Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-09-2024 18:22

General

  • Target

    Jules/Monaco/package/esm/vs/editor/standalone/browser/iPadShowKeyboard/iPadShowKeyboard.css

  • Size

    3KB

  • MD5

    96ce4351eb6107b6ab1b27932850262d

  • SHA1

    665ec553f6ac564b4b0c18e0327508d3f764919d

  • SHA256

    3769b2499593cca78b90e0837c72d7f920f689ee494eb982ec7b25a833593dc3

  • SHA512

    21b21b0aee38dec996371fd85e06b350e7a94875f3ff96c5b80780c963dac2ab5da072d534ea0cc4fadb2e86e3dfed4e6562c13db25483f1ea13b97e8ae7d085

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Jules\Monaco\package\esm\vs\editor\standalone\browser\iPadShowKeyboard\iPadShowKeyboard.css
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Jules\Monaco\package\esm\vs\editor\standalone\browser\iPadShowKeyboard\iPadShowKeyboard.css
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4216
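The process tree above is the whole recorded behaviour: the sandbox ran cmd /c on a .css path, and because cmd.exe does not execute a non-executable extension itself, it resolved the file association and spawned the registered handler, NOTEPAD.EXE on this image, with the same path as its argument. Every signature in the report is attributed to those two sandbox-launched processes, and the "likely ransom note" signature fires because notepad was opened with a file argument, where that file is the submitted sample itself rather than a second, dropped file. The Python below is an added triage check, not part of the report or of the sandbox's tooling: it replays constructed process-creation events mirroring the tree above (the pid/ppid/image/cmdline field names are an assumption about the export format) and classifies each cmd /c launch as executed code, a file shown in a passive viewer, or something handed to another handler, also recording whether the viewer opened the submitted file or a different one.

```python
"""Triage check for a sandbox process tree: was the sample executed, or merely
handed to the shell's registered viewer?

Added example; not part of the sandbox report or its tooling. The event
records below are constructed from the report's process tree, and the
pid/ppid/image/cmdline field names are an assumption about the export format.
"""
from dataclasses import dataclass
import ntpath
from typing import Optional

# Extensions that cmd.exe (via the shell) runs as code. Anything else is passed
# to whatever application is associated with the extension.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".msi", ".scr", ".hta", ".dll", ".pif",
}

# Viewers that display a file without interpreting it.
PASSIVE_VIEWERS = {"notepad.exe", "wordpad.exe"}

# Constructed from the report's process tree (pid 2332 -> pid 4216).
_SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp\Jules\Monaco\package\esm\vs"
                r"\editor\standalone\browser\iPadShowKeyboard\iPadShowKeyboard.css")
SAMPLE_EVENTS = [
    {"pid": 2332, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "cmd /c " + _SAMPLE_PATH},
    {"pid": 4216, "ppid": 2332, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": '"C:\\Windows\\system32\\NOTEPAD.EXE" ' + _SAMPLE_PATH},
]


@dataclass
class Finding:
    pid: int                 # the cmd.exe process
    target: str              # path given to cmd /c
    verdict: str             # executed | opened-in-viewer | handed-to-<image> | no-handler-spawned
    handler: Optional[str]   # child image that received the file, if any
    same_file: bool          # handler opened the submitted file itself (False when not applicable)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    No backslash escaping, which Windows paths would otherwise trip on."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify(events: list[dict]) -> list[Finding]:
    """Classify every 'cmd /c <file>' or 'cmd /k <file>' launch in the tree."""
    children: dict[int, list[dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        argv = split_cmdline(e["cmdline"])
        if len(argv) < 3 or argv[1].lower() not in ("/c", "/k"):
            continue
        target = argv[2]
        if ntpath.splitext(target)[1].lower() in EXECUTABLE_EXTS:
            findings.append(Finding(e["pid"], target, "executed", None, False))
            continue

        # Non-executable extension: cmd resolves the association and spawns
        # the handler with the path as its first argument.
        handler, opened = None, None
        for child in children.get(e["pid"], []):
            cargv = split_cmdline(child["cmdline"])
            handler = ntpath.basename(child["image"]).lower()
            opened = cargv[1] if len(cargv) > 1 else None
            break
        if handler is None:
            verdict = "no-handler-spawned"
        elif handler in PASSIVE_VIEWERS:
            verdict = "opened-in-viewer"
        else:
            verdict = f"handed-to-{handler}"
        same = opened is not None and opened.lower() == target.lower()
        findings.append(Finding(e["pid"], target, verdict, handler, same))
    return findings


def is_passive_launch(findings: list[Finding]) -> bool:
    """True when every cmd /c launch only displayed the submitted file in a
    passive viewer, i.e. the recorded behaviour came from the launch method,
    not from the sample."""
    return bool(findings) and all(
        f.verdict == "opened-in-viewer" and f.same_file for f in findings)


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f)
    print("passive launch:", is_passive_launch(classify(SAMPLE_EVENTS)))
```

A notepad child that opens a path other than the submitted one (the shape a dropped note would have) is reported with same_file False and fails is_passive_launch, so the check separates the report's case from the one the signature name suggests.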

Network

MITRE ATT&CK Enterprise v15

