Overview

overview

5

Static

static

1

.htm

windows7-x64

1

.htm

windows10-2004-x64

1

BRUJNRYYVN.jpg

windows7-x64

3

BRUJNRYYVN.jpg

windows10-2004-x64

5

email-html-1.html

windows7-x64

1

email-html-1.html

windows10-2004-x64

1

Resubmissions

19/09/2023, 08:52

230919-ks2glaaa53 1

19/09/2023, 08:12

230919-j37kxshg95 5

19/09/2023, 08:09

230919-j2f2ksfg2z 5

Analysis

  • max time kernel
    220s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2023, 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BRUJNRYYVN.jpg

  • Size

    118KB

  • MD5

    0acab29ac4d307e2935acd85f318a8ce

  • SHA1

    310b1aef44210ae56634466ba377ef9b739616e3

  • SHA256

    7fc5ac264fe3b74992fa65172d13077593b78ed1b0d69851714205e1eb397863

  • SHA512

    4e16a3230a88874145c68e6f80b85ee4038676c8e31efd9409b6a5115ca186f8ed9fc1ecca17bc036e6ed2b194e791b881f3830f87aa8d25e5eaf12a55ff249d

  • SSDEEP

    3072:TYYYYYAXH70b3Fd4ppYu/BcHsKkkkkkkkkkkkkkkkkiyh3ZGvmT:TYYYYYAXH4IpprBcHsIh3ZGvmT

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg
    1⤵
      PID:4176
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5032
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.htm
        1⤵
          PID:1656
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\email-html-1.txt
          1⤵
            PID:3764
          • C:\Windows\system32\mspaint.exe
            "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg" /ForceBootstrapPaint3D
            1⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4628
          • C:\Windows\system32\mspaint.exe
            "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg" /ForceBootstrapPaint3D
            1⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1200
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
            1⤵
            • Drops file in System32 directory
            PID:504
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:2692
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:2932
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4148
            • C:\Windows\system32\mspaint.exe
              "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg"
              2⤵
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:748
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
            1⤵
              PID:1552

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/504-0-0x000001962EF40000-0x000001962EF50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/504-4-0x000001962EF80000-0x000001962EF90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/504-11-0x0000019637BD0000-0x0000019637BD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/504-13-0x0000019637C50000-0x0000019637C51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/504-15-0x0000019637C50000-0x0000019637C51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/504-16-0x0000019637CE0000-0x0000019637CE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/504-17-0x0000019637CE0000-0x0000019637CE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/504-18-0x0000019637CE0000-0x0000019637CE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/504-19-0x0000019637CE0000-0x0000019637CE1000-memory.dmp

              Filesize

              4KB

              Download