General

  • Target

    2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda

  • Size

    224KB

  • Sample

    240603-er9hxscb85

  • MD5

    9077ec98bd1a022616452acdc2d59799

  • SHA1

    b70a2e8f750b9ff50f6d747725c0ff0ec5ad7823

  • SHA256

    2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda

  • SHA512

    45c6b984d084509122a4c8afe0e82f8a179614fe7f0498c9dfc37fe7561cd60a47224e7b724f9b381ec9802221d28819d11fe8ab01309b4110e49005fa9d261e

  • SSDEEP

    6144:SVSkzVWbiexiQOCJAsCOrastbs+6HdwNg:S0kRiiTQOcnraEsZdL

Score
10/10

Malware Config

Targets

    • Target

      WalmartForm_San_Antonio_78218.exe

    • Size

      90KB

    • MD5

      d062d420e2ac73b0211afe30063807fa

    • SHA1

      c3ba72fb3f48bd3b4a5fe8b04e3f8b8398e624c1

    • SHA256

      f1b8a10f27cc597281bdd423fd7e9829ecbf036ebe6e7e00d054c55f01454bd8

    • SHA512

      761ec98c589349e4e511fc255531c5f074b810c56b9b3cec1d9477ec383686e6b8c1d99840f67540c8e83ededc5abf573371b2743ae5a5f58c3900fe9bd8e599

    • SSDEEP

      1536:eTFOnhmTIgT+jv+d6tS5s8li+C89pjIk7xpPnXv0HX0cFNFXf3FBsThnzUsHR3ey:eBTdPj22FLnIS/0HEQFIn5HRg/

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Deletes itself

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      d0000.dll

    • Size

      74KB

    • MD5

      0d655ecb0b27564685114e1d2e598627

    • SHA1

      9834d2149842cb807dcfd6b9282eebbfc27f64dc

    • SHA256

      c56792bea8ac5fbf893ae3df1be0c3c878a615db6b24fd5253e5cbbc2e3e1dd3

    • SHA512

      657172e7b19bfd286d7f1f6336ff8638cf9a62686f72f955a3dfe519a923c1aa953bdf4f533c39cbd6b9c10dffa2101f0f0770de2696f3a8e79c413a535a25ee

    • SSDEEP

      1536:MS1LKOuMVMCL5D8Nbv5BXg06v/0DNHUYbLOyZeZjOLfJxFwKW01uGR/xOi7OCAf7:MS1HVMCL5EL/9KCRihn

    Score
    10/10
    • Modifies visibility of hidden/system files in Explorer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      80000.dll

    • Size

      66KB

    • MD5

      400439a05c61cfd61625749a7f1fd8f1

    • SHA1

      8f5b0e02f9c6ff5547410e45554996fb64df7002

    • SHA256

      0abbe08ec50615e8c1e87192d61b1419e7780251a035e72ffd92e0c6cde60ca2

    • SHA512

      2b05470280fde4fecda63035fa397798ae6b18f529a634040282ae9f8969ddaea488662e9f17848db0443b0ce99aa35bd43e01ddaa295c81629c95ac06514beb

    • SSDEEP

      1536:i1CNFN96i6NI7q8U3gW6v/0DNHUYbLOyZeZjOdfJxFwKW01uGR/xOi7OCBKzR9dT:i1C3NSeW8UF+hT

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      US_Airways_E-Ticket_Print_Doc.exe

    • Size

      92KB

    • MD5

      53fec0c29fb30de88c9a6a369e8cae62

    • SHA1

      597b9aab24a0bffce34407f5ea8c5082dc4bb3b2

    • SHA256

      4bb1d2130bb7ac35a03eb2f1eb483fc74103cea2086f3fc6984cb8724bcbcbfc

    • SHA512

      852645ae4e7cd4f9f80061f01a56715b3240a7831f00f72f897d12809cd0bfdffdcb218aa15e89b99bb269e83e82cac2d5adfda628969dab8b8f4fac7698bcb8

    • SSDEEP

      1536:IKt4CZ0XlXogPZEtEFNxVJz4sqAbyYPNwHBTUeC3R0FrPQxnLiaO:34CZ4YghAqVFX3PahTULmkn

    Score
    7/10
    • Deletes itself

    • Suspicious use of SetThreadContext
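
    Four of the signatures above (VirtualBox ACPI check, drive mapping from the registry, hidden-file visibility change, country-code lookup) are registry-access behaviours. The Python below is an added example, not part of this report or of the sandbox's own rules: it runs simple key-pattern rules over a handful of constructed registry events and attributes the matching signature names per process, the way the report lists them per target. The report does not state which keys each signature matches; the paths used here (HKLM\HARDWARE\ACPI\{DSDT,FADT,RSDT}\VBOX__, HKLM\SYSTEM\MountedDevices, the Explorer\Advanced Hidden/ShowSuperHidden values, and HKCU\Control Panel\International\Geo\Nation) are the well-known locations for these checks and are an assumption of the example, as is the normalised "process|operation|key" event format.

    ```python
    import re

    # Constructed registry-access events (not taken from the report's traces), in a
    # normalised "process|operation|key" form similar to what a sandbox API trace or
    # Sysmon Event ID 12/13 yields once hive names are shortened to HKLM/HKCU.
    SAMPLE_EVENTS = [
        r"WalmartForm_San_Antonio_78218.exe|RegOpenKey|HKLM\HARDWARE\ACPI\DSDT\VBOX__",
        r"WalmartForm_San_Antonio_78218.exe|RegOpenKey|HKLM\HARDWARE\ACPI\FADT\VBOX__",
        r"WalmartForm_San_Antonio_78218.exe|RegEnumValue|HKLM\SYSTEM\MountedDevices",
        r"d0000.dll|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        r"80000.dll|RegQueryValue|HKCU\Control Panel\International\Geo\Nation",
        r"explorer.exe|RegQueryValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    ]

    # Rule table: report signature name -> (operations that count, key pattern).
    # Key paths are assumed mappings for each signature, not taken from the report.
    RULES = {
        "Identifies VirtualBox via ACPI registry values (likely anti-VM)": (
            {"RegOpenKey", "RegQueryValue"},
            re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
        "Maps connected drives based on registry": (
            {"RegOpenKey", "RegQueryValue", "RegEnumValue"},
            re.compile(r"^HKLM\\SYSTEM\\MountedDevices(\\|$)", re.I)),
        "Modifies visibility of hidden/system files in Explorer": (
            {"RegSetValue"},   # a write, not a read: reading these values is benign
            re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
                       r"\\Advanced\\(Hidden|ShowSuperHidden)$", re.I)),
        "Checks computer location settings": (
            {"RegQueryValue"},
            re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I)),
    }


    def parse_event(line: str):
        """Split one normalised event into (process, operation, key)."""
        proc, op, key = line.split("|", 2)
        return proc, op, key


    def match_events(events):
        """Return {signature: sorted list of processes that triggered it}."""
        hits = {}
        for line in events:
            proc, op, key = parse_event(line)
            for sig, (ops, pattern) in RULES.items():
                if op in ops and pattern.search(key):
                    hits.setdefault(sig, set()).add(proc)
        return {sig: sorted(procs) for sig, procs in hits.items()}


    def signatures_by_process(events):
        """Invert match_events(): {process: sorted list of signature names}."""
        per_proc = {}
        for sig, procs in match_events(events).items():
            for proc in procs:
                per_proc.setdefault(proc, set()).add(sig)
        return {proc: sorted(sigs) for proc, sigs in per_proc.items()}


    if __name__ == "__main__":
        for proc, sigs in signatures_by_process(SAMPLE_EVENTS).items():
            print(proc)
            for sig in sigs:
                print("  -", sig)
    ```

    The rule for the Explorer visibility change only fires on a value write; a plain read of Hidden/ShowSuperHidden is normal application behaviour, and without that distinction the rule would flag the unrelated explorer.exe event as well.
    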

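    The "UPX packed file" signature on the first target is a static check. The Python below is an added example, not part of this report or of the sandbox's detection logic: it parses the PE section table by hand and reports the indicators such a check relies on, namely the UPX0/UPX1 section names, the UPX! marker, and the first-section layout (zero raw size, non-zero virtual size) that survives even when a modified UPX build renames its sections. The PE images are constructed inline as test data; they are not the files listed in this report, and the 0xF0 optional-header size and zeroed optional header are assumptions of the constructor.

    ```python
    import struct

    # Section names written by stock UPX. A "modified UPX" build often renames
    # them, which is why the layout heuristic below is checked too.
    UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
    UPX_MAGIC = b"UPX!"          # packer header marker left in the image by UPX


    def parse_sections(data: bytes) -> list:
        """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table and
        return one dict per section (name, vsize, vaddr, rawsize, rawptr)."""
        if len(data) < 0x40 or data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("PE signature not found at e_lfanew")
        coff = e_lfanew + 4
        (_machine, nsections, _stamp, _symptr, _nsyms,
         opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
        table = coff + 20 + opt_size            # COFF file header is 20 bytes
        sections = []
        for i in range(nsections):
            off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
            if off + 40 > len(data):
                raise ValueError("truncated section table")
            name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
            sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                             "vsize": vsize, "vaddr": vaddr,
                             "rawsize": rawsize, "rawptr": rawptr})
        return sections


    def upx_indicators(data: bytes) -> list:
        """Return the list of UPX indicators found; an empty list means no evidence."""
        sections = parse_sections(data)
        names = [s["name"] for s in sections]
        reasons = []
        hits = [n for n in names if n in UPX_SECTION_NAMES]
        if hits:
            reasons.append("UPX section names: " + ",".join(hits))
        if UPX_MAGIC in data:
            reasons.append("UPX! marker present")
        # Stock UPX layout: the first section reserves the unpacked image's
        # virtual size but carries no raw data; the second holds the packed blob.
        if (len(sections) >= 2 and sections[0]["rawsize"] == 0
                and sections[0]["vsize"] > 0 and sections[1]["rawsize"] > 0):
            reasons.append("first section has zero raw size but non-zero virtual size")
        return reasons


    def build_test_pe(section_specs, trailer: bytes = b"") -> bytes:
        """Assemble a minimal, non-runnable PE image with the given section headers.
        Constructed test data only; not any file from this report."""
        dos = bytearray(0x40)
        dos[:2] = b"MZ"
        struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header follows the DOS header
        opt_size = 0xF0                              # PE32+ optional header size, body left zeroed
        coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, opt_size, 0x22)
        table = b"".join(struct.pack("<8sIIII", n.encode(), vs, va, rs, rp) + b"\0" * 16
                         for n, vs, va, rs, rp in section_specs)
        return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table + trailer


    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    PACKED_SAMPLE = build_test_pe(
        [("UPX0", 0x20000, 0x1000, 0, 0x400),
         ("UPX1", 0xC000, 0x21000, 0xB800, 0x400),
         (".rsrc", 0x1000, 0x2D000, 0x600, 0xBC00)],
        trailer=b"\0" * 16 + UPX_MAGIC + b"\0" * 8)
    MODIFIED_PACKED_SAMPLE = build_test_pe(        # sections renamed, marker stripped
        [(".text", 0x20000, 0x1000, 0, 0x400),
         (".data", 0xC000, 0x21000, 0xB800, 0x400)])
    PLAIN_SAMPLE = build_test_pe(
        [(".text", 0x5000, 0x1000, 0x5000, 0x400),
         (".data", 0x1000, 0x6000, 0x800, 0x5400)])


    if __name__ == "__main__":
        for label, image in [("packed", PACKED_SAMPLE),
                             ("modified-packed", MODIFIED_PACKED_SAMPLE),
                             ("plain", PLAIN_SAMPLE)]:
            print(label, "->", upx_indicators(image) or "no UPX indicators")
    ```

    The section-name and marker checks are the cheap ones a renamed build defeats; the layout check is what still distinguishes the modified-UPX image here from the plain one, which is the reason the report's signature speaks of "UPX/modified UPX".
    
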
MITRE ATT&CK Enterprise v15

Tasks