c6004a404cddb4408610b0394b3c133ad1c1bfe5eee08aa5f2836969230612db

Resubmissions

07-01-2025 19:20

250107-x14m5swqdr 1

06-01-2025 20:49

250106-zmb23szjgp 8

06-01-2025 20:34

250106-zcfyaayqbp 10

06-01-2025 20:12

250106-yyyjsawpbs 10

Analysis

max time kernel
443s
max time network
448s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-01-2025 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resolute 16x/font/glyph_12.png
Size

2KB
MD5

0fef829dda07af9726dd6aa5e37cffd2
SHA1

9bc79d4a0334414b777edcfcb6056e9deb5b4fc7
SHA256

c8a05dc8eea810726dfda1956cfa63dc9bfdaad283867e4eb6371117bbc56a2d
SHA512

1e2ecec415bfac3746e9620b7869ff619328bc84d50df579e3550056620abc74681fde5f8b649e1fdab1f69e68ea23dd6f266510618c5ede9fafa32a79c433bc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	mspaint.exe
456	mspaint.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
456	mspaint.exe
456	mspaint.exe
456	mspaint.exe
456	mspaint.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 456	3956	cmd.exe	82
PID 3956 wrote to memory of 456	3956	cmd.exe	82

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Resolute 16x\font\glyph_12.png"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Resolute 16x\font\glyph_12.png"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads