Overview

overview

3

Static

static

IMG_5801.heic

windows10-2004-x64

3

Resubmissions

03/11/2022, 17:35

221103-v5z5eadac9 3

03/11/2022, 17:34

221103-v5j37adac6 4

03/11/2022, 17:33

221103-v4xb5adac3 3

Analysis

  • max time kernel
    107s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2022, 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_5801.heic

  • Size

    2.0MB

  • MD5

    3d885ba243f96dd9df04d9ba9b9d8c76

  • SHA1

    713c5922c77517e0de93d0c3541a4ead8c51d8bd

  • SHA256

    4d01470eed1ad4a96f4bf89f76f6d575f463caae341c2e75cdafe918b55b9892

  • SHA512

    f1f256138bfb71d983117c8a74a1ca536eb7121823aff82f03a514b0593dc4f089f0e2d0d1e072c988ead16363302e18bab8da2571581bbbb2f113359607de64

  • SSDEEP

    49152:71g4fqyZ5PfSTLSLPgBnM5gLNUTU0Nfxno/KJvB4QA:FyyZ5PaLKoVv6tN8KPY

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 48 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\IMG_5801.heic
    1⤵
    • Modifies registry class
    PID:2280
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Program Files\Microsoft Office\root\Office16\Winword.exe
      "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\IMG_5801.heic"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3664

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3664-133-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-134-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-135-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-136-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-137-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-138-0x00007FF9E3000000-0x00007FF9E3010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-139-0x00007FF9E3000000-0x00007FF9E3010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-141-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-142-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-143-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3664-144-0x00007FF9E5370000-0x00007FF9E5380000-memory.dmp

    Filesize

    64KB

    Download