Analysis

  • max time kernel
    111s
  • max time network
    108s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
  • submitted
    07-03-2023 12:43

General

  • Target
    image001.png
  • Size
    174B
  • MD5
    6dd5fd32c94cdadd3f1118ec6b0d735c
  • SHA1
    b777f90bb2b036604f588c6b1d534f5c83d4d9e2
  • SHA256
    54f338ee4d21a8f75215bd30f1a3e2dd06e7fc9ff7d0c1f89144c1bb24d4a5a9
  • SHA512
    0ab1edc841e23355b2684eab17e36c5d5adfddcef4bcc8c59e164ede4959f81e1a9d9a83ca1460451fbe1ea576a904bc5850e389811021f1efba3bdf374c71bd

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the heuristic and is commonly associated with ransomware; in this run, however, the only processes observed are mspaint.exe, the Paint 3D app (PaintStudio.View.exe) and their helpers, so treat the match as ordinary drive enumeration by an image viewer rather than as evidence of ransomware.

  • Program crash 2 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\image001.png
    1⤵
    PID:4300
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4268
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\system32\dashost.exe
      dashost.exe {3562ac8f-3018-42dc-b832edb837031594}
      2⤵
      PID:4264
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\image001.png" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2164
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4816
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4816 -s 3860
      2⤵
      • Program crash
      PID:60
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\image001.png" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2036
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3924
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3924 -s 3692
      2⤵
      • Program crash
      PID:1076
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\image001.png"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3448
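
Both Paint 3D instances in the tree above (PIDs 4816 and 3924) are terminated by WerFault while opening a 174-byte image, and crashes on open are frequently caused by a malformed or truncated input file. A first triage step is therefore to check whether the file is even a structurally valid PNG before spending time on the crash itself. The chunk walker below is an added example, not part of this report or of any Microsoft or sandbox tooling: it validates the 8-byte signature, recomputes every chunk CRC, range-checks the IHDR fields and confirms the IEND terminator. Because the sample's bytes are not reproduced on this page, the script constructs its own minimal PNG (build_png, an assumed helper) and corrupts copies of it; to test the real sample, call parse_png on the bytes of image001.png instead.

```python
import struct
import zlib

# 8-byte signature that every PNG must start with
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Bit depths permitted for each IHDR colour type (PNG specification, table 11.1)
ALLOWED_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}


def parse_png(data: bytes) -> dict:
    """Walk the chunk list of a PNG and report structural problems.

    Returns {"valid": bool, "issues": [str], "chunks": [(type, length)], "ihdr": dict | None}.
    Every chunk CRC is recomputed, so a file that was corrupted or hand-edited
    without fixing its CRC is flagged even when the headers look sane.
    """
    issues, chunks, ihdr = [], [], None
    if not data.startswith(PNG_SIGNATURE):
        issues.append("missing PNG signature")
        return {"valid": False, "issues": issues, "chunks": chunks, "ihdr": ihdr}

    pos, seen_iend = len(PNG_SIGNATURE), False
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) is the smallest possible chunk
            issues.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            issues.append(f"non-alphabetic chunk type {ctype!r} at offset {pos}")
            break
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):  # declared length runs past the end of the file
            issues.append(f"{name} at offset {pos} declares {length} bytes but only {len(data) - body_start} remain")
            break
        body = data[body_start:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if stored_crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            issues.append(f"CRC mismatch in {name} chunk at offset {pos}")
        chunks.append((name, length))

        if name == "IHDR":
            if ihdr is not None:
                issues.append("duplicate IHDR")
            elif length != 13:
                issues.append(f"IHDR length {length} != 13")
            else:
                w, h, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
                ihdr = {"width": w, "height": h, "bit_depth": depth, "colour_type": colour}
                if w == 0 or h == 0 or w > 0x7FFFFFFF or h > 0x7FFFFFFF:
                    issues.append(f"IHDR dimensions out of range: {w}x{h}")
                if depth not in ALLOWED_DEPTHS.get(colour, set()):
                    issues.append(f"IHDR bit depth {depth} invalid for colour type {colour}")
                if comp != 0 or filt != 0 or interlace not in (0, 1):
                    issues.append("IHDR compression/filter/interlace fields out of spec")
        elif name == "IEND":
            seen_iend = True
            if body_end + 4 != len(data):
                issues.append(f"{len(data) - body_end - 4} trailing bytes after IEND")
            break
        pos = body_end + 4

    if chunks and chunks[0][0] != "IHDR":
        issues.append("first chunk is not IHDR")
    if ihdr is None:
        issues.append("no IHDR chunk")
    if not seen_iend:
        issues.append("no IEND chunk")
    return {"valid": not issues, "issues": issues, "chunks": chunks, "ihdr": ihdr}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, body, CRC-32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_png(width: int, height: int) -> bytes:
    """Constructed minimal 8-bit greyscale PNG used as test input (assumed helper, not the report's sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter type 0 followed by one row of pixels
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    good = build_png(2, 2)
    # Constructed corruptions: zero width in IHDR, a flipped byte in the IEND CRC, a file cut short
    samples = {
        "good": good,
        "zero_width": build_png(0, 1),
        "bad_crc": good[:-1] + bytes([good[-1] ^ 0xFF]),
        "truncated": good[:-6],
    }
    for label, blob in samples.items():
        print(label, parse_png(blob))
```

The walker stops at the first error that makes further offsets meaningless (a bad chunk type or a length that runs past the end of the file) but keeps going after a CRC mismatch, so a report for a hand-edited file still lists every chunk that was touched.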

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize
    236B
    MD5
    4dd964aca4fd5e836f3437e61c7e8e34
    SHA1
    8af0b0b1aaff0e78a7da09d7111c0dfc4db125c3
    SHA256
    c9b4d6996698bfa8667a09ab34e144f1516d1c18ed9683ec276ebd4fc8dbafbe
    SHA512
    0e29bb92c9e64cdfb112c24678ff501b139ec7838bb9d51f7256fa87b4e83e68025e57a841222a16c0ebb3b24f2968f5bdcc75f29b38485e58c20399d25fbe55

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize
    476B
    MD5
    1a9da5748b608b4e1a5e3884aadba8c3
    SHA1
    729aa22c244a4da78538e2501dabfc732746255b
    SHA256
    d098517ae93c50a06846f1bf41339bb02d32fec8340fc54c0be384728511588a
    SHA512
    884a82dbbd0297e45861b16e4eec4046526e326fe138c8fc66bc15e5b1af562f01a4d679e9344eb1e26c3c253d0b8f0d7b16fc72bd3d21bf66202661e7cf9495

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
    Filesize
    2KB
    MD5
    404a3ec24e3ebf45be65e77f75990825
    SHA1
    1e05647cf0a74cedfdeabfa3e8ee33b919780a61
    SHA256
    cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
    SHA512
    a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

  • memory/3924-210-0x0000028C14B80000-0x0000028C14BAF000-memory.dmp
    Filesize
    188KB
  • memory/4816-168-0x000002554F500000-0x000002554F52F000-memory.dmp
    Filesize
    188KB