5722bf148cdb1bee9d2ed5feb01154f518f738d12e1b2336d1c68010e67390d8

Analysis

max time kernel
638s
max time network
616s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_1035.jpg
Size

3.3MB
MD5

fc200eb79494abd8d92871f381e5afa6
SHA1

6b43576b6189ba8e10e475c2c495371a46c85b2b
SHA256

5722bf148cdb1bee9d2ed5feb01154f518f738d12e1b2336d1c68010e67390d8
SHA512

1739aa037e98255d6b5d6699e1ab1ab9a43a825af4d6a7aa9414eb201ffc86f3e70275e2802a8ffecdb691c8fe4139246c3c9cc386027d925224077aa7875472
SSDEEP

49152:w7MHu8HqMY181ORb4O/1OEeaKXi4M8NQekCrpuR4Q2j3cv190Qwcb6o6f/DaXK:S8KmEFvLKXi4TRvrpuOV3i190xcO7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTES = "C:\\Windows\\system32\\StikyNot.exe"	StikyNot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2292	ehshell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	2644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2644	AUDIODG.EXE
Token: 33	2644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2644	AUDIODG.EXE
Token: SeDebugPrivilege	2292	ehshell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1988	rundll32.exe
1988	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\IMG_1035.jpg
1⤵
- Suspicious use of FindShellTrayWindow
PID:1988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2320

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1016

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\StikyNot.exe
"C:\Windows\system32\StikyNot.exe"
1⤵
- Adds Run key to start application
PID:2236

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ApproveSuspend.odt

Filesize
732KB

MD5
f31343e8e7eb277f354741c2ba6aa315

SHA1
028fb595b42d06de1d1a4579b0ba59a6d97ed7ad

SHA256
19ffd14e6e945754a17947cbb172bef1ee18ae684639124a1dadf841f9e9c6eb

SHA512
993b42a7af1dd9112287f0e4ffacb217389216fcdf5a646e14f71fefdca9d2913ecb28ac9f491855af195a4f54869f5c18292a2784217d669aa34403bea6b18f

Download Submit
C:\Users\Admin\Desktop\CompareConnect.mov

Filesize
591KB

MD5
ba84e0bdc0b1ecd52dc3000d16664861

SHA1
cd7af84cd6e1788b9a9797f5b0608f24defc24e4

SHA256
397f3f5af4e8ddba7584e441f2064338af684cff234a0a13e4137e70cb889047

SHA512
254d008009278ddfe488f9df7e751ea6bec60017ea5f5990bafa1a854aaa45ccb93a63e2cd3de7f444c092777081f6c137fa13c0a8c968e0e08a6dc4a21562ec

Download Submit
C:\Users\Admin\Desktop\CompareExpand.lock

Filesize
366KB

MD5
a2ad093ea139949fd67aee9748766e0c

SHA1
ad47a98fa9d3465e64b31e898b46ee516c9ba2f4

SHA256
134584a7f7b3d5e7b7bf9cff794cd9a51a1c0c1ba8ff6a2d99a7e152b8efb540

SHA512
8fb71560fcf1f56361eba1c26ed163768321637f37cad6ba668ece8c9f74fadf5ccf4db62532282c8bc61703a434a6c2b2d301a8754f0cad338428b099c781e4

Download Submit
C:\Users\Admin\Desktop\ConnectConvertTo.dwfx

Filesize
788KB

MD5
28d212454300c9c574ad15960b4ae472

SHA1
95338c7796723d388a9d02935557a588bf40c48c

SHA256
7d196888889494fab37ff841dad4e41a5f8c4148700f8e81631d959712a75af2

SHA512
acdb28f6024c9df671c912b37c106c0c061562fbcbbf83df091db07245b4a16642131ed0a5f132ca75141ca951416719b16d3ab2d0d60717c830486f2ea588d1

Download Submit
C:\Users\Admin\Desktop\DenyRestart.dot

Filesize
535KB

MD5
bd71461724eebca01c45814ed0a58f08

SHA1
90736d383a0bc05fa20f51d5dec29ea6b38f7ec9

SHA256
d31dd8d2a22c8e80601ca8fce76e5f160e19ff51da55b1682120473d7b35e772

SHA512
30f4ee3eb57489c1e6d58d1ed8612f571bf59b11d511fb850e0e97597f298c397bafed8a371532180a25cecf64c27d37bc587cfdcf774f3f37b4b4549576f4bd

Download Submit
C:\Users\Admin\Desktop\ExpandResolve.mp4

Filesize
760KB

MD5
2d5f908bf3657c85c9bad675c8e9f598

SHA1
b1460de8a7343b1c5499453cb61a070ea93c31a4

SHA256
1c91fe09276fc251d56817851875cb5fb4fd769bb3fdaa96ed920d58452c570d

SHA512
2f546043063c48339e77d9e7391cbc0826b4fef7a60bc61ed5fcf7d6b9c53640fe871ba5cbdd3371a37ac8911e06fa7db070bf163097a6dcb6f4667f66b079d7

Download Submit
C:\Users\Admin\Desktop\FindRequest.3g2

Filesize
1.1MB

MD5
5800a1aa7d74750db19723951a971d58

SHA1
d3c1e608fbf3b6e076bca360a92981c708ce5427

SHA256
0bfb54021fa5b5c8f9d8b8dc70e1fa0fc191780c89e036bba8cde32ee600aad8

SHA512
3ab641eca06a4eb3c9ad24b6f4fafe2a4a9111be19e42f858fffd89b20bb4797602c15846734ba7922ab998f08eec98262d0b0ce47067cd8b2728afbaff02bef

Download Submit
C:\Users\Admin\Desktop\HideCheckpoint.xlsx

Filesize
10KB

MD5
3bcf9142882d2003c13bef9c47281ed5

SHA1
36ee7b32abd91d40f67ee031f0cf050bf4dbbe5c

SHA256
1ed9e210e3da446ba84feaf1cb7d8f78ff85d3841e9ad42df3ed0fb766644750

SHA512
53b1d34e529b97bd5492bea8a3abd551768eb8bd32c165fa18a96ac49df1e0fa8a8f9c112c59d54d35e600ba271434499f9d5d46e58ec959c20978f33f81ff52

Download Submit
C:\Users\Admin\Desktop\MergeUninstall.rm

Filesize
704KB

MD5
7c258ca70149c50629f3f23084403d1d

SHA1
0b9f47c21bcddfd23f73635206deb57033f833b4

SHA256
2569b74a74ed1b8c956f54e989d5f0948eb7fe337798ba60c862285577c46979

SHA512
bbb14abfb8e969fbdcf33c43b3a58b372b8244185d455604eab26863eb3390a78ce05520937718bcb0b3773e0040b02ccb2ad9acd7c65aac176f10ddffa0a678

Download Submit
C:\Users\Admin\Desktop\MountShow.ogg

Filesize
281KB

MD5
6b7f7998cb719cfbfe60ad75909e733a

SHA1
e6c1b48f02a4015f89b5733e68e891c473e37ce8

SHA256
56d741a0b6379342cb0ea28f9418c5b974f89bed883d1a98f085041241dbcb96

SHA512
a4a35e669b89c83a74247e662b6b7f6b9109791dc9b0e69b999dc9933e4b23ef726f229ab13b11ff919d9635b42fdae908e5d60dec1c9e85dc051d7801f0916b

Download Submit
C:\Users\Admin\Desktop\PushRequest.wma

Filesize
394KB

MD5
4a3cc17000200f02579cf2c57c76b07f

SHA1
d8814dca3413192abc98343fc2838adefadeb067

SHA256
45e1666e515f1ef396c18b185ed165db23dcb32d0487f2dc642698ea9df47fbf

SHA512
365d8026ff41d169ca0d5264e296d22646e050233e24f72dc24173789f4669994d852d9540815b186e66daa065dfcef5638bb98b1e7c40a3a17cc56c9af4a27f

Download Submit
C:\Users\Admin\Desktop\Recycle.lnk

Filesize
359B

MD5
e91e2e19d333d2869ecd4e84dadce0b1

SHA1
4cc8f4571869f83e2c0ebfac3dd17f0c51654bd6

SHA256
1bae20e282456a5df55249f23d3c89430ed079c5e0f25d16976128f303db9e61

SHA512
b540108474cd92140d824e7aedc50b24fc30bcd9d5a87ac9c5f6af11b1079d518006c1942a156da093f3e27481cb5182d60118c4e984f099a38cff68fbb59867

Download Submit
C:\Users\Admin\Desktop\RenameClear.vdx

Filesize
506KB

MD5
5c37add4b29f2cfaa9ec91c7693c9cbc

SHA1
a16c62ad70caf2a39ac4efdf0735e2eaa419ec4a

SHA256
f46f9f4b44ad754e2e2cf151f951b6c24d2751d1f4de10cfd3f8540db116c8cd

SHA512
e61dd2e49baaa66589ae59c87b3025d1870f0dc778b47ebe26d1e45e851ec92c3c49fe2b2e4a78e19272e0d11d2a1970fb94b94f23eb47d526c243ea6383c5a5

Download Submit
C:\Users\Admin\Desktop\RequestBackup.xml

Filesize
450KB

MD5
864202b35e49bb5bafd02b9f9f25de20

SHA1
f8302a7e83e7c9a40ce39411f5480dcdeab337e3

SHA256
fd9ebc9a3f1d149e75b923f530142a0ed3fbee87bf7c9dcf4fabe9d9455baa44

SHA512
60e454e6ab3d8c5ac000503eeff28138e230687958f506a158ed8c31eb84a6536c359faa161798cd5bd4480a74d23795bb0a5a6d56cdbe37153ce020e91e7629

Download Submit
C:\Users\Admin\Desktop\SelectPush.avi

Filesize
478KB

MD5
8680a8bde8686495c6dbc5bbf66736f4

SHA1
efcad6da92698955b0617b39372da0f237613561

SHA256
b4800c93970b751d11d6bbc85cc35afde1e195c8d2fbc781177c886a18429829

SHA512
5787517a6f3411ea56564afe80936bedc673ab651fdf92b527c7468ba1f0b22025af8cb774ca977559ddaf9f753afc24a4b94661bfb66d04b8c14aa75b0754e1

Download Submit
C:\Users\Admin\Desktop\SkipClear.WTV

Filesize
563KB

MD5
437ba137064e5e03f48363220efebb9c

SHA1
67b0e802b695a16afd8954b3bf45d6f68e22335a

SHA256
6b2bb4ae875e7d8ef4d9c9371c4170aaa056056fd18390442412d97cfa5afa02

SHA512
df5c830a2ffa48f5985c1e645d8ad8305c43abfee4d21358bdbdbeeb08ace5f09a87a2cb9cfa075ca4fce42e83f8dc79075fa4647f09bc502db4291c76d99eae

Download Submit
C:\Users\Admin\Desktop\SkipConfirm.3gp2

Filesize
309KB

MD5
1553f74d983987992ab50866c221f1f4

SHA1
309f75fac008807a09c52dfce9a575871221ded6

SHA256
3e86a18e4372db2590235f2d5b54f9d208557d4369f598fa86e77b61b22f0b1a

SHA512
ba80b49f43e4a96dd8ab1311d52f3a9cb925547f5643649c121e2756631a810fdf50f8319829f9c9bcdad18a3f8bcf1b810151596ce6d7701e2c9c3779665cc7

Download Submit
C:\Users\Admin\Desktop\SkipImport.vssx

Filesize
647KB

MD5
42e179c864dad40a846cba84acf7c1f0

SHA1
39378d1677c1b8732ae087a701d145ef7590547c

SHA256
2ef24487b67624d0279de699ad4286ec59542333ebacb3d224bfbea2e779d61c

SHA512
8ffc2b349974402d1c1419fb6493c8ff4ecea50217e202086f569f2a261dd3f9b8eb5396241572610c0f9eca54125181548723bafea6e94c3226ace564ee9732

Download Submit
C:\Users\Admin\Desktop\SkipLock.m4a

Filesize
422KB

MD5
eab2a2d7495596b5a018c84596596b9c

SHA1
e6e5605a6dc428f4aea7394a7b9bf60f2e1f54c6

SHA256
b392345f4083f1f7b6cd0ff044069268268eb313f35a15a2069427b428de4a74

SHA512
f75ef883f791ca6a5b151234a43b2519b660cdc569e075195daad4282ab991d004b3787291a8f6ff2b8c295945e3a56ed62e7dfd1c7fd55bcdfb379df6af6cb0

Download Submit
C:\Users\Admin\Desktop\TraceSearch.docm

Filesize
675KB

MD5
355c0bfa0b9bbdafed56e968f7ac38a3

SHA1
ec18c8ee1731c28e0680a9acc369673b172a806a

SHA256
c2a5d6803ae05c9be6eec3d35d8f34081d06f7baceb9c4aca9ec984bf4047ca1

SHA512
4d1eb9193c7468e32495536120480a5359683a3b558180764dd186eff7b1da83b3bd6234732607cdc0ad474c8aba716053c29a147210fcfd8c789608e27e41db

Download Submit
C:\Users\Admin\Desktop\UnlockOpen.sys

Filesize
337KB

MD5
4fca4a6ebcc3d5a26a9f68db30e22563

SHA1
8c19469e7391596d6befce1d91ce2025edb0ae4c

SHA256
e01875c7bd53a2c3dcbe461e290cf6b5238af9cae125a8fe273bba97f5d88c44

SHA512
67ab19d432514981238bb53622f957db26299945114a103d0b15bc97f0a838e2598029745b6ac3f23c8eb95b97fa9e34390022eeb0f1ec22a31e7b2943f0217c

Download Submit
C:\Users\Admin\Desktop\UpdateMove.pptm

Filesize
619KB

MD5
416b73072b666fbb599530e23628dd4f

SHA1
6d3c3ebe4e153754c7cb7b5573a7c285392f90f9

SHA256
4bb2e76784192b8b6655714efc6a1ec47a8be5ee56e40977903c1e1e6647727a

SHA512
1105c1c97bfd4b546de578ecdd5273b9c915ae0ad281ad18e090e1492448e9f985e1a3b203cf76703094ca889c801bc26a9577d27fbe22a3fa305de6ff284884

Download Submit
memory/1988-10-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1988-0-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2292-24-0x000000001DFB0000-0x000000001E5B8000-memory.dmp

Filesize
6.0MB

Download
memory/2292-25-0x000000001E5C0000-0x000000001E744000-memory.dmp

Filesize
1.5MB

Download
memory/2292-26-0x000000001EF30000-0x000000001EFCE000-memory.dmp

Filesize
632KB

Download
memory/2292-27-0x000000001EFD0000-0x000000001F088000-memory.dmp

Filesize
736KB

Download
memory/2292-29-0x000000001D290000-0x000000001D2C7000-memory.dmp

Filesize
220KB

Download
memory/2292-31-0x000000001B870000-0x000000001B87A000-memory.dmp

Filesize
40KB

Download
memory/2292-30-0x000000001B870000-0x000000001B87A000-memory.dmp

Filesize
40KB

Download