Analysis Overview
SHA256
2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
Threat Level: Known bad
The file 2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
UPX packed file
Checks computer location settings
Deletes itself
Maps connected drives based on registry
Enumerates connected drives
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 04:11
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 3060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 3060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 3060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1816 wrote to memory of 2624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1816 wrote to memory of 2624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1816 wrote to memory of 2624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2624 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2624 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2624 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2624 -ip 2624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1352
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\.txt
| MD5 | 43382e1f053304855e9320c71ed3b6cd |
| SHA1 | a7df410c7cd79bfe9a8fe980226f979d2330a5f9 |
| SHA256 | 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d |
| SHA512 | b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3952 set thread context of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NZ | 49.50.241.103:8080 | | tcp |
| SI | 91.185.204.47:8080 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| CL | 190.114.253.222:443 | 190.114.253.222 | tcp |
| CL | 190.114.253.222:443 | 190.114.253.222 | tcp |
| TR | 77.79.92.75:8080 | | tcp |
| US | 8.8.8.8:53 | 222.253.114.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 178.79.186.35:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| CL | 190.114.253.222:443 | 190.114.253.222 | tcp |
| CA | 216.18.22.214:8080 | | tcp |
| FR | 5.135.213.204:8080 | 5.135.213.204 | tcp |
| US | 8.8.8.8:53 | 204.213.135.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
memory/3952-0-0x0000000000400000-0x000000000041A000-memory.dmp
memory/4776-1-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4776-3-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1212-4-0x00000000008E0000-0x00000000008EE000-memory.dmp
memory/1212-6-0x00000000008E0000-0x00000000008EE000-memory.dmp
memory/3952-7-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
| MD5 | 43382e1f053304855e9320c71ed3b6cd |
| SHA1 | a7df410c7cd79bfe9a8fe980226f979d2330a5f9 |
| SHA256 | 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d |
| SHA512 | b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0000.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80000.dll,#1
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt
Network
Files
C:\Users\Admin\AppData\Local\Temp\.txt
| MD5 | 43382e1f053304855e9320c71ed3b6cd |
| SHA1 | a7df410c7cd79bfe9a8fe980226f979d2330a5f9 |
| SHA256 | 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d |
| SHA512 | b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win7-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1848 set thread context of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe
"C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
Network
| Country | Destination | Domain | Proto |
| TR | 77.79.92.75:8080 | | tcp |
| TR | 77.79.92.75:8080 | | tcp |
| GB | 178.79.186.35:443 | | tcp |
| GB | 178.79.186.35:443 | | tcp |
| ES | 81.25.112.101:443 | | tcp |
| ES | 81.25.112.101:443 | | tcp |
Files
memory/1848-0-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1992-2-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-7-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-5-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-3-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-11-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1848-10-0x0000000000250000-0x000000000026A000-memory.dmp
memory/1848-12-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2784-14-0x0000000000150000-0x0000000000158000-memory.dmp
memory/2784-13-0x0000000000150000-0x0000000000158000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\US_Airways_E-Ticket_Print_Doc.txt
| MD5 | 43382e1f053304855e9320c71ed3b6cd |
| SHA1 | a7df410c7cd79bfe9a8fe980226f979d2330a5f9 |
| SHA256 | 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d |
| SHA512 | b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win7-20240220-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\svchost.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\svchost.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2784 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2784 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2784 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2128 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2128 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2128 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2128 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe
"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt
Network
| Country | Destination | Domain | Proto |
| DE | 78.47.205.35:8080 | | tcp |
| DE | 78.47.205.35:8080 | | tcp |
Files
memory/2784-0-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2784-2-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2784-1-0x0000000000230000-0x0000000000232000-memory.dmp
memory/2128-4-0x0000000000AE0000-0x0000000000AE8000-memory.dmp
memory/2128-3-0x0000000000AE0000-0x0000000000AE8000-memory.dmp
memory/2784-6-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2128-9-0x00000000001D0000-0x0000000000250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.txt
| MD5 | 43382e1f053304855e9320c71ed3b6cd |
| SHA1 | a7df410c7cd79bfe9a8fe980226f979d2330a5f9 |
| SHA256 | 8d4dc3adb1c650cbcd8d6bca245083be6b4949dc74c19b5630391caf44bd0d5d |
| SHA512 | b1cc79429cdec123435de38cd5ebb4f106239167f1d2d490df555443f73351ccdc262e2c0618cd8b6fc430dd30b9f74c96590cb03c7ef72fb90eeef53532ad41 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 04:11
Reported
2024-06-03 04:14
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
103s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe
"C:\Users\Admin\AppData\Local\Temp\WalmartForm_San_Antonio_78218.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/952-0-0x0000000000400000-0x000000000042E000-memory.dmp
memory/952-1-0x0000000000560000-0x0000000000562000-memory.dmp
memory/952-2-0x0000000000400000-0x000000000042E000-memory.dmp