fd8f8d2dffe33e9d31f059016bb18f5fc54df4bbbfab09b04227e149c99376aa

Resubmissions

11/07/2024, 08:08

240711-j1h5jsxcjl 7

11/07/2024, 08:04

240711-jysafaxbln 3

Analysis

max time kernel
32s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paint Tool SAI 2.0 (64bit)/blotmap/Bumpy.bmp
Size

257KB
MD5

3197f8ec3e4b8e3039560086c9dd9d54
SHA1

b83d291a7c64f2e64be3d26b9a7e22eb651c367d
SHA256

b15f4194190d91251cf4df7c552505ed003326580384ccbb48164bcc28048dad
SHA512

86f332d78d8750ea661aa6f8d32579776311bb5a5f3c70b13b0089549f5b746c1695ae4626840f992c19fc9e4dc58d3e5df070b43688687be0eddc8f0e3b1e40
SSDEEP

6144:HYwsdpawpvQRjGFWh/K/csKqko1B/mMF3gVZIKCJxrPNWSzkJ:I3hM/783RvrYJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	mspaint.exe
2136	mspaint.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2136	mspaint.exe
2136	mspaint.exe
2136	mspaint.exe
2136	mspaint.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 2136	3284	cmd.exe	83
PID 3284 wrote to memory of 2136	3284	cmd.exe	83

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Paint Tool SAI 2.0 (64bit)\blotmap\Bumpy.bmp"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Paint Tool SAI 2.0 (64bit)\blotmap\Bumpy.bmp"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads