Analysis
-
max time kernel
570s -
max time network
454s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-03-2024 16:03
Static task
static1
Behavioral task
behavioral1
Sample
x32_x64_installer.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
password.jpg
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
setup.zip
Resource
win10v2004-20240226-en
General
-
Target
password.jpg
-
Size
793KB
-
MD5
14041772b78bfa9fc46f0da47f57de6f
-
SHA1
bc95f2778ab4ad453cfb3c12b64e0fce8d78de00
-
SHA256
dc80a90f6814f559f8510313a2042316f030c6e601b1a6be1ba25d4bc2326a88
-
SHA512
3750c8580c3c7647cda5c3e3e3f1d15e386a4a9780cfd0aa2a9b232539b3c7908439538e3a21f01b7d5831c57dc229b3805913c0656b7ff53b8261f4cab5b1ae
-
SSDEEP
96:DWKcejwlcULFu83gX9UNg1BegxH2zcyQ6MsLUeuXuInuDrXVJgiuYdOVJo96/3q5:mq8emoogxWgLR9ZxMTVRgtxi
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid Process Token: SeManageVolumePrivilege 904 svchost.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\password.jpg1⤵PID:2408
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3104
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:904