Overview

overview

3

Static

static

1

ningen.jpg

windows7-x64

ningen.jpg

windows10-2004-x64

3

Analysis

  • max time kernel
    50s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14/04/2023, 22:02

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ningen.jpg

  • Size

    4KB

  • MD5

    eaa52fe4b08514bebe4785229911a0be

  • SHA1

    cb79e1a60c2257d73d7fa33aaca7a48934c73a44

  • SHA256

    408940d35fd05dae82654e6034cca770ed07d6bf9078c0408c3167186ea7d564

  • SHA512

    45d66b32fdc9162129f80cababcef5b4dfca02667066a771dc584094d5f20fd1af9491f6781df433a40a2a98ffd346a92d35780d356c2be48b0b2e8a34c0bc14

  • SSDEEP

    96:UDgJ3y80/R6+GHH0KZf++0CbzI7z4v5F6l1612k/PUDcxagH6TfSrFnvCt:EmS5Gn0w++pCzWm16Nec51Ct

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\ningen.jpg
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1768
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:268
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x560
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:392
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:700

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/268-55-0x00000000027C0000-0x00000000027C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/700-56-0x00000000028A0000-0x00000000028A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1768-54-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

              Filesize

              4KB

              Download