3952873719ebe020a1a4207f8c20adc4e025c8a9eeb787edfd45bd0b771b3d1c | Triage

Analysis

max time kernel
29s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/09/2022, 13:32

Sharing

Report Analysis Logs

General

Target

Discord-QR-Token-Logger-main/resources/overlay.png
Size

974B
MD5

c67a59cc622419e6f50f66c5edb2a9f5
SHA1

400774823f960c427e6dc51c5b19bd0f88e2b6ab
SHA256

7ff5743333f1b0ebf8cb1b70a89d584309b4b7ed4bae7f618e8f1974ec99b1cc
SHA512

36628476a2b4ec68d3918e0325ee17315c7c4c0d0f3479312d32079b5323aabd74004f31a8bb34d6803634a717ec0c5d4c3ee7f0634e47a2b1d5d142dd2cd4ef

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	rundll32.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\Discord-QR-Token-Logger-main\resources\overlay.png
1⤵
- Suspicious use of FindShellTrayWindow
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download