Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 03:59
Behavioral task
behavioral1
Sample
WalmartForm_San_Antonio_78218.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
WalmartForm_San_Antonio_78218.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
d0000.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
d0000.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
80000.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
80000.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
US_Airways_E-Ticket_Print_Doc.exe
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
US_Airways_E-Ticket_Print_Doc.exe
Resource
win10v2004-20240508-en
General
-
Target
80000.dll
-
Size
66KB
-
MD5
400439a05c61cfd61625749a7f1fd8f1
-
SHA1
8f5b0e02f9c6ff5547410e45554996fb64df7002
-
SHA256
0abbe08ec50615e8c1e87192d61b1419e7780251a035e72ffd92e0c6cde60ca2
-
SHA512
2b05470280fde4fecda63035fa397798ae6b18f529a634040282ae9f8969ddaea488662e9f17848db0443b0ce99aa35bd43e01ddaa295c81629c95ac06514beb
-
SSDEEP
1536:i1CNFN96i6NI7q8U3gW6v/0DNHUYbLOyZeZjOdfJxFwKW01uGR/xOi7OCBKzR9dT:i1C3NSeW8UF+hT
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 3 2028 rundll32.exe 5 2028 rundll32.exe 8 2028 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2072 wrote to memory of 2028 2072 rundll32.exe 28 PID 2028 wrote to memory of 2504 2028 rundll32.exe 31 PID 2028 wrote to memory of 2504 2028 rundll32.exe 31 PID 2028 wrote to memory of 2504 2028 rundll32.exe 31 PID 2028 wrote to memory of 2504 2028 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#12⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt3⤵PID:2504
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD543382e1f053304855e9320c71ed3b6cd
SHA1a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA2568d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41