Analysis
max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
03-06-2024 03:59
Behavioral task
behavioral1
Sample
WalmartForm_San_Antonio_78218.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
WalmartForm_San_Antonio_78218.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
d0000.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
d0000.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
80000.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
80000.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
US_Airways_E-Ticket_Print_Doc.exe
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
US_Airways_E-Ticket_Print_Doc.exe
Resource
win10v2004-20240508-en
General
Target
US_Airways_E-Ticket_Print_Doc.exe
Size
92KB
MD5
53fec0c29fb30de88c9a6a369e8cae62
SHA1
597b9aab24a0bffce34407f5ea8c5082dc4bb3b2
SHA256
4bb1d2130bb7ac35a03eb2f1eb483fc74103cea2086f3fc6984cb8724bcbcbfc
SHA512
852645ae4e7cd4f9f80061f01a56715b3240a7831f00f72f897d12809cd0bfdffdcb218aa15e89b99bb269e83e82cac2d5adfda628969dab8b8f4fac7698bcb8
SSDEEP
1536:IKt4CZ0XlXogPZEtEFNxVJz4sqAbyYPNwHBTUeC3R0FrPQxnLiaO:34CZ4YghAqVFX3PahTULmkn
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2920  svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                            procid_target
  PID 2068 set thread context of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2440  US_Airways_E-Ticket_Print_Doc.exe
  2440  US_Airways_E-Ticket_Print_Doc.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                            procid_target
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2068 wrote to memory of 2440  2068  US_Airways_E-Ticket_Print_Doc.exe  28
  PID 2440 wrote to memory of 2920  2440  US_Airways_E-Ticket_Print_Doc.exe  29
  PID 2440 wrote to memory of 2920  2440  US_Airways_E-Ticket_Print_Doc.exe  29
  PID 2440 wrote to memory of 2920  2440  US_Airways_E-Ticket_Print_Doc.exe  29
  PID 2440 wrote to memory of 2920  2440  US_Airways_E-Ticket_Print_Doc.exe  29
  PID 2920 wrote to memory of 2692  2920  svchost.exe                        30
  PID 2920 wrote to memory of 2692  2920  svchost.exe                        30
  PID 2920 wrote to memory of 2692  2920  svchost.exe                        30
  PID 2920 wrote to memory of 2692  2920  svchost.exe                        30
Processes
1. C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
   "C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
   PID: 2068
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
      "C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
      PID: 2440
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         svchost.exe
         PID: 2920
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
            PID: 2692
Network
MITRE ATT&CK Matrix
Downloads
Filesize
48B
MD5
43382e1f053304855e9320c71ed3b6cd
SHA1
a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256
8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512
b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41