Analysis
-
max time kernel
96s -
max time network
146s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
21-12-2024 14:04
General
-
Target
Password.HERE.jpg
-
Size
2KB
-
MD5
b49a7202fb4a6cde0d9d8d4b933a7b76
-
SHA1
ac1f52da6f92d6588fb9813756a0190a7f167bd3
-
SHA256
ff5026d2e6a35f58170d6c0d12789682d800f29cf95e37da7e1af339a674924d
-
SHA512
6154c87492fdb5c61dd65caecf40ba56c509ff358c815e7de05608bdc1ea46ec5b049161edc1ada837e6f979883871b661aeb73459388330c61f89bf33da3f5c
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Password.HERE.jpg1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Password.HERE.jpg"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵