Resubmissions
19/09/2023, 08:52
230919-ks2glaaa53 119/09/2023, 08:12
230919-j37kxshg95 519/09/2023, 08:09
230919-j2f2ksfg2z 5Analysis
-
max time kernel
220s -
max time network
220s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2023, 08:12
Static task
static1
Behavioral task
behavioral1
Sample
.htm
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
.htm
Resource
win10v2004-20230915-en
Behavioral task
behavioral3
Sample
BRUJNRYYVN.jpg
Resource
win7-20230831-en
Behavioral task
behavioral4
Sample
BRUJNRYYVN.jpg
Resource
win10v2004-20230915-en
Behavioral task
behavioral5
Sample
email-html-1.html
Resource
win7-20230831-en
Behavioral task
behavioral6
Sample
email-html-1.html
Resource
win10v2004-20230915-en
General
-
Target
BRUJNRYYVN.jpg
-
Size
118KB
-
MD5
0acab29ac4d307e2935acd85f318a8ce
-
SHA1
310b1aef44210ae56634466ba377ef9b739616e3
-
SHA256
7fc5ac264fe3b74992fa65172d13077593b78ed1b0d69851714205e1eb397863
-
SHA512
4e16a3230a88874145c68e6f80b85ee4038676c8e31efd9409b6a5115ca186f8ed9fc1ecca17bc036e6ed2b194e791b881f3830f87aa8d25e5eaf12a55ff249d
-
SSDEEP
3072:TYYYYYAXH70b3Fd4ppYu/BcHsKkkkkkkkkkkkkkkkkiyh3ZGvmT:TYYYYYAXH4IpprBcHsIh3ZGvmT
Malware Config
Signatures
-
Drops file in System32 directory 11 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings mspaint.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4628 mspaint.exe 4628 mspaint.exe 1200 mspaint.exe 1200 mspaint.exe 748 mspaint.exe 748 mspaint.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 4628 mspaint.exe 1200 mspaint.exe 2692 OpenWith.exe 2932 OpenWith.exe 4148 OpenWith.exe 4148 OpenWith.exe 4148 OpenWith.exe 748 mspaint.exe 748 mspaint.exe 748 mspaint.exe 748 mspaint.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4148 wrote to memory of 748 4148 OpenWith.exe 100 PID 4148 wrote to memory of 748 4148 OpenWith.exe 100
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg1⤵PID:4176
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5032
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.htm1⤵PID:1656
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\email-html-1.txt1⤵PID:3764
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4628
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1200
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
PID:504
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2692
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2932
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\BRUJNRYYVN.jpg"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:748
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:1552