Malware Analysis Report

2025-01-18 22:28

Sample ID 240503-vtcjzabf7t
Target clippy.png
SHA256 94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file clippy.png was found to be: Likely malicious.

Malicious Activity Summary

Manipulates Digital Signatures

Enumerates physical storage devices

Runs regedit.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 17:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 17:16

Reported

2024-05-03 17:19

Platform

win7-20240221-en

Max time kernel

129s

Max time network

120s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\clippy.png

Signatures

Manipulates Digital Signatures

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust C:\Windows\regedit.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\EUDC\932 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Setup\CreatedLinks C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000200 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Printers\DevModes2 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\SortOrder\Language C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SoundSentry C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\International C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\Schemes C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ShowSounds C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Keyboard Layout C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Setup C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Printers\DevModePerUser C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Colors C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Cursors C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cryptography C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SYSTEM C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\IETld C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\International C:\Windows\System32\vds.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes C:\Windows\regedit.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2556 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2556 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2556 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mountvol.exe
PID 2556 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 2556 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe
PID 2556 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\diskpart.exe

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\clippy.png

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\reg.exe

reg delete HKCC /f

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\system32\mountvol.exe

mountvol /?

C:\Windows\system32\mountvol.exe

mountvol D:\ /d

C:\Windows\system32\mountvol.exe

mountvol F /d

C:\Windows\system32\mountvol.exe

mountvol f:\ /d

C:\Windows\system32\diskpart.exe

diskpart

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

N/A

Files

memory/1756-0-0x0000000000420000-0x0000000000421000-memory.dmp