Overview

overview

7

Static

static

3

PhotoScape X Pro.exe

windows7-x64

7

PhotoScape X Pro.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/09/2024, 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PhotoScape X Pro.exe

  • Size

    387.8MB

  • MD5

    09d7da749eaf057795b950de3e8611ff

  • SHA1

    7a123df69f82869a42209d60fb1946eb022e6ef7

  • SHA256

    da9b3b78ec4c285fa15714bec19e9a631b4e7a366d512b8613996cacba990910

  • SHA512

    436b6ce979198654405a2595f7de69ecb450ea08335ac9e1141254c61060fd7292dfabd9fed3e986bbfb592f5296d7eb2f3cc86dee927f552292612998928ad8

  • SSDEEP

    12582912:bwfOGvYGsRIdh6LWY2ykCJ0V6k4+ObpJf:bw2IYGNdhQWao69xff

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 43 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 57 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\PhotoScape X Pro.exe
    "C:\Users\Admin\AppData\Local\Temp\PhotoScape X Pro.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Mooii Tech\PhotoScape X Pro 4.2.3\install\PhotoScape X Pro.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\PhotoScape X Pro.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1726120521 "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:4472
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 944E2DD1763C730CD4EFBF81552F33F1 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5048
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 048A9088C94A75C34B8EA409D1F9280D C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4656
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2344
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 746F5F1174E5560F65A2139B86B9533A
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2732
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3900
    • C:\Program Files\PhotoScape X Pro\PhotoScapeXPro.exe
      "C:\Program Files\PhotoScape X Pro\PhotoScapeXPro.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4468

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e583aa4.rbs
      Filesize

      56KB

      MD5

      e3389188996266716f5c9c7dcd1580d7

      SHA1

      74db1766343bf3fd3569dcd2c8e623176d3bf953

      SHA256

      dda61975ddcfacdb3a2e45ea28d0ec80928098085ce7a77394413d826d6a10c4

      SHA512

      cbfd09a4325f58c47b1594bedc85c4de942e183f2f62230cc6bbb543b717acf63d418231812bbf5cec8cc775df412c5fa81aa01f30a023a3087dc6599a07ce23

      Download Submit

    • C:\Program Files\PhotoScape X Pro\OpenCL.dll
      Filesize

      79KB

      MD5

      750143e9eafe0058bb60487e5a455934

      SHA1

      c354e102a62aee9e27af859b379ac86ecce8e7be

      SHA256

      ba5d2473b48f47d9a6bede7737a8edee7ac0eb7b5fec0dffd7b3e893b0aa5fbb

      SHA512

      79d3754762bdbb234a26cc6f5c2b337c95016937c1acdeb1889b1f9e26ec699076de0b7e6b247bb930933ab29051134ec51a046f78d5b48a224a659a4929893b

      Download Submit

    • C:\Program Files\PhotoScape X Pro\PhotoScapeXPro.exe
      Filesize

      17.7MB

      MD5

      d2637dde8b7908608ceebb397691bdbc

      SHA1

      8125fd768bbf2781eb4f47e00be24cec55b45b65

      SHA256

      fad97a2d716de8cffb0278c5520ee622b5f05d8a6da806733b7621b6a6c83a32

      SHA512

      93659c6e0acba793d447f1769c293b57cfd30208f672ca75212d312bebaf3bb733216ed5a66601e251470fcfced95883dbcdabeabc63184a03d7cb7eee790f44

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Core.dll
      Filesize

      5.9MB

      MD5

      92d549a235b8210507f833c3e0216815

      SHA1

      65809e2d079d391c36b1e92afba6d02fe9065cb5

      SHA256

      82ecd0ea08e6d4842ef51487a8390d7673653c91fb948250294de4d51dfc2cb7

      SHA512

      b93a4ba1c2f94c31b9cdca63e5e7a07370d66f109bf4d241e6b8977d42e30ef15df9e90b1b58570a91a25fa0675c7b87b8074a98a23345651945a60a114296d8

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Gui.dll
      Filesize

      6.2MB

      MD5

      93135c19df028abfdac7373a98154eff

      SHA1

      a3d1f5ad01851e1f0caef4ee54c79e9503adcfe2

      SHA256

      5dfd057a046d9febaf4c1d79d7dc974821f1d922c9c2637b5df0f20279092c2d

      SHA512

      d5f4badd0aac50b73e3622e0b7f49c40a0c63be85b4625de5e0bbf6484ecec80724bc56fb57cf895cef1900604ee82487d5a99aa9be3cae8cf1be553ed323936

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Multimedia.dll
      Filesize

      708KB

      MD5

      160990aa04062691e575626a8084347b

      SHA1

      41bbedb9037c6b08af2f603a757b50bfbb0d47c8

      SHA256

      df9fb646705ba4e3752d2cdcd90a2a39cf1833d41cd5f8439afd7e9875ae8908

      SHA512

      78b73fafc9b8b0be333639309a450491010f59c21a0568e51a5bb31f774be868d13ccfa98372950f5af7bb67de88c580f68151b221f4aebdabf8cbaf4a54b4db

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Network.dll
      Filesize

      1.3MB

      MD5

      6cd8227ef4d5152ef97cc56d21888e04

      SHA1

      54d0dd8f6bdcc4db3629ff6d60f9dbd5b3443edd

      SHA256

      3711a1054a27813b4d6857692799ff5b746ad50b248fd87e118cc59e89326bff

      SHA512

      551bb69f54e836571c705eb7d95f6d3e3a035be54815360acebc91dcab084a6dcb0dc99b06549b66186e34170594b25ee8280ee71480e0cb7745d08314110a00

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5OpenGL.dll
      Filesize

      320KB

      MD5

      f76b0e8a1fe771cb8097eb7b51040f22

      SHA1

      c92aae7f8768cc083f69ed8222e967388511ac9a

      SHA256

      86920564ee5ddfcf5768d3ebc4bc23078d3c964cb6d15b9125ef3c61cbde945b

      SHA512

      69e82a10f4a06ae10a50efe063ec27356d25847abae96d8e33a093a5f58142abf1b9be803a3469af9b8dfb1a0d01e8e7714ed9e4e0e6b0ac955026eff6f6b4f3

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Positioning.dll
      Filesize

      315KB

      MD5

      dbd4c8832ff7dd7f405d900ccbca2aa1

      SHA1

      c8c8d6a0e197d8aa0f0008f153ca736f56587d2c

      SHA256

      a5ab796ddf911e2df28f927a8663f507544cad7e1c26c6fdb59cb4f316c5196f

      SHA512

      f70fd48541bd88cdeedb94ea7df6d096eb996a7957ac22342c70ec6c118dcb86dc5d72316e3e10a2645384680ce96e49785ea5a658cdaf67513fb4b6a92fccd4

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5PrintSupport.dll
      Filesize

      316KB

      MD5

      7f0452271f1a6be55185c8ff11b0b77b

      SHA1

      735516bed5bde962503b12a2fe68a23c4b8d661a

      SHA256

      e5de0e5018145a3fd4b8c0264770241b329c8102f00eecf8091d6e7c0bb1f951

      SHA512

      76c7df1bc0b01bb401de7416647129986d20152832d820e5d7b768550a2a7ddc610924422697b71e4477effd56b39604e3bb581939a0eaa6bc4b38c53b210754

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Qml.dll
      Filesize

      3.8MB

      MD5

      45390fa57bb8c30570d229c1d8d1c73b

      SHA1

      e183dff1da6dd32e21d9c46ae1d984d78bc33540

      SHA256

      433f41b93dde8a1b23611d28f7dbbd07cc3039b136b700e2c7fd9e7ef6d9c0dc

      SHA512

      7b7ff7242697df69107516113edaa35df5a6cc726d425ba9797612c012e3d6939aaf99ceb574fdead8381ec3a8c07fae0892c70c4f5604ec4125c821f342acbf

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Quick.dll
      Filesize

      3.6MB

      MD5

      004e312a08becb87d25bf15747daeebc

      SHA1

      f97c1d86f9125eec088d53638a5c2d0951c99487

      SHA256

      a04a4d293191450879b365d00dc063e129bb4caffe2ccebf6e3079b4c538be91

      SHA512

      7508f1109f594899c6c269a9478f5ec19f33556ffa30902d14439a4a59d8d0c2211e1f12b575f395edf6d431c3d13692a21ad0028ba739cbbdd225b4bfb72b41

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5QuickWidgets.dll
      Filesize

      77KB

      MD5

      7494d78597a2f683c25a005609cb6453

      SHA1

      6b651da28cc4c22d86b2af3272e52bff0d2f1eec

      SHA256

      ae57a0b2e9ae3df31a22a372c7af061e653f72fdec3fb88306449911266ecdcb

      SHA512

      3107a1c8f91af86f320f14b8fdd4b8d31f9f16ba791f60fa1cfc0822372000e875d630c6cd77cd7b5ee4f16a54a39024a0d6a21226e3b0e35e0f31d90e0399bf

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Sql.dll
      Filesize

      206KB

      MD5

      344f782896f851931b310a35572bff81

      SHA1

      35405acfcf7097b465c51ea02044cd01e996afe9

      SHA256

      c59a7e43e3720cc26a8e3564ad26e75e72ee8134bf4a8a1d615e1c85797e02c7

      SHA512

      14648bdab0549fe08c43262f79acbbba2acb6dd9246f0f7bb48dff501300358dee1f2eaa76512e808a94ad0702758e5fd8deb935a76ce32fc013d0ddc8d2875e

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Svg.dll
      Filesize

      330KB

      MD5

      fb9283d9db2298e727ecf729aa8ad008

      SHA1

      7a3b1eaeeb2881ab32ca6a3348f1a7b2f9926675

      SHA256

      766af5fe70a85c862ced02fb34761dcb4d6b60e685f31b3bc963a731ce27674a

      SHA512

      c3f8813a77a642c2f198bdec2bb601f8f7dc38fbab0880543dcc0d10c8d57d6b13df7faf043334a098ad69c203830e74b0aaee41a66fc9cf53eca0d26e99b350

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5WebChannel.dll
      Filesize

      120KB

      MD5

      2bbc222f612e67ad199b2855fec62345

      SHA1

      3f4dc92bb74777952349e64e83789aad40caf1ab

      SHA256

      cfba487fc2009119295c5ad05e6c8cf9a3d6a9a72f48cb20ce2beba0bc353400

      SHA512

      908201b4f945fe5c4c04fa4197c0e718fc7bcddea379bd634946a2a4fbfd0a4e984fd26fd0573d84bd867a0e12a3261b19d9b770f05ff6574c924e9939d887a2

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5WebEngineWidgets.dll
      Filesize

      226KB

      MD5

      47223069528384e7e6b40d9116640f27

      SHA1

      4402b986b9a5d8592b940b74c51b2f30b76fbb9f

      SHA256

      8af31ae80b25f573136643aeeb97aa5bc2919279915e7a648b7be855f0f61d90

      SHA512

      cd82f9e1b06c84d4b266912d94b56198eee33070501832ca39205ba78caf440270b92daa51edd9332ca02aacacd52150cff5e52946267ac456cb253a74fb90d2

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Widgets.dll
      Filesize

      5.3MB

      MD5

      bf377ce7199eb0277133e38ae925812e

      SHA1

      dae0788bb124fcca274c775b93c8681b4ad0cf83

      SHA256

      19f8bff8cb5fa92a747f7f81640ddaa4dd8ed547c4051f6a79a2c148cd17131d

      SHA512

      bbc9f418b1fb826d114f72460ee261dc8c50726b7690e8f904d5431616b131f405bde9501f0757a33ae9d152d9b09fd8e300eb1cd95642c2e9e240d4d356cc70

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5WinExtras.dll
      Filesize

      458KB

      MD5

      8683440c734570e775978fb48ef34648

      SHA1

      a330873398a51e9869bc4e31b7b7bc47d101b2fc

      SHA256

      c8d2470eaf2f8560197fbeff314e6f12c0e91d2356c2cbda1a1b8310e85d92d8

      SHA512

      0e6c4da762a7e950d48023ddbfdbaf7202dff0a326a58a96b98894f2aa31ecb7100e5f67e5503f3ae99c38b88f125241558e999c38436202bbe7c7c0d35d4e89

      Download Submit

    • C:\Program Files\PhotoScape X Pro\Qt5Xml.dll
      Filesize

      192KB

      MD5

      b2ef17001a645c083e23307bc11b2d1a

      SHA1

      ab8b3baf7165ed0c4c6a1d2c211679b38470b920

      SHA256

      327a651444d2e415974f4d3a29e388d404d34e7369751ee1b0d9afabd0055495

      SHA512

      13b159f7d7894243fbe89b25ff9234571881368f21c1cb18f56ba4c15f304c527415f82ab86a9cc7e63b1a7bab1f2f0231039b0449dda8dae5509c6f05a6b705

      Download Submit

    • C:\Program Files\PhotoScape X Pro\platforms\qwindows.dll
      Filesize

      1.4MB

      MD5

      d00e8dba57dde95eac770c2c4e1e0ddc

      SHA1

      370e15e178052cac31f1a9a904e7b3aaedf367a4

      SHA256

      413f65f3dc3639564b927c357a733024a8f94a7847c0707694307cc5c3fc2f25

      SHA512

      d1ec3bd2eab6597012572cda6b61400bb74911a3c6ad6977ccff04e2ea8dce1f0ff11012bdc85dc53b60edf321355923fd99489a51eb5deb9d3b57e4f1b5a8ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIE6A8.tmp
      Filesize

      391KB

      MD5

      a32decee57c661563b038d4f324e2b42

      SHA1

      3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

      SHA256

      fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

      SHA512

      e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Mooii Tech\PhotoScape X Pro 4.2.3\install\PhotoScape X Pro.msi
      Filesize

      1.4MB

      MD5

      dcc3b3de1fbde4618f1e39616a6aeb09

      SHA1

      ecd05cc74d8df24af20eca6429ed69f5c611454f

      SHA256

      29ddb303dddb3a3b676a6354a2baee6302bea5c7bd6986c1ae5229df0e513978

      SHA512

      d8706a8bd473d96b9453769e9077811b2901b97aa440aca2d9eadb3957b353c32b65896fa9b36dddab4bc8291f997b24c12a6b23a766767caa848927a5ed5272

      Download Submit

    • C:\Windows\Installer\MSI3BDD.tmp
      Filesize

      569KB

      MD5

      0be7cdee6c5103c740539d18a94acbd0

      SHA1

      a364c342ff150f69b471b922c0d065630a0989bb

      SHA256

      41abe8eb54a1910e6fc97fcea4de37a67058b7527badae8f39fba3788c46de14

      SHA512

      f96ef5458fdc985501e0dca9cac3c912b3f2308be29eb8e6a305a3b02a3c61b129c4db2c98980b32fd01779566fa5173b2d841755d3cb30885e2f130e4ad6e2c

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      25251966570635eea25d89cdd17d910e

      SHA1

      43191795c1bf23f055df17e58ab9bf5d94e45a04

      SHA256

      2ae6523928bdd7d507fca57634b780b65c93db860369ff4ff9075d44d775c585

      SHA512

      fd7126cdbad95b75bb5c4d3c9e09d426e788fcd2bb9c72a84a16c52141f1e2387625d87b70231b83ea55342e06ff6b5dfc97425f51b6ee314af3f733380479e2

      Download Submit

    • \??\Volume{f930bed6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8f021ae3-8485-4820-b47f-cd6161b8896e}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      d9b87006e4d232be78194a662e654608

      SHA1

      effbc4388210657d109a5529b58249d07ef93c65

      SHA256

      186ab1ad6f334988646fb57c7dd64759c3606293d6923c20dd3b9aa14759ad51

      SHA512

      ff96e071ff213b7cbd3ba67717d36c83682f4c03c41f2b03103888941bc92bba2e0cfdc7ed9f7e53741fa86d0ba9b6968fa845c599ab91e13b92516c69359e4d

      Download Submit

    • memory/4468-623-0x00007FFE52E90000-0x00007FFE53236000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/4468-616-0x00007FFE543A0000-0x00007FFE548FA000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4468-622-0x00007FF62AC00000-0x00007FF62F24B000-memory.dmp

      Filesize

      70.3MB

      Download

    • memory/4468-624-0x00007FF62AC00000-0x00007FF62F24B000-memory.dmp

      Filesize

      70.3MB

      Download

    • memory/4468-617-0x00007FFE52E90000-0x00007FFE53236000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/4468-625-0x00007FF62AC00000-0x00007FF62F24B000-memory.dmp

      Filesize

      70.3MB

      Download