General

  • Target

    WhatsApp Image 2024-08-25 at 19.33.05_6c080608.jpg

  • Size

    177KB

  • Sample

    250102-p8zp6awjcn

  • MD5

    b3dfd0f1bca744c76fcab4bc589d20db

  • SHA1

    a4c87904c334aa5615af289f1161f5580ae1090e

  • SHA256

    75ca2123d45e7ecd05302d30c5698bf2d8568fab0180e88a34b2c02d0f22a776

  • SHA512

    804a10dd8f659133a24d1c95cea51e03797f1b58f520d1f56481b83e848f29379712f47e3ea5a1ade7365de50d86f26f116b5afd8faa81963dfec3c98c68c1c8

  • SSDEEP

    3072:xkvjJkb9AMd4tGUDEiczQyMhdM2Hj6YXzYzG4Rwqhe9wjybTgaVLXAkJBzKQ/U:C6b9AMutGUwic8yMhdM22Rwqhe+mw+Bc

Malware Config

Targets

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • A potential corporate email address has been identified in the URL: AmazonNavigationCards/development@B6276730796-AL2_aarch64

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Detected potential entity reuse from brand MICROSOFT.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks