Overview
Score: 4

Target | Platform | Score
Static | static | 4
McDonnell ...al.pdf | windows7-x64 | 1
McDonnell ...al.pdf | windows10-2004-x64 | 1
McDonnell ...IT.dds | windows7-x64 | 3
McDonnell ...IT.dds | windows10-2004-x64 | 3
McDonnell ...gs.dds | windows7-x64 | 3
McDonnell ...gs.dds | windows10-2004-x64 | 3
McDonnell ...as.png | windows7-x64 | 1
McDonnell ...as.png | windows10-2004-x64 | 3
McDonnell ...er.png | windows7-x64 | 1
McDonnell ...er.png | windows10-2004-x64 | 3
McDonnell ...zq.png | windows7-x64 | 1
McDonnell ...zq.png | windows10-2004-x64 | 3
McDonnell ...RM.png | windows7-x64 | 1
McDonnell ...RM.png | windows10-2004-x64 | 3
McDonnell ...RM.png | windows7-x64 | 1
McDonnell ...RM.png | windows10-2004-x64 | 3
McDonnell ...RM.png | windows7-x64 | 1
McDonnell ...RM.png | windows10-2004-x64 | 3
McDonnell ...ll.obj | windows7-x64 | 3
McDonnell ...ll.obj | windows10-2004-x64 | 3
McDonnell ...ts.obj | windows7-x64 | 3
McDonnell ...ts.obj | windows10-2004-x64 | 3
McDonnell ...in.xpl | ubuntu-20.04-amd64 | 1
McDonnell ...in.dll | windows7-x64 | 1
McDonnell ...in.dll | windows10-2004-x64 | 1
McDonnell ...nit.js | windows7-x64 | 3
McDonnell ...nit.js | windows10-2004-x64 | 3
McDonnell ...rds.js | windows7-x64 | 3
McDonnell ...rds.js | windows10-2004-x64 | 3

Analysis
- max time kernel: 40s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2024, 17:37
Behavioral tasks (task: sample, resource)
- behavioral1: McDonnell Douglas MD-80/X-Plane MD-82 Pilot Operating Manual.pdf (win7-20231129-en)
- behavioral2: McDonnell Douglas MD-80/X-Plane MD-82 Pilot Operating Manual.pdf (win10v2004-20240419-en)
- behavioral3: McDonnell Douglas MD-80/liveries/Alaska Airlines/objects/tail_LIT.dds (win7-20240221-en)
- behavioral4: McDonnell Douglas MD-80/liveries/Alaska Airlines/objects/tail_LIT.dds (win10v2004-20240419-en)
- behavioral5: McDonnell Douglas MD-80/liveries/Alaska Airlines/objects/wings.dds (win7-20231129-en)
- behavioral6: McDonnell Douglas MD-80/liveries/Alaska Airlines/objects/wings.dds (win10v2004-20240419-en)
- behavioral7: McDonnell Douglas MD-80/liveries/Northwest/objects/md80_alas.png (win7-20240221-en)
- behavioral8: McDonnell Douglas MD-80/liveries/Northwest/objects/md80_alas.png (win10v2004-20240419-en)
- behavioral9: McDonnell Douglas MD-80/liveries/Northwest/objects/md80_cola_der.png (win7-20240220-en)
- behavioral10: McDonnell Douglas MD-80/liveries/Northwest/objects/md80_cola_der.png (win10v2004-20240419-en)
- behavioral11: McDonnell Douglas MD-80/liveries/Northwest/objects/md80_cola_izq.png (win7-20240221-en)
- behavioral12: McDonnell Douglas MD-80/liveries/Northwest/objects/md80_cola_izq.png (win10v2004-20240419-en)
- behavioral13: McDonnell Douglas MD-80/objects/cockpit_instr_NRM.png (win7-20240221-en)
- behavioral14: McDonnell Douglas MD-80/objects/cockpit_instr_NRM.png (win10v2004-20240419-en)
- behavioral15: McDonnell Douglas MD-80/objects/cockpit_overhead_NRM.png (win7-20240221-en)
- behavioral16: McDonnell Douglas MD-80/objects/cockpit_overhead_NRM.png (win10v2004-20240226-en)
- behavioral17: McDonnell Douglas MD-80/objects/cockpit_panel_NRM.png (win7-20231129-en)
- behavioral18: McDonnell Douglas MD-80/objects/cockpit_panel_NRM.png (win10v2004-20240419-en)
- behavioral19: McDonnell Douglas MD-80/objects/prefill.obj (win7-20240221-en)
- behavioral20: McDonnell Douglas MD-80/objects/prefill.obj (win10v2004-20240419-en)
- behavioral21: McDonnell Douglas MD-80/objects/seats.obj (win7-20240215-en)
- behavioral22: McDonnell Douglas MD-80/objects/seats.obj (win10v2004-20240419-en)
- behavioral23: McDonnell Douglas MD-80/plugins/xlua/64/lin.xpl (ubuntu2004-amd64-20240221-en)
- behavioral24: McDonnell Douglas MD-80/plugins/xlua/64/win.dll (win7-20240221-en)
- behavioral25: McDonnell Douglas MD-80/plugins/xlua/64/win.dll (win10v2004-20240419-en)
- behavioral26: McDonnell Douglas MD-80/plugins/xlua/init.js (win7-20240221-en)
- behavioral27: McDonnell Douglas MD-80/plugins/xlua/init.js (win10v2004-20240419-en)
- behavioral28: McDonnell Douglas MD-80/plugins/xlua/scripts/md80_safeguards/md80_safeguards.js (win7-20240221-en)
- behavioral29: McDonnell Douglas MD-80/plugins/xlua/scripts/md80_safeguards/md80_safeguards.js (win10v2004-20240226-en)
General
- Target: McDonnell Douglas MD-80/objects/seats.obj
- Size: 9.5MB
- MD5: ea7270857ca9b32e9b15c68534a960c2
- SHA1: 372a4432c747cb2f053a21e8711c35b0fee4381a
- SHA256: cb0469565e96866af46b52703f10b03fe675f940b4996f9119aab9a867161849
- SHA512: 752aef1dd4e7a07bf89ef1bff618f3e7efa03713af517ef856c7bc45240f5b058f289222da3cd077d31009fc014275b760dc6e6430a1a7e5065c5e3c82cb2795
- SSDEEP: 3072:gewkCoGGs4DO5GGW+T/8h+O/veC7uQVrRhFShuCI5YPYY4WYZZ5OGVGoWzsTPcGV:adbgQStJh2GL
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\obj_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.obj\ = "obj_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\obj_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\obj_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\obj_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\obj_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.obj | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\obj_auto_file\shell | rundll32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2704 | AcroRd32.exe
  2704 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1856 wrote to memory of 2592 | 1856 | cmd.exe | 29
  PID 1856 wrote to memory of 2592 | 1856 | cmd.exe | 29
  PID 1856 wrote to memory of 2592 | 1856 | cmd.exe | 29
  PID 2592 wrote to memory of 2704 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2704 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2704 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2704 | 2592 | rundll32.exe | 30
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\objects\seats.obj"
  - Suspicious use of WriteProcessMemory
  PID: 1856
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\objects\seats.obj
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2592
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\objects\seats.obj"
      - Suspicious use of SetWindowsHookEx
      PID: 2704
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 1e2140541363dde20f9092ec6f6d2c44
- SHA1: 34ff9a081f78a5a3c4e5cf918ef918cbb4a4be03
- SHA256: cf532967209d0712cc0d2b0bb6dc399b712725c766766f0d3215515b9c65233f
- SHA512: 3c5b0ee81728603f43dbe9e83064766035749a3bb5a8a4dedc95343339691ac8763bce1e2562735f23c56f90d1568d8ca4a2e937bcb9831f5b74ea60527f1ed1