101121c136d0d6a04d808b190ac732170300a47862f43e45ca6941d00d0b2203

General

Target

277_20_13_20064.zip
Size

7KB
MD5

3abb9cbab4203a1aac4bda228d25ba78
SHA1

7c6cbc81ff61a182f404b3f9b241a02b43520b40
SHA256

101121c136d0d6a04d808b190ac732170300a47862f43e45ca6941d00d0b2203
SHA512

35886f182a588491cbeb56b0d9d3f2c57df20b45082fe61ba3a00256df04d18547643d51eea4ed5861ca7d39c3802e460222a349364d9c5390c5ed23925501ad
SSDEEP

96:ZqX4kTboPlfHZlpji4f9hbf04neOTiSmYxE+mGQjkvqADNk8Ywj1JLbUzFQZ5:ZZDbFhzJneXJEQw7DlYwxJ0zFQZ5

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2520 3444 WerFault.exe MSOXMLED.EXE
4596 320 WerFault.exe MSOXMLED.EXE
Modifies registry class 1 IoCs

Processes:

mspaint.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings mspaint.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

5008 mspaint.exe
5008 mspaint.exe

pid	pid_target	process	target process
2520	3444	WerFault.exe	MSOXMLED.EXE
4596	320	WerFault.exe	MSOXMLED.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	mspaint.exe

pid	process
5008	mspaint.exe
5008	mspaint.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	2348	7zG.exe
Token: 35	2348	7zG.exe
Token: SeSecurityPrivilege	2348	7zG.exe
Token: SeSecurityPrivilege	2348	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2348 7zG.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mspaint.exeOpenWith.exe

pid process

5008 mspaint.exe
4624 OpenWith.exe

pid	process
2348	7zG.exe

pid	process
5008	mspaint.exe
4624	OpenWith.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\277_20_13_20064.zip
1⤵
PID:1556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\277_20_13_20064\" -spe -an -ai#7zMap5358:88:7zEvent15311
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2348

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\277_20_13_20064\1.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\277_20_13_20064\META-INF\signatures.xml"
1⤵
PID:3444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3444 -s 456
2⤵
- Program crash
PID:2520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3444 -ip 3444
1⤵
PID:2900

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "C:\Users\Admin\Desktop\277_20_13_20064\META-INF\signatures.xml"
1⤵
PID:320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 320 -s 424
2⤵
- Program crash
PID:4596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 320 -ip 320
1⤵
PID:4828

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\277_20_13_20064\1.png
Filesize
1KB

MD5
d49dae8964d0c3c8ac0f18201c4e4274

SHA1
5d99c1ff773a750f2520724ab01c12c2847dc53e

SHA256
e04ae36a12e146e5eca6fbcf328567bc19badaaeb4180c584cfba8319056f4df

SHA512
ee57bd9e56220c885b1140cc16380cc99ba60c4fc71c132442e849062c927a2f41c58565c4928fc4400bb3b6b6c89a7875bcba0a3f8241c5b3c52de19471e65d

Download Submit
C:\Users\Admin\Desktop\277_20_13_20064\META-INF\signatures.xml
Filesize
10KB

MD5
779088802b55a65d533abc1a0001b5da

SHA1
436999d722d015c809df514cc7d53da76b785a41

SHA256
fe601075cb2eecd386f714a13a965d0b2479e4831bf82fb2f2ba63727cf1df30

SHA512
d1fd4cedfd7668d9d02e613f8fbe7fda02a3db86e43829fc8e2573766e0a0f1d8c0d741a7dfb642cb8ab841f2104025c18310e559ef7a3beb51499b94d974823

Download Submit
memory/320-35-0x00007FF888FF0000-0x00007FF8891E5000-memory.dmp

Filesize
2.0MB

Download
memory/320-36-0x00007FF888FF0000-0x00007FF8891E5000-memory.dmp

Filesize
2.0MB

Download
memory/320-37-0x00007FF886D70000-0x00007FF887039000-memory.dmp

Filesize
2.8MB

Download
memory/320-34-0x00007FF849070000-0x00007FF849080000-memory.dmp

Filesize
64KB

Download
memory/320-38-0x00007FF849070000-0x00007FF849080000-memory.dmp

Filesize
64KB

Download
memory/320-39-0x00007FF888FF0000-0x00007FF8891E5000-memory.dmp

Filesize
2.0MB

Download
memory/548-21-0x0000022CAC8C0000-0x0000022CAC8C1000-memory.dmp

Filesize
4KB

Download
memory/548-25-0x0000022CAC960000-0x0000022CAC961000-memory.dmp

Filesize
4KB

Download
memory/548-6-0x0000022CA3BB0000-0x0000022CA3BC0000-memory.dmp

Filesize
64KB

Download
memory/548-24-0x0000022CAC960000-0x0000022CAC961000-memory.dmp

Filesize
4KB

Download
memory/548-23-0x0000022CAC950000-0x0000022CAC951000-memory.dmp

Filesize
4KB

Download
memory/548-22-0x0000022CAC950000-0x0000022CAC951000-memory.dmp

Filesize
4KB

Download
memory/548-19-0x0000022CAC8C0000-0x0000022CAC8C1000-memory.dmp

Filesize
4KB

Download
memory/548-17-0x0000022CAC840000-0x0000022CAC841000-memory.dmp

Filesize
4KB

Download
memory/548-10-0x0000022CA4560000-0x0000022CA4570000-memory.dmp

Filesize
64KB

Download
memory/3444-28-0x00007FF849070000-0x00007FF849080000-memory.dmp

Filesize
64KB

Download
memory/3444-33-0x00007FF888FF0000-0x00007FF8891E5000-memory.dmp

Filesize
2.0MB

Download
memory/3444-32-0x00007FF849070000-0x00007FF849080000-memory.dmp

Filesize
64KB

Download
memory/3444-31-0x00007FF886D70000-0x00007FF887039000-memory.dmp

Filesize
2.8MB

Download
memory/3444-30-0x00007FF888FF0000-0x00007FF8891E5000-memory.dmp

Filesize
2.0MB

Download
memory/3444-29-0x00007FF888FF0000-0x00007FF8891E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads