Analysis

  • max time kernel
    121s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2024, 17:37

General

  • Target

    McDonnell Douglas MD-80/liveries/Alaska Airlines/objects/tail_LIT.dds

  • Size

    1.3MB

  • MD5

    d7329b92d2c7d98934820d7b4388da94

  • SHA1

    83017bef5527fffb98be2850249d0925d9307cd5

  • SHA256

    f17e6ab07e1e64f4d3dc8107b2f39a105ae4a2aec1e9cf64d1b6ba87e1276d61

  • SHA512

    ebcc8eae4c10635177a644f017111ffe225d4c426fc7e5c0dfb64c4ff1d8208aa4a8ddfa584465fdb1d42b8b088ed70469975f3fa5a605d0ecc7cf812aa7c2e3

  • SSDEEP

    3072:zobYMnm/CSG5g7s5FJXB0uO3tDoYPTLzXCpGlL+FhmwSbr0paLRW668z26yUJGQR:zKm/v0gsJALRQFhmwSbr0paLRW660x7/

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\liveries\Alaska Airlines\objects\tail_LIT.dds"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\liveries\Alaska Airlines\objects\tail_LIT.dds
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\liveries\Alaska Airlines\objects\tail_LIT.dds"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2260
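The tree above is the signature of a sandbox harness opening a data file rather than of the file doing anything itself: `cmd /c "<file>"` on a `.dds` with no registered handler is passed to the shell, which falls back to `shell32.dll,OpenAs_RunDLL` (the "Open with" dialog), and the handler selected in that dialog (here Adobe Reader 9) is the process that produces the `SetWindowsHookEx` and `GetForegroundWindowSpam` hits. The script below is an added example, not part of the report or the sandbox's own tooling: it rebuilds parent/child links from rows shaped like the Processes section (PIDs and command lines copied from the report; the extension list and the heuristic itself are assumptions for illustration) and flags this chain so the analyst can discount the handler's behaviour before reading the signatures.

```python
"""Flag the cmd /c -> rundll32 OpenAs_RunDLL -> handler chain in a sandbox process tree.

Added example; the sample rows are constructed from the report's Processes section.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the report: (depth, pid, command line).
SAMPLE_TREE = [
    (1, 2352, r'cmd /c "C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\liveries\Alaska Airlines\objects\tail_LIT.dds"'),
    (2, 2572, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\liveries\Alaska Airlines\objects\tail_LIT.dds'),
    (3, 2260, r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\McDonnell Douglas MD-80\liveries\Alaska Airlines\objects\tail_LIT.dds"'),
]

# Assumption: extensions the shell executes directly; anything else launched via
# cmd /c goes through file association lookup (and the Open With dialog if none).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi",
                   ".js", ".vbs", ".wsf", ".hta", ".ps1"}


@dataclass
class Proc:
    depth: int
    pid: int
    cmdline: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def build_tree(rows) -> List[Proc]:
    """Rebuild parent/child links from (depth, pid, cmdline) rows in report order."""
    procs, stack = [], []
    for depth, pid, cmdline in rows:
        p = Proc(depth, pid, cmdline)
        while stack and stack[-1].depth >= depth:   # pop back to this row's parent
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first token (quoted or bare) of a command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = (m.group(1) or m.group(2)) if m else ""
    return ntpath.basename(exe).lower()


def launched_file(cmdline: str) -> Optional[str]:
    """For `cmd /c "<path>"` return <path>; None for any other cmd invocation."""
    m = re.match(r'\s*cmd(?:\.exe)?\s+/c\s+"([^"]+)"\s*$', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def open_with_chain(procs: List[Proc]) -> Optional[Tuple[str, Optional[str]]]:
    """Find cmd /c <non-executable file> -> rundll32 shell32.dll,OpenAs_RunDLL -> handler.

    Returns (launched path, handler image name) or None if the pattern is absent.
    """
    for p in procs:
        if image_name(p.cmdline) not in ("cmd", "cmd.exe"):
            continue
        path = launched_file(p.cmdline)
        if path is None or ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTS:
            continue
        for child in p.children:
            c = child.cmdline.lower()
            if image_name(child.cmdline) == "rundll32.exe" and "openas_rundll" in c:
                handlers = [image_name(g.cmdline) for g in child.children]
                return path, (handlers[0] if handlers else None)
    return None


def triage(rows) -> dict:
    """Summarise whether the tree is just the harness opening a data file."""
    chain = open_with_chain(build_tree(rows))
    if chain is None:
        return {"harness_artifact": False, "launched_file": None, "handler": None}
    path, handler = chain
    return {"harness_artifact": True,
            "launched_file": ntpath.basename(path),
            "handler": handler}


if __name__ == "__main__":
    print(triage(SAMPLE_TREE))
```

When `harness_artifact` is true, the handler (here `acrord32.exe`) was chosen in the Open With dialog, so nothing in the tree shows the `.dds` being parsed by a component that owns that extension; a hook or window-spam signature on that handler says little about the sample, and the file should be checked for a genuine DDS header and any trailing data separately.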

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    478ca33b01b542d4a8441e5dd9624e68

    SHA1

    b2fadb02bcac2c5bcfacf17dd3873d2cec81864b

    SHA256

    677554393f0c9793687eb7492670b93464a2a6387b34853df36648160e27d26e

    SHA512

    0a78aa1a6b59ff997153e24e3ad84ce124a5022905c2c68d4b35f976debd7ed93899a5213519d55a2c46d583107f1c95e5b837b79d9d4279591cac79a0f51ef2