1369e029a6b0da91db5e735b2942b1a5549dfb909ab1e98b919481a04b7cf5e6

Analysis

max time kernel
92s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinecraftInstaller (1).exe
Size

32.0MB
MD5

7b681d2a775f0505b4fa4e6899730ec0
SHA1

285e9a0f1c3a5aef9b63c1089c4e9847bb176d3e
SHA256

1369e029a6b0da91db5e735b2942b1a5549dfb909ab1e98b919481a04b7cf5e6
SHA512

4746fbd6b7094e07e82a9720b1243cb43663408a5c581a274508e8bf44fcb4e254ae24bec6951761ae488c6f64eeb938bf4d613587f93f3378174f7eea2f1016
SSDEEP

393216:Tbekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9y:OZn/G4Gqk1cWe2iTVCMue3

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
676	2016	WerFault.exe	26

Modifies registry class 31 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a0000000e0859ff2f94f6810ab9108002b27b3d9050000005800000030f125b7ef471a10a5f102608c9eebac0c00000050000000920444648b4cd1118b70080036b11a030900000060000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "3"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "1"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "96"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	mspaint.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	MinecraftInstaller (1).exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1380	mspaint.exe
1380	mspaint.exe
1380	mspaint.exe
1380	mspaint.exe
1380	mspaint.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 676	2016	MinecraftInstaller (1).exe	27
PID 2016 wrote to memory of 676	2016	MinecraftInstaller (1).exe	27
PID 2016 wrote to memory of 676	2016	MinecraftInstaller (1).exe	27
PID 2016 wrote to memory of 676	2016	MinecraftInstaller (1).exe	27

C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1108
  2⤵
  - Program crash
  PID:676

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\aughgofasterdaddy.png

Filesize
5KB

MD5
edb45d5c762d0e0031e6731e744b62f3

SHA1
a74ec5b1211526b02ce83eea5a1aabd5e87649a2

SHA256
488a59ca7a29d02901b6f35be2ff015c5889460ef872cdc8e7ddbce2e25bd78c

SHA512
cf71ff5d2e9450dc7bbd2074dae39321935bc5a5715a36818503740da1f6856d4c43be4cfc37e48e27da5a1580e1dc025caa4ad9ad80cb5618b28577b911e3c9

Download Submit
memory/1380-58-0x000007FEF5920000-0x000007FEF596C000-memory.dmp

Filesize
304KB

Download
memory/1380-59-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1380-60-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1380-61-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1380-74-0x000007FEF5920000-0x000007FEF596C000-memory.dmp

Filesize
304KB

Download
memory/2016-54-0x00000000009C0000-0x00000000029BE000-memory.dmp

Filesize
32.0MB

Download
memory/2016-55-0x00000000069D0000-0x0000000006B92000-memory.dmp

Filesize
1.8MB

Download
memory/2016-57-0x0000000006570000-0x00000000065B0000-memory.dmp

Filesize
256KB

Download