Malware Analysis Report

2024-10-18 22:20

Sample ID 240401-l3teeabd7s
Target 0bd483a95d3f09154b1ef6a27298b0fbb3d4ac55e90d9c80ec362a89350d7f20
SHA256 0bd483a95d3f09154b1ef6a27298b0fbb3d4ac55e90d9c80ec362a89350d7f20
Tags
qr link
score
3/10

Analysis Overview

score
3/10

SHA256

0bd483a95d3f09154b1ef6a27298b0fbb3d4ac55e90d9c80ec362a89350d7f20

Threat Level: Likely benign

The file 0bd483a95d3f09154b1ef6a27298b0fbb3d4ac55e90d9c80ec362a89350d7f20 was found to be: Likely benign.

Malicious Activity Summary

qr link

One or more HTTP URLs in qr code identified

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-01 10:03

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE


Analysis: behavioral7

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr" /S

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr" /S

Network

N/A

Files

memory/1648-0-0x0000000000880000-0x000000000088C000-memory.dmp

memory/1648-1-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

memory/1648-2-0x000000001AAF0000-0x000000001AB70000-memory.dmp

memory/1648-3-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

memory/1648-4-0x000000001AAF0000-0x000000001AB70000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr" /S

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/4072-0-0x0000000000590000-0x000000000059C000-memory.dmp

memory/4072-1-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

memory/4072-2-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/4072-3-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp

memory/4072-4-0x00000000027C0000-0x00000000027D0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win7-20231129-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#XIAOYI.VC.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#XIAOYI.VC.url"

Network

N/A

Files

memory/2040-0-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#ע.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#ע.url"

Network

N/A

Files

memory/352-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/1204-0-0x0000000000BA0000-0x0000000000C86000-memory.dmp

memory/1204-1-0x00007FFC8C000000-0x00007FFC8CAC1000-memory.dmp

memory/1204-2-0x000000001B820000-0x000000001B830000-memory.dmp

memory/1204-8-0x00007FFC8C000000-0x00007FFC8CAC1000-memory.dmp

memory/1204-9-0x000000001B820000-0x000000001B830000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe"

Network

N/A

Files

memory/2840-0-0x0000000000110000-0x0000000000130000-memory.dmp

memory/2840-1-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2840-2-0x000000001A880000-0x000000001A900000-memory.dmp

memory/2840-3-0x000000001A880000-0x000000001A900000-memory.dmp

memory/2840-4-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2840-5-0x000000001A880000-0x000000001A900000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4472-0-0x0000000000C20000-0x0000000000C40000-memory.dmp

memory/4472-1-0x00007FFB65290000-0x00007FFB65D51000-memory.dmp

memory/4472-2-0x000000001B990000-0x000000001B9A0000-memory.dmp

memory/4472-3-0x000000001B990000-0x000000001B9A0000-memory.dmp

memory/4472-4-0x000000001BA00000-0x000000001BBA9000-memory.dmp

memory/4472-5-0x00007FFB65290000-0x00007FFB65D51000-memory.dmp

memory/4472-7-0x000000001B990000-0x000000001B9A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

128s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#XIAOYI.VC.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#XIAOYI.VC.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

128s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#ע.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#ע.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-01 10:03

Reported

2024-04-01 10:06

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe

"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe"

Network

N/A

Files

memory/1300-0-0x00000000011D0000-0x00000000012B6000-memory.dmp

memory/1300-1-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/1300-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp

memory/1300-8-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/1300-9-0x000000001AE40000-0x000000001AEC0000-memory.dmp