Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 03:59

General

  • Target

    WalmartForm_San_Antonio_78218.exe

  • Size

    90KB

  • MD5

    d062d420e2ac73b0211afe30063807fa

  • SHA1

    c3ba72fb3f48bd3b4a5fe8b04e3f8b8398e624c1

  • SHA256

    f1b8a10f27cc597281bdd423fd7e9829ecbf036ebe6e7e00d054c55f01454bd8

  • SHA512

    761ec98c589349e4e511fc255531c5f074b810c56b9b3cec1d9477ec383686e6b8c1d99840f67540c8e83ededc5abf573371b2743ae5a5f58c3900fe9bd8e599

  • SSDEEP

    1536:eTFOnhmTIgT+jv+d6tS5s8li+C89pjIk7xpPnXv0HX0cFNFXf3FBsThnzUsHR3ey:eBTdPj22FLnIS/0HEQFIn5HRg/

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe
    "C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Deletes itself
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt

    Filesize

    48B

    MD5

    43382e1f053304855e9320c71ed3b6cd

    SHA1

    a7df410c7cd79bfe9a8fe980226f979d2330a5f9

    SHA256

    8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d

    SHA512

    b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

  • memory/1600-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1600-2-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/1600-1-0x0000000000230000-0x0000000000232000-memory.dmp

    Filesize

    8KB

  • memory/1600-6-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1932-4-0x0000000000130000-0x0000000000138000-memory.dmp

    Filesize

    32KB

  • memory/1932-3-0x0000000000130000-0x0000000000138000-memory.dmp

    Filesize

    32KB

  • memory/1932-9-0x00000000002F0000-0x0000000000370000-memory.dmp

    Filesize

    512KB