Malware Analysis Report

2024-10-24 21:56

Sample ID 240530-r22maada64
Target Screenshot 2024-05-23 14.42.55.png
SHA256 f78205571f19fe9ed919c9b68aed85d2efe13f236ed66e704c579ad1aea9d0bc
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

f78205571f19fe9ed919c9b68aed85d2efe13f236ed66e704c579ad1aea9d0bc

Threat Level: Likely benign

The file Screenshot 2024-05-23 14.42.55.png was found to be: Likely benign.

Malicious Activity Summary


Enumerates physical storage devices

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 14:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 14:42

Reported

2024-06-06 14:58

Platform

win10-20240404-en

Max time kernel

315s

Max time network

875s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 14:42

Reported

2024-06-06 15:00

Platform

win7-20240221-en

Max time kernel

839s

Max time network

845s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-30 14:42

Reported

2024-06-06 15:02

Platform

win10v2004-20240508-en

Max time kernel

447s

Max time network

1165s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
NL 23.62.61.73:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-30 14:42

Reported

2024-06-06 15:02

Platform

win11-20240508-en

Max time kernel

449s

Max time network

1168s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 14.42.55.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-30 14:42

Reported

2024-06-06 15:02

Platform

macos-20240410-en

Max time kernel

354s

Max time network

958s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Screenshot 2024-05-23 14.42.55.png"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Screenshot 2024-05-23 14.42.55.png"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Screenshot 2024-05-23 14.42.55.png"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Screenshot 2024-05-23 14.42.55.png]

/bin/zsh

[/bin/zsh -c /Users/run/Screenshot 2024-05-23 14.42.55.png]

/Users/run/Screenshot

[/Users/run/Screenshot 2024-05-23 14.42.55.png]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.diagnosticd]

/usr/libexec/diagnosticd

[/usr/libexec/diagnosticd]

Network

Country Destination Domain Proto
US 151.101.67.6:443 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.21.189.171:443 help.apple.com tcp
GB 2.21.189.171:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp
GB 17.57.146.10:5223 tcp
US 8.8.8.8:53 12-courier.push.apple.com udp
GB 17.57.146.13:5223 12-courier.push.apple.com tcp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

N/A