Overview

overview

10

Static

static

3

DHL report.exe

windows7-x64

10

DHL report.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/03/2025, 00:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL report.exe

  • Size

    48KB

  • MD5

    1b290a481650c19ae56a4c247fd6d421

  • SHA1

    d7de13eff1c16d4771c1dce902644448e45a541d

  • SHA256

    2c383dd4d6b713394e7983af6b541c95dbe5f3a7bcefd4d043f1bc71ef79c2ca

  • SHA512

    4aebcbaa643b72310da722c1b29b6f41cb125346ccc357799797fc84b69ff528ae3cb9e7ee9476db0dc2998ee7eff4deabe58e255626044c865997b209223899

  • SSDEEP

    768:WfrCsUQPEE9TjcLF9vihb1+cDcF69GXF+2YrviNYW4xTM:WzNUgEE9TQLkccDc3XF+2Jv41

Score
10/10
andromedabackdoorbotnetdiscoverypersistence

Malware Config

Signatures

  • Andromeda family
    andromeda
  • Andromeda, Gamarue

    Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    botnetbackdoorandromeda
  • Detects Andromeda payload. 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL report.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL report.exe"
    1⤵
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\syswow64\svchost.exe
      C:\Windows\syswow64\svchost.exe
      2⤵
      • Adds policy Run key to start application
      • Deletes itself
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2152-6-0x0000000000790000-0x0000000000798000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2152-7-0x0000000000790000-0x0000000000798000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2152-9-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2152-13-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2428-0-0x0000000000403000-0x0000000000407000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2428-1-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2428-2-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2428-3-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2428-5-0x0000000000403000-0x0000000000407000-memory.dmp

    Filesize

    16KB

    Download