Malware Analysis Report

2025-01-06 11:35

Sample ID 240603-er9hxscb85
Target 2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
SHA256 2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
Tags
evasion upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda

Threat Level: Known bad

The file 2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda was found to be: Known bad.

Malicious Activity Summary

evasion upx

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

UPX packed file

Checks computer location settings

Deletes itself

Maps connected drives based on registry

Enumerates connected drives

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:11

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
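The static1 signatures above record only that the PE is UPX-packed and unsigned, with no indicator details. The Python below is an added example by the editor, not the sandbox's detection rule, showing the traits such a packer check usually keys on: UPX0/UPX1 section names, a UPX0 section with virtual size but no raw data, the entry point inside UPX1, and a high-entropy packed section. The two PE images it builds in memory are constructed fixtures, not the sample from this report, and the entropy threshold and two-trait rule are the editor's choices.

```python
"""Static check for the traits behind a 'UPX packed file' signature.

Editor's added example, not the sandbox's rule. Parses the PE section table
with struct and scores: UPX0/UPX1 names, a UPX0 section with virtual size but
no raw data, the entry point inside UPX1, and a high-entropy packed section.
The fixtures at the bottom are built in memory; neither is the analysed sample.
"""
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near 8


def shannon_entropy(data):
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + size_opt + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry, sections


def upx_indicators(pe):
    entry, sections = parse_sections(pe)
    names = [s["name"] for s in sections]
    hits = []
    if any(n.startswith("UPX") for n in names):
        hits.append("UPX section names: " + ",".join(names))
    for s in sections:
        if s["name"] == "UPX0" and s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append("UPX0 has virtual size but no raw data (unpack destination)")
        if s["name"] == "UPX1" and s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            hits.append("entry point inside UPX1 (decompression stub)")
        if s["rawsize"] and s["entropy"] > ENTROPY_THRESHOLD:
            hits.append(f"high entropy {s['entropy']:.2f} in {s['name']}")
    return hits


def is_upx_packed(pe):
    # Require two independent traits so a lone renamed section or one dense
    # .rsrc does not trip the check by itself.
    return len(upx_indicators(pe)) >= 2


# --- constructed fixtures (not the analysed sample) ---------------------------

def _pseudo_random(n, seed=b"fixture"):
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_pe(sections, entry):
    """Minimal PE32 from [(name, virtual_size, raw_bytes)], sections paged at 0x1000."""
    nsec, size_opt, align = len(sections), 224, 0x200
    hdr_len = 64 + 4 + 20 + size_opt + 40 * nsec
    pad = (-hdr_len) % align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry) + b"\0" * (size_opt - 20)
    raw_off, vaddr, table, blobs = hdr_len + pad, 0x1000, b"", b""
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(data), raw_off if data else 0, 0, 0, 0, 0, 0xE0000020)
        blobs += data
        raw_off += len(data)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + opt + table + b"\0" * pad + blobs


PACKED = build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x1000, _pseudo_random(0x1000)),
                   (".rsrc", 0x200, b"\0" * 0x200)], entry=0x9100)
CLEAN = build_pe([(".text", 0x1000, b"\x90" * 0x180 + b"\xC3" * 0x80),
                  (".data", 0x200, b"\0" * 0x200)], entry=0x1000)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, is_upx_packed(image), upx_indicators(image))
```

UPX on its own is not evidence of malice, since plenty of legitimate software ships packed; the signature is a reason to unpack and look further, not a verdict. A stock UPX image can be restored with `upx -d` before static analysis, while a build with renamed sections or a patched stub defeats the name check and leaves only the entropy and entry-point traits.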

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SysWOW64\rundll32.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
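The registry rows above are raw NT object-manager paths. The Python below is an added example by the editor, not the sandbox's rule set: it parses rows in this table format, rewrites \REGISTRY\MACHINE and \REGISTRY\USER\<SID> to HKLM and HKU\<SID>, and tags what each access is for (the VirtualBox ACPI DSDT table, Explorer's ShowSuperHidden setting, the BIOS vendor and product strings, the Disk\Enum device list, and the Geo\Nation locale value from behavioral6). The rows are copied from the behavioral4 and behavioral6 tables; the category labels and ATT&CK technique IDs are the editor's mapping, not the report's. Note that the data written to ShowSuperHidden is "1", which makes protected operating-system files visible in Explorer rather than hiding them; the signature name covers the modification in either direction.

```python
"""Normalise sandbox registry rows and tag the purpose of each access.

Editor's added example, not the sandbox's rules. Rows are copied from this
report's behavioral4 and behavioral6 tables; the categories and ATT&CK IDs in
RULES are the editor's mapping.
"""
import re
from collections import defaultdict

# Constructed input: rows copied verbatim from the report tables.
REG_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
"""

# op, NT path (may contain spaces), optional = "data", process, target
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key opened|Key value queried|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<process>C:\\\S+|N/A) (?P<target>\S+)$'
)

# (pattern on the normalised path, category, ATT&CK technique) -- editor's mapping
RULES = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "anti-VM: VirtualBox ACPI table", "T1497.001"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", "Explorer hidden/system-file visibility tamper", "T1564.001"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", "hardware fingerprinting: BIOS vendor/product", "T1082"),
    (r"\\Services\\Disk\\Enum", "drive enumeration via registry", "T1082"),
    (r"\\Control Panel\\International\\Geo\\Nation$", "locale / country check", "T1614"),
]


def parse_reg_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        rows.append(m.groupdict())
    return rows


def normalize(path):
    # \REGISTRY\MACHINE\... -> HKLM\...   \REGISTRY\USER\<SID>[_Classes]\... -> HKU\<SID>[_Classes]\...
    m = re.match(r"\\REGISTRY\\MACHINE\\(.*)$", path, re.I)
    if m:
        return "HKLM\\" + m.group(1)
    m = re.match(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+(?:_Classes)?)\\(.*)$", path, re.I)
    if m:
        return "HKU\\" + m.group(1) + "\\" + m.group(2)
    return path


def tag(row):
    """Return (category, technique) for a row, or None if no rule matches."""
    path = normalize(row["path"])
    for pattern, category, technique in RULES:
        if re.search(pattern, path, re.I):
            return category, technique
    return None


def summarize(text):
    """category -> sorted unique normalised paths, for a whole table."""
    out = defaultdict(set)
    for row in parse_reg_rows(text):
        hit = tag(row)
        if hit:
            out[hit[0]].add(normalize(row["path"]))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for row in parse_reg_rows(REG_ROWS):
        print(row["op"], normalize(row["path"]), row["data"] or "", tag(row))
```

Normalising the hive prefix first matters because the same access shows up under a different user SID in every run (compare the SIDs in behavioral4, behavioral6 and behavioral3); matching on the tail of the path keeps one rule valid across all of them.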

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 3060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4080 wrote to memory of 3060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4080 wrote to memory of 3060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2624 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2624 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2624 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\NOTEPAD.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1352

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3952 set thread context of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 4776 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 4776 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 4776 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1212 wrote to memory of 4772 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1212 wrote to memory of 4772 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1212 wrote to memory of 4772 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
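Read together with the process list that follows, the WriteProcessMemory and SetThreadContext rows describe a chain: the sample writes into and sets the thread context of a second copy of itself (3952 to 4776), that copy writes into an svchost.exe instance whose command line is the bare "svchost.exe" (4776 to 1212), and that svchost.exe is the process the "Deletes itself" signature is attributed to and the one that writes into NOTEPAD.EXE (1212 to 4772) before the note opens. The Python below is an added example by the editor, not the sandbox's logic: it rebuilds this chain from rows in the table format above and labels each hop. The "likely process hollowing" label is the editor's reading of a write plus SetThreadContext into a child running the same image, and the svchost command-line check is a general heuristic (the Service Control Manager starts svchost.exe with "-k <group>"), not something the report states.

```python
"""Rebuild the injection chain from sandbox 'wrote to memory' / 'set thread
context' rows and label each hop.

Editor's added example, not sandbox logic. Rows are copied from this report's
behavioral8 tables (one representative row per pair; the report repeats each
several times) and the command lines from its Processes list.
"""
import ntpath
import re
from collections import defaultdict

# Constructed input: rows from the behavioral8 signature tables.
EVENT_ROWS = r"""
PID 3952 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 3952 set thread context of 4776 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 4776 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1212 wrote to memory of 4772 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
"""

# Command lines from the behavioral8 Processes list, keyed by image basename.
COMMAND_LINES = {
    "svchost.exe": "svchost.exe",
    "NOTEPAD.EXE": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt',
}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        e = m.groupdict()
        e["src"], e["dst"] = int(e["src"]), int(e["dst"])
        e["kind"] = "wrote" if e["kind"].startswith("wrote") else "setctx"
        events.append(e)
    return events


def build_chain(events):
    """Depth-first order of (pid, image basename) reached by memory writes from the root(s)."""
    edges, images = defaultdict(list), {}
    for e in events:
        if e["kind"] != "wrote":
            continue
        if e["dst"] not in edges[e["src"]]:
            edges[e["src"]].append(e["dst"])
        images[e["src"]], images[e["dst"]] = e["src_img"], e["dst_img"]
    targets = {d for ds in edges.values() for d in ds}
    chain, seen = [], set()

    def walk(pid):
        if pid in seen:
            return
        seen.add(pid)
        chain.append((pid, ntpath.basename(images[pid])))
        for nxt in edges.get(pid, []):
            walk(nxt)

    for root in [p for p in list(edges) if p not in targets]:   # writers nobody wrote into
        walk(root)
    return chain


def classify_pairs(events):
    """(src, dst) -> verdict derived from which calls the pair shows."""
    kinds, images = defaultdict(set), {}
    for e in events:
        pair = (e["src"], e["dst"])
        kinds[pair].add(e["kind"])
        images[pair] = (ntpath.basename(e["src_img"]).lower(), ntpath.basename(e["dst_img"]).lower())
    verdicts = {}
    for pair, k in kinds.items():
        src_img, dst_img = images[pair]
        if {"wrote", "setctx"} <= k and src_img == dst_img:
            verdicts[pair] = "likely process hollowing (self-image child)"
        elif {"wrote", "setctx"} <= k:
            verdicts[pair] = "write + thread context change into foreign image"
        elif "wrote" in k:
            verdicts[pair] = "cross-process memory write"
        else:
            verdicts[pair] = "thread context change only"
    return verdicts


def svchost_cmdline_suspicious(cmdline):
    """Heuristic: SCM starts svchost.exe with '-k <group>'; a bare 'svchost.exe' has no group."""
    parts = cmdline.split()
    image = ntpath.basename(parts[0].strip('"')).lower()
    return image == "svchost.exe" and "-k" not in (p.lower() for p in parts[1:])


if __name__ == "__main__":
    events = parse_events(EVENT_ROWS)
    print(" -> ".join(f"{pid} {img}" for pid, img in build_chain(events)))
    for pair, verdict in classify_pairs(events).items():
        print(pair, verdict)
    for img, cmd in COMMAND_LINES.items():
        print(img, "suspicious svchost cmdline" if svchost_cmdline_suspicious(cmd) else "ok")
```

The same walk applied to the behavioral7 rows (1848 to 1992 to 2784 to 2720) and to the rundll32 runs (system32\rundll32.exe writing into SysWOW64\rundll32.exe) gives the corresponding chains; for the rundll32 case the first hop is the 64-bit loader handing off to the 32-bit one, which is expected for a 32-bit DLL and is not by itself an injection.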

Processes

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NZ 49.50.241.103:8080 - tcp
SI 91.185.204.47:8080 - tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
CL 190.114.253.222:443 190.114.253.222 tcp
CL 190.114.253.222:443 190.114.253.222 tcp
TR 77.79.92.75:8080 - tcp
US 8.8.8.8:53 222.253.114.190.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 178.79.186.35:443 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
CL 190.114.253.222:443 190.114.253.222 tcp
CA 216.18.22.214:8080 - tcp
FR 5.135.213.204:8080 5.135.213.204 tcp
US 8.8.8.8:53 204.213.135.5.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
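Most rows in this table are reverse-DNS (in-addr.arpa) lookups sent to 8.8.8.8 and traffic to tse1.mm.bing.net; both also appear in behavioral2, where the sample only crashed, so they are platform background rather than sample behaviour. What remains is a set of TCP connections straight to IP addresses on ports 8080 and 443 with no hostname, two of which (190.114.253.222 and 5.135.213.204) are also reverse-resolved in this run. The Python below is an added example by the editor, not sandbox output: it parses rows in this table format (with or without the Domain column), separates background from direct-IP connections and ties the PTR lookups back to the candidate C2 addresses. The rows are copied from this table; the background suffix list is built only from what this report shows and would be extended from a clean baseline run in practice.

```python
"""Triage sandbox Network rows: background noise vs direct-to-IP connections.

Editor's added example, not sandbox output. NET_ROWS is copied from this
report's behavioral8 table; BACKGROUND_SUFFIXES comes from the hostnames that
appear in the run where the sample only crashed (behavioral2).
"""
import re
from collections import Counter

# Constructed input: rows from behavioral8. Three-column rows have no Domain.
NET_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NZ 49.50.241.103:8080 tcp
SI 91.185.204.47:8080 tcp
CL 190.114.253.222:443 190.114.253.222 tcp
TR 77.79.92.75:8080 tcp
US 8.8.8.8:53 222.253.114.190.in-addr.arpa udp
GB 178.79.186.35:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
CL 190.114.253.222:443 190.114.253.222 tcp
CA 216.18.22.214:8080 tcp
FR 5.135.213.204:8080 5.135.213.204 tcp
US 8.8.8.8:53 204.213.135.5.in-addr.arpa udp
"""

BACKGROUND_SUFFIXES = (".bing.net",)   # seen in the run where the sample did nothing


def parse_net_rows(text):
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:                  # Domain column empty
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError("unparsed row: " + line)
        if domain in ("-", "N/A"):           # placeholder for an empty Domain cell
            domain = ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'222.253.114.190.in-addr.arpa' -> '190.114.253.222'; None if not a PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse-dns"
    if row["port"] == 53:
        return "dns"
    if row["domain"].lower().endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["domain"] in ("", row["ip"]):     # no hostname, or the IP echoed as the name
        return "direct-ip"
    return "named-host"


def triage(rows):
    classes = Counter(classify(r) for r in rows)
    candidates = sorted({f'{r["ip"]}:{r["port"]}' for r in rows
                         if classify(r) == "direct-ip" and r["proto"] == "tcp"})
    candidate_ips = {c.rsplit(":", 1)[0] for c in candidates}
    # PTR lookups whose target is a candidate IP tie the DNS noise to the
    # connections: the run resolved the same address backwards.
    resolved = sorted(ip for ip in {ptr_to_ip(r["domain"]) for r in rows
                                    if classify(r) == "reverse-dns"}
                      if ip in candidate_ips)
    return {"classes": dict(classes), "candidate_c2": candidates,
            "reverse_resolved_c2_ips": resolved}


if __name__ == "__main__":
    for key, value in triage(parse_net_rows(NET_ROWS)).items():
        print(key, value)
```

Direct-to-IP traffic on 8080 and 443 is a heuristic, not proof of command and control, and the report's Country column is the sandbox's own geolocation at the time of the run (2024-06); re-check the addresses before turning them into blocks.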

Files

memory/3952-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4776-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4776-3-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1212-4-0x00000000008E0000-0x00000000008EE000-memory.dmp

memory/1212-6-0x00000000008E0000-0x00000000008EE000-memory.dmp

memory/3952-7-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SysWOW64\rundll32.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\rundll32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win7-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1848 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1848 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe C:\Windows\SysWOW64\svchost.exe
PID 2784 wrote to memory of 2720 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2784 wrote to memory of 2720 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2784 wrote to memory of 2720 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2784 wrote to memory of 2720 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\NOTEPAD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe

"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

Network

Country Destination Domain Proto
TR 77.79.92.75:8080 - tcp
TR 77.79.92.75:8080 - tcp
GB 178.79.186.35:443 - tcp
GB 178.79.186.35:443 - tcp
ES 81.25.112.101:443 - tcp
ES 81.25.112.101:443 - tcp

Files

memory/1848-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1992-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1992-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1992-5-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1992-3-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1992-11-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1848-10-0x0000000000250000-0x000000000026A000-memory.dmp

memory/1848-12-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2784-14-0x0000000000150000-0x0000000000158000-memory.dmp

memory/2784-13-0x0000000000150000-0x0000000000158000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win7-20240220-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\svchost.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\svchost.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt

Network

Country Destination Domain Proto
DE 78.47.205.35:8080 - tcp
DE 78.47.205.35:8080 - tcp

Files

memory/2784-0-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2784-2-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2784-1-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2128-4-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

memory/2128-3-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

memory/2784-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2128-9-0x00000000001D0000-0x0000000000250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt

MD5 43382e1f053304855e9320c71ed3b6cd
SHA1 a7df410c7cd79bfe9a8fe980226f979d2330a5f9
SHA256 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d
SHA512 b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:11

Reported

2024-06-03 04:14

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe

"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/952-0-0x0000000000400000-0x000000000042E000-memory.dmp

memory/952-1-0x0000000000560000-0x0000000000562000-memory.dmp

memory/952-2-0x0000000000400000-0x000000000042E000-memory.dmp