Malware Analysis Report

2024-09-09 19:16

Sample ID: 240614-tb3g1a1crp
Target: Screenshot 2024-06-08 1.10.46 PM.png
SHA256: 600168731609f20a9c76bd184d8d5c887524fb27d1d3f62b60f73f2a4074e292
Tags: (none)
Score: 4/10

Analysis Overview

Score: 4/10

SHA256: 600168731609f20a9c76bd184d8d5c887524fb27d1d3f62b60f73f2a4074e292

Threat Level: Likely benign

The file Screenshot 2024-06-08 1.10.46 PM.png was found to be: Likely benign.

Malicious Activity Summary

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 15:53

Reported: 2024-06-14 15:56

Platform: win11-20240508-en

Max time kernel: 148s

Max time network: 150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-06-08 1.10.46 PM.png"

Signatures

Drops file in Windows directory

Description: File opened for modification; Indicator: C:\Windows\Panther\UnattendGC\setupact.log; Process: C:\Windows\System32\oobe\UserOOBEBroker.exe; Target: N/A
Description: File opened for modification; Indicator: C:\Windows\Panther\UnattendGC\setuperr.log; Process: C:\Windows\System32\oobe\UserOOBEBroker.exe; Target: N/A
Description: File opened for modification; Indicator: C:\Windows\Panther\UnattendGC\diagerr.xml; Process: C:\Windows\System32\oobe\UserOOBEBroker.exe; Target: N/A
Description: File opened for modification; Indicator: C:\Windows\Panther\UnattendGC\diagwrn.xml; Process: C:\Windows\System32\oobe\UserOOBEBroker.exe; Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created; Indicator: \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\MuiCache; Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe; Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A; Indicator: N/A; Process: C:\Windows\system32\SystemSettingsAdminFlows.exe; Target: N/A
Description: N/A; Indicator: N/A; Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe; Target: N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-06-08 1.10.46 PM.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-14.1554.2112.1.odl

MD5 24888633247ffce416ffc2b35852210d
SHA1 3a2a46e1d5df38f839fb02782902a481ebe07aa3
SHA256 43cbd43f3fd0910cb8aed3fe74c3bbf06fd384a24d19ff8f569b602b5c9221e3
SHA512 dc7351135cbbb3534aea740dd06ccee14882b013ce4e643dee5aa8a433b806b2769d47abf589944fa6dc63ef4f6e04d47f0f6216ba5b17121ea36898eeda2542

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 df46eb1fe5d54a0521d9965203a4a9da
SHA1 e977aae1bb82f3d57267ead3b91df3d82d6d50c6
SHA256 6076a9ea8f52f5ad109fbe29f955ee052f626b22ee45366bfa83f70706744b1d
SHA512 5bc5f8d247ba164f1af6f4ae902906568a4e9baf05c9782d999e537730d8cfe443daac6f44aa246f27e9678237a4b57a7e8411e3c4fbe88e943525cdb2ae239e

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 b11a15baac2a74995ae6f353e63723ad
SHA1 a64d549fa00962953eede6bb877caa60862cfbf3
SHA256 69e2381681ce85f320660228583f2ed1604b1dbfa90a69dde1a4853aca900778
SHA512 3406cdb89d03d3dc114637d8469f265d25857538e52f6f76ebd6272d4c79d51fbbb6c711e04605fb9ed1875ef870cd0ef5f18cf8accc5ace2a3ead72a3dfb8b5