c6004a404cddb4408610b0394b3c133ad1c1bfe5eee08aa5f2836969230612db

Resubmissions

07-01-2025 19:20

250107-x14m5swqdr 1

06-01-2025 20:49

250106-zmb23szjgp 8

06-01-2025 20:34

250106-zcfyaayqbp 10

06-01-2025 20:12

250106-yyyjsawpbs 10

Analysis

max time kernel
435s
max time network
437s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-01-2025 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resolute 16x/font/glyph_03.png
Size

1KB
MD5

bd0c08085f4cc0a23dc246c0ac64afff
SHA1

a9f0df0e4b7d514b65606ca9437789fda7dc2d86
SHA256

54c9a08a938384995f57876eae07a77679953b57d34c1064639e71845253b9b6
SHA512

913bdb0e42a3f0df154f1b3c148f3de0e852791d6a5aac432cf4175c0367bc39f56e50c177e9a8e2ce038f05344234896bb90171135d43cb5999d5cbd403a7c8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1332	mspaint.exe
1332	mspaint.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1332	mspaint.exe
1332	mspaint.exe
1332	mspaint.exe
1332	mspaint.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1332	240	cmd.exe	83
PID 240 wrote to memory of 1332	240	cmd.exe	83

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Resolute 16x\font\glyph_03.png"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:240
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Resolute 16x\font\glyph_03.png"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads