Analysis Overview
SHA256: 600168731609f20a9c76bd184d8d5c887524fb27d1d3f62b60f73f2a4074e292
Threat Level: Likely benign
The file Screenshot 2024-06-08 1.10.46 PM.png was found to be: Likely benign.
Malicious Activity Summary
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported: 2024-06-14 15:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-14 15:53
Reported: 2024-06-14 15:56
Platform: win11-20240508-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-06-08 1.10.46 PM.png" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc |
| C:\Windows\System32\oobe\UserOOBEBroker.exe | C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding |
| C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding |
| C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding |
| C:\Windows\system32\SystemSettingsAdminFlows.exe | "C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca |
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-14.1554.2112.1.odl
| MD5 | 24888633247ffce416ffc2b35852210d |
| SHA1 | 3a2a46e1d5df38f839fb02782902a481ebe07aa3 |
| SHA256 | 43cbd43f3fd0910cb8aed3fe74c3bbf06fd384a24d19ff8f569b602b5c9221e3 |
| SHA512 | dc7351135cbbb3534aea740dd06ccee14882b013ce4e643dee5aa8a433b806b2769d47abf589944fa6dc63ef4f6e04d47f0f6216ba5b17121ea36898eeda2542 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | df46eb1fe5d54a0521d9965203a4a9da |
| SHA1 | e977aae1bb82f3d57267ead3b91df3d82d6d50c6 |
| SHA256 | 6076a9ea8f52f5ad109fbe29f955ee052f626b22ee45366bfa83f70706744b1d |
| SHA512 | 5bc5f8d247ba164f1af6f4ae902906568a4e9baf05c9782d999e537730d8cfe443daac6f44aa246f27e9678237a4b57a7e8411e3c4fbe88e943525cdb2ae239e |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | b11a15baac2a74995ae6f353e63723ad |
| SHA1 | a64d549fa00962953eede6bb877caa60862cfbf3 |
| SHA256 | 69e2381681ce85f320660228583f2ed1604b1dbfa90a69dde1a4853aca900778 |
| SHA512 | 3406cdb89d03d3dc114637d8469f265d25857538e52f6f76ebd6272d4c79d51fbbb6c711e04605fb9ed1875ef870cd0ef5f18cf8accc5ace2a3ead72a3dfb8b5 |