Analysis
max time kernel: 148s
max time network: 156s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 03:59
Behavioral tasks
behavioral1: WalmartForm_San_Antonio_78218.exe (resource: win7-20240508-en)
behavioral2: WalmartForm_San_Antonio_78218.exe (resource: win10v2004-20240508-en)
behavioral3: d0000.dll (resource: win7-20240508-en)
behavioral4: d0000.dll (resource: win10v2004-20240426-en)
behavioral5: 80000.dll (resource: win7-20240220-en)
behavioral6: 80000.dll (resource: win10v2004-20240508-en)
behavioral7: US_Airways_E-Ticket_Print_Doc.exe (resource: win7-20240419-en)
behavioral8: US_Airways_E-Ticket_Print_Doc.exe (resource: win10v2004-20240508-en)
General
Target: WalmartForm_San_Antonio_78218.exe
Size: 90KB
MD5: d062d420e2ac73b0211afe30063807fa
SHA1: c3ba72fb3f48bd3b4a5fe8b04e3f8b8398e624c1
SHA256: f1b8a10f27cc597281bdd423fd7e9829ecbf036ebe6e7e00d054c55f01454bd8
SHA512: 761ec98c589349e4e511fc255531c5f074b810c56b9b3cec1d9477ec383686e6b8c1d99840f67540c8e83ededc5abf573371b2743ae5a5f58c3900fe9bd8e599
SSDEEP: 1536:eTFOnhmTIgT+jv+d6tS5s8li+C89pjIk7xpPnXv0HX0cFNFXf3FBsThnzUsHR3ey:eBTdPj22FLnIS/0HEQFIn5HRg/
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: svchost.exe)
Deletes itself (1 IoC)
  PID 1932 (process: svchost.exe)
YARA rule match: upx
  resource: behavioral1/memory/1600-0-0x0000000000400000-0x000000000042E000-memory.dmp
Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\D: (process: svchost.exe)
  File opened (read-only): \??\F: (process: svchost.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum (process: svchost.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: svchost.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: svchost.exe)
Opens file in notepad (likely ransom note) (1 IoC)
  PID 2160 (process: NOTEPAD.EXE)
Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1600 (process: WalmartForm_San_Antonio_78218.exe)
  PID 1600 (process: WalmartForm_San_Antonio_78218.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1600 wrote to memory of 1932 (pid: 1600, process: WalmartForm_San_Antonio_78218.exe, procid_target: 28)
  PID 1600 wrote to memory of 1932 (pid: 1600, process: WalmartForm_San_Antonio_78218.exe, procid_target: 28)
  PID 1600 wrote to memory of 1932 (pid: 1600, process: WalmartForm_San_Antonio_78218.exe, procid_target: 28)
  PID 1600 wrote to memory of 1932 (pid: 1600, process: WalmartForm_San_Antonio_78218.exe, procid_target: 28)
  PID 1932 wrote to memory of 2160 (pid: 1932, process: svchost.exe, procid_target: 29)
  PID 1932 wrote to memory of 2160 (pid: 1932, process: svchost.exe, procid_target: 29)
  PID 1932 wrote to memory of 2160 (pid: 1932, process: svchost.exe, procid_target: 29)
  PID 1932 wrote to memory of 2160 (pid: 1932, process: svchost.exe, procid_target: 29)
Processes
1. C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"
   PID: 1600
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 1932
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Deletes itself
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\NOTEPAD.EXE
         command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt
         PID: 2160
         - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 48B
MD5: 43382e1f053304855e9320c71ed3b6cd
SHA1: a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256: 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512: b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41