Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 03:59
Behavioral tasks
- behavioral1: Sample WalmartForm_San_Antonio_78218.exe, Resource win7-20240508-en
- behavioral2: Sample WalmartForm_San_Antonio_78218.exe, Resource win10v2004-20240508-en
- behavioral3: Sample d0000.dll, Resource win7-20240508-en
- behavioral4: Sample d0000.dll, Resource win10v2004-20240426-en
- behavioral5: Sample 80000.dll, Resource win7-20240220-en
- behavioral6: Sample 80000.dll, Resource win10v2004-20240508-en
- behavioral7: Sample US_Airways_E-Ticket_Print_Doc.exe, Resource win7-20240419-en
- behavioral8: Sample US_Airways_E-Ticket_Print_Doc.exe, Resource win10v2004-20240508-en
General
- Target: d0000.dll
- Size: 74KB
- MD5: 0d655ecb0b27564685114e1d2e598627
- SHA1: 9834d2149842cb807dcfd6b9282eebbfc27f64dc
- SHA256: c56792bea8ac5fbf893ae3df1be0c3c878a615db6b24fd5253e5cbbc2e3e1dd3
- SHA512: 657172e7b19bfd286d7f1f6336ff8638cf9a62686f72f955a3dfe519a923c1aa953bdf4f533c39cbd6b9c10dffa2101f0f0770de2696f3a8e79c413a535a25ee
- SSDEEP: 1536:MS1LKOuMVMCL5D8Nbv5BXg06v/0DNHUYbLOyZeZjOLfJxFwKW01uGR/xOi7OCAf7:MS1HVMCL5EL/9KCRihn
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"; Process: rundll32.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; Process: rundll32.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); ioc: \??\D:; Process: rundll32.exe
  description: File opened (read-only); ioc: \??\F:; Process: rundll32.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum; Process: rundll32.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0; Process: rundll32.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; Process: rundll32.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; Process: rundll32.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2868 wrote to memory of 1896; pid: 2868; Process: rundll32.exe; procid_target: 82
  description: PID 2868 wrote to memory of 1896; pid: 2868; Process: rundll32.exe; procid_target: 82
  description: PID 2868 wrote to memory of 1896; pid: 2868; Process: rundll32.exe; procid_target: 82
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
  PID: 2868
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
    PID: 1896
    - Modifies visibility of hidden/system files in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Enumerates system info in registry