Malware Analysis Report

2024-09-11 05:31

Sample ID 240622-e3c9vsxhmg
Target PCToaster.zip
SHA256 839e2e8904c5d91ab82e848a0f5ee93de32cf1d8539a9be8676d77c948e8ad14
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

839e2e8904c5d91ab82e848a0f5ee93de32cf1d8539a9be8676d77c948e8ad14

Threat Level: Likely malicious

The file PCToaster.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Enumerates connected drives

Unsigned PE

Modifies Internet Explorer settings

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-22 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 04:27

Reported

2024-06-22 04:29

Platform

win10-20240404-en

Max time kernel

106s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\I: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\N: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\P: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\U: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\M: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\J: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\K: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\L: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\O: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\B: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\S: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\W: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\R: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\T: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\X: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Y: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\A: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Q: C:\Windows\SYSTEM32\mountvol.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200" C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\PCToaster.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4864 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\PCToaster.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4376 wrote to memory of 1676 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 4376 wrote to memory of 1676 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 4376 wrote to memory of 4468 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 4376 wrote to memory of 4468 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 4376 wrote to memory of 2628 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\diskpart.exe
PID 4376 wrote to memory of 2628 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\diskpart.exe
PID 4376 wrote to memory of 340 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 4376 wrote to memory of 340 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 4376 wrote to memory of 1892 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 4376 wrote to memory of 1892 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 4376 wrote to memory of 1664 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4376 wrote to memory of 1664 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4376 wrote to memory of 1756 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1756 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 5012 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 5012 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4916 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4916 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4876 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4876 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4120 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4120 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 3056 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 3056 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4420 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4420 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4156 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4156 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 588 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 588 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4152 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4152 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4560 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4560 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 932 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 932 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1632 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1632 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2156 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2156 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4992 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4992 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2912 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2912 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2520 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2520 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1336 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1336 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2648 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 2648 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4400 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 4400 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 5112 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 5112 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1708 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 1708 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 5100 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 5100 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 3472 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 3472 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 900 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 4376 wrote to memory of 900 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PCToaster.exe

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\attrib.exe

attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt

C:\Windows\SYSTEM32\diskpart.exe

diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Boot /r

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Recovery /r

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\InvokeExpand.ps1xml

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ConvertRead.jfif" /ForceBootstrapPaint3D

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca

C:\Windows\SYSTEM32\taskkill.exe

taskkill /im lsass.exe /f

C:\Windows\SYSTEM32\mountvol.exe

mountvol A: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol B: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol D: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol E: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol F: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol G: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol H: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol I: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol J: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol K: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol L: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol M: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol N: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol O: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol P: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Q: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol R: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol S: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol T: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol U: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol V: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol W: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol X: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Y: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Z: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol C: /d

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/4864-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4376-3-0x0000021643DA0000-0x0000021644010000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 485274756c6875cbf4df8e23b7a7f59a
SHA1 88f1c3031a1a100d0e3de1d97d1b0a930f4c4146
SHA256 1f511c98c93f17f3be1b6ab736bf192fcd44f179e2fdd572804788b8ee28fade
SHA512 920ea968cc1755f765dd760c5de3285c72b18e2df86aa44339329d72f3c6e4ee571ecfc01f99ba88da656e665502d9aa2407677960048150ab72d3de6787b184

C:\Users\Admin\AppData\Local\Temp\scr.txt

MD5 ad1869d6f0b2b809394605d3e73eeb74
SHA1 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6
SHA256 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394
SHA512 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

memory/4376-24-0x00000216425B0000-0x00000216425B1000-memory.dmp

memory/4376-27-0x00000216425B0000-0x00000216425B1000-memory.dmp

memory/4376-39-0x00000216425B0000-0x00000216425B1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

MD5 d27af43087dd67c41128ea2ba8f38337
SHA1 f00193aa67f6e65ccb67325d5347ccaa4a528df3
SHA256 c3c76401943150b82d5c671f5544f333d339f9b155a831b9f1912c2ed5344e2a
SHA512 20df176d72208b163c0c9fa5aa505d6a9ba5033ad236d60b9dcfa7ac984491791c8fef576b07c37bb03f304640682c73e30716b58cd8920dc62f744c9f0127ad

memory/4376-130-0x0000021643DA0000-0x0000021644010000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

MD5 404a3ec24e3ebf45be65e77f75990825
SHA1 1e05647cf0a74cedfdeabfa3e8ee33b919780a61
SHA256 cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
SHA512 a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

memory/4376-148-0x00000216425B0000-0x00000216425B1000-memory.dmp

memory/4376-167-0x00000216425B0000-0x00000216425B1000-memory.dmp

memory/4376-180-0x00000216425B0000-0x00000216425B1000-memory.dmp

memory/4376-185-0x00000216425B0000-0x00000216425B1000-memory.dmp

memory/4376-188-0x00000216425B0000-0x00000216425B1000-memory.dmp