 wrote to memory of 2816	2296	DHLReceiptAWB801431484778.exe	37
PID 2296 wrote to memory of 2816	2296	DHLReceiptAWB801431484778.exe	37
PID 2296 wrote to memory of 2700	2296	DHLReceiptAWB801431484778.exe	38
PID 2296 wrote to memory of 2700	2296	DHLReceiptAWB801431484778.exe	38
PID 2296 wrote to memory of 2700	2296	DHLReceiptAWB801431484778.exe	38
PID 2296 wrote to memory of 2700	2296	DHLReceiptAWB801431484778.exe	38
PID 2296 wrote to memory of 2764	2296	DHLReceiptAWB801431484778.exe	39
PID 2296 wrote to memory of 2764	2296	DHLReceiptAWB801431484778.exe	39
PID 2296 wrote to memory of 2764	2296	DHLReceiptAWB801431484778.exe	39
PID 2296 wrote to memory of 2764	2296	DHLReceiptAWB801431484778.exe	39
PID 2296 wrote to memory of 2904	2296	DHLReceiptAWB801431484778.exe	40
PID 2296 wrote to memory of 2904	2296	DHLReceiptAWB801431484778.exe	40
PID 2296 wrote to memory of 2904	2296	DHLReceiptAWB801431484778.exe	40
PID 2296 wrote to memory of 2904	2296	DHLReceiptAWB801431484778.exe	40

C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe
"C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yNOzyvkGxccq.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNOzyvkGxccq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp426.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe
  "C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
  2⤵
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe
  "C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe
  "C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe
  "C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe
  "C:\Users\Admin\AppData\Local\Temp\DHLReceiptAWB801431484778.exe"
  2⤵
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp426.tmp

Filesize
1KB

MD5
c8381f37d86e3f6aec6dfa72c374f2bb

SHA1
a1d5a09e4bad0e3e93babfc0f699677ff0c0cd1b

SHA256
1a8aa2bf2f5123a6015b7b3154d3c39f6ef3432b1bfbf802af526e0b562bd691

SHA512
12b55f51be9fd54c6538a16194c95cc643fff880f676238dc126053686d7d9dc81ba00cf756222642c9d0093cc79c2f9f0f729d085f6cee05d88b6ec651c4277

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M527BWDNC5DVLHTI2DLU.temp

Filesize
7KB

MD5
a2821d83cb27fb71b64da4e898d3669b

SHA1
6df7296a3b709ba614a7e12ebffe877483250049

SHA256
2e45fd10aa3d6ba895bc29568375389b00342a8610dfd1dbaa31eb9e58b8f55c

SHA512
d52ef2f33ffd07199efd85b458e71cddb7b26a1510617d67fa8618fee93606c15f7648c41f75d5696b9cfdfb1f361e19fed4388b8f6ca39f81b5be9775aedbed

Download Submit
memory/2296-0-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x00000000003B0000-0x0000000000438000-memory.dmp

Filesize
544KB

Download
memory/2296-2-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-3-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2296-4-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/2296-5-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-6-0x0000000004F60000-0x0000000004FC2000-memory.dmp

Filesize
392KB

Download
memory/2296-19-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download