Malware Analysis Report

2025-01-06 11:49

Sample ID 240603-ekkwzsae8v
Target 9077ec98bd1a022616452acdc2d59799_JaffaCakes118
SHA256 2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
Tags
upx evasion
score
10/10

Analysis Overview

score
10/10

SHA256

2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda

Threat Level: Known bad

The file 9077ec98bd1a022616452acdc2d59799_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx evasion

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Deletes itself

UPX packed file

Checks computer location settings

Maps connected drives based on registry

Enumerates connected drives

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies registry class

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 480

Network


Files

memory/2788-1-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/2788-0-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2788-2-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SysWOW64\rundll32.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win7-20240220-en

Max time kernel

138s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt

Network

Country Destination Domain Proto
GB 178.79.186.35:443 tcp
GB 178.79.186.35:443 tcp
US 166.78.7.193:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win7-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\svchost.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\svchost.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt

Network

Country Destination Domain Proto
US 108.178.32.3:8080 108.178.32.3 tcp
DE 144.76.194.170:443 tcp
DE 144.76.194.170:443 tcp

Files

memory/1600-0-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1600-2-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1600-1-0x0000000000230000-0x0000000000232000-memory.dmp

memory/1932-4-0x0000000000130000-0x0000000000138000-memory.dmp

memory/1932-3-0x0000000000130000-0x0000000000138000-memory.dmp

memory/1600-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1932-9-0x00000000002F0000-0x0000000000370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SysWOW64\rundll32.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 1896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 772 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 772 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1940 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1940 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\NOTEPAD.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1012

Network


Files

C:\Users\Admin\AppData\Local\Temp\.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win7-20240419-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2068 set thread context of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2068 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2440 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 2440 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 2440 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 2440 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 2920 wrote to memory of 2692 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2920 wrote to memory of 2692 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2920 wrote to memory of 2692 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2920 wrote to memory of 2692 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

Network

Country Destination Domain Proto
NZ 49.50.241.103:8080 tcp
NZ 49.50.241.103:8080 tcp
GB 176.227.204.58:8080 tcp
GB 176.227.204.58:8080 tcp
US 192.184.94.72:443 tcp
US 192.184.94.72:443 tcp

Files

memory/2068-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2068-1-0x0000000000320000-0x000000000033A000-memory.dmp

memory/2440-3-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2440-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2440-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2440-6-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2440-4-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2920-11-0x0000000000E20000-0x0000000000E28000-memory.dmp

memory/2920-12-0x0000000000E20000-0x0000000000E28000-memory.dmp

memory/2068-13-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-03 03:59

Reported

2024-06-03 04:02

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2400 set thread context of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2400 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2400 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2400 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2400 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 2400 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1728 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1728 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1728 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 3212 wrote to memory of 924 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3212 wrote to memory of 924 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3212 wrote to memory of 924 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

Network


Files

memory/2400-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1728-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1728-4-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3212-5-0x0000000000A60000-0x0000000000A6E000-memory.dmp

memory/3212-7-0x0000000000A60000-0x0000000000A6E000-memory.dmp

memory/2400-8-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41