Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 03:59

General

  • Target
    US_Airways_E-Ticket_Print_Doc.exe
  • Size
    92KB
  • MD5
    53fec0c29fb30de88c9a6a369e8cae62
  • SHA1
    597b9aab24a0bffce34407f5ea8c5082dc4bb3b2
  • SHA256
    4bb1d2130bb7ac35a03eb2f1eb483fc74103cea2086f3fc6984cb8724bcbcbfc
  • SHA512
    852645ae4e7cd4f9f80061f01a56715b3240a7831f00f72f897d12809cd0bfdffdcb218aa15e89b99bb269e83e82cac2d5adfda628969dab8b8f4fac7698bcb8
  • SSDEEP
    1536:IKt4CZ0XlXogPZEtEFNxVJz4sqAbyYPNwHBTUeC3R0FrPQxnLiaO:34CZ4YghAqVFX3PahTULmkn

Score: 7/10

Signatures

  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
    "C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
      "C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Deletes itself
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
          4⤵
            PID:924

Downloads

  • C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
    Filesize
    48B
    MD5
    43382e1f053304855e9320c71ed3b6cd
    SHA1
    a7df410c7cd79bfe9a8fe980226f979d2330a5f9
    SHA256
    8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
    SHA512
    b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41
  • memory/1728-1-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/1728-4-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/2400-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2400-8-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/3212-5-0x0000000000A60000-0x0000000000A6E000-memory.dmp
    Filesize
    56KB
  • memory/3212-7-0x0000000000A60000-0x0000000000A6E000-memory.dmp
    Filesize
    56KB