2c26ad06d4a70be599c2867dd6e21b89d7e1ebcde322daf61bfaa658084a48b2

General

Target

1.jpg
Size

67KB
MD5

b3c292a4bb6d0d2c8c4761f5d6241901
SHA1

ed59e2698aa5fb31303d170bc85ab5b726799f74
SHA256

2c26ad06d4a70be599c2867dd6e21b89d7e1ebcde322daf61bfaa658084a48b2
SHA512

b73781ea3f6191a68e5163e1307640286974d0431438f596fa2d17cacf2878e2f04c2fedc7b7b49727ca17103f746b2fa8f0e5f51fd4e3e95ee777c410251265
SSDEEP

1536:/81D2Jpso5v9V8sVbUrvAkz4DlvgHZZdaeSii01E2K5dqdHEBDl:iKjn5v9WWbCvAkH5rx1EZ5dWHET

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
200	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4256	mspaint.exe
4256	mspaint.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe
200	PaintStudio.View.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	200	PaintStudio.View.exe
Token: SeDebugPrivilege	200	PaintStudio.View.exe
Token: SeDebugPrivilege	200	PaintStudio.View.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4256	mspaint.exe
200	PaintStudio.View.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1.jpg
1⤵
PID:5012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:796

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\1.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
230B

MD5
1fda194bfd3ffd1ebdbaa7cafa91656f

SHA1
b752825886dca5698626243934d28f176b266cf0

SHA256
35135a12b7dc2070f315fe07469a255dd9fe684e48ddbdc7d5da9fb66a896b94

SHA512
c8b1c6bf249e75c87f2e66b705f06db6445caaeae687adbe47321b8c7c8c3a268f2e862f0a0e42f8b090c4258a65d8d4dec4a74aa93cd448ab2f2500933c0bca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
229B

MD5
59259903dbadb28e7fbea661943e6d3e

SHA1
91ab0d55b2e2f154e40d3bf3c16cb81cdec2fdd0

SHA256
2cf77672958fb786f431d607fa4a47df8bcfec9595cbe791a15ede433ac35e67

SHA512
45af5c740e573a819fcf383c0c682b0094b90d7b3aacadc3981be408a947d0752ca19f3dce3be1f9457855dcccb4f44df243b3010a2a0307d2a5b30b15090a6e

Download Submit

Analysis

Sharing