Analysis Overview
SHA256: 94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7
Threat Level: Likely malicious
The file clippy.png was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Enumerates physical storage devices
Runs regedit.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-03 17:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-03 17:16
Reported: 2024-05-03 17:19
Platform: win7-20240221-en
Max time kernel: 129s
Max time network: 120s
Command Line
Signatures
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust | C:\Windows\regedit.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\USER\.DEFAULT\EUDC\932 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Setup\CreatedLinks | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000200 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Printers\DevModes2 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\SortOrder\Language | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SoundSentry | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\International | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\Schemes | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ShowSounds | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Keyboard Layout | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Setup | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Printers\DevModePerUser | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Colors | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Cursors | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Cryptography | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SYSTEM | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\IETld | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | C:\Windows\System32\vds.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes | C:\Windows\regedit.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\clippy.png |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\system32\reg.exe | reg delete HKCC /f |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\regedit.exe | "C:\Windows\regedit.exe" |
| C:\Windows\regedit.exe | "C:\Windows\regedit.exe" |
| C:\Windows\system32\mountvol.exe | mountvol /? |
| C:\Windows\system32\mountvol.exe | mountvol D:\ /d |
| C:\Windows\system32\mountvol.exe | mountvol F /d |
| C:\Windows\system32\mountvol.exe | mountvol f:\ /d |
| C:\Windows\system32\diskpart.exe | diskpart |
| C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
Network
Files
memory/1756-0-0x0000000000420000-0x0000000000421000-memory.dmp