8d62dd9dda1bb9e5f8f48f0d6eb03d04674d717ad89e1c79da9cfe48a5c02189

Resubmissions

10-12-2024 09:26

241210-lepfjsslgs 7

10-12-2024 04:21

241210-ey4agstlgy 10

Analysis

max time kernel
139s
max time network
105s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-12-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

image.png
Size

3.5MB
MD5

8dcb5ab2438ee1b7734ac77f5177fd7b
SHA1

b3c7014845ce8eda6747252a869d165938afdd6f
SHA256

8d62dd9dda1bb9e5f8f48f0d6eb03d04674d717ad89e1c79da9cfe48a5c02189
SHA512

c16f07ccd4c5203c114b495f1d0a85eef157b1b8b202cecd93917439cfa7eba7db5e64924c6b1d25c32eb8ca17c02678eba243686a8940bd4fde126d769f8f0e
SSDEEP

98304:w5mgUbqxQr5/JtQ/vazlXyy2bONC3dkThlDLXeycdESyJDDutM9T7UXF4r6e2:w5mRbqxQNQ/yz192/dkPreycVQPuS9Te

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	PnPUnattend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	PnPUnattend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	PnPUnattend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	PnPUnattend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	PnPUnattend.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	PnPUnattend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	PnPUnattend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	PnPUnattend.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	mspaint.exe
320	mspaint.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	taskmgr.exe
Token: SeSystemProfilePrivilege	2684	taskmgr.exe
Token: SeCreateGlobalPrivilege	2684	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe
2684	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
320	mspaint.exe
320	mspaint.exe
320	mspaint.exe
320	mspaint.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 320	1520	cmd.exe	84
PID 1520 wrote to memory of 320	1520	cmd.exe	84

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\image.png
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\image.png"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Windows\System32\PnPUnattend.exe
"C:\Windows\System32\PnPUnattend.exe"
1⤵
- Drops file in Windows directory
PID:552

C:\Windows\System32\pnputil.exe
"C:\Windows\System32\pnputil.exe"
1⤵
PID:3140

C:\Windows\System32\PnPUnattend.exe
"C:\Windows\System32\PnPUnattend.exe"
1⤵
- Drops file in Windows directory
PID:1552

C:\Windows\System32\pnputil.exe
"C:\Windows\System32\pnputil.exe"
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
13KB

MD5
2fe8427cc30b4228fd688b8b1df18e4a

SHA1
2ddfeeb843a9c8752a5a1eb417284be718100a07

SHA256
80f5a074ce7def4767d61455d3142bf51005417c1cb59139b4e662d30776a14b

SHA512
4c333eff205bcb446398a7afae92a1d81a76934272f8ed554b8a5861f6ea62a04aee9f1f54cb1ba07b06c4c056088a35191160c02303706bf08561e0bc21e6f0

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
4680e6099ae28fec6686e04b3095c16a

SHA1
8fb132b126ca26b6900495a75128bd0f5e864433

SHA256
2e8fc3c238ef9fc9a47e2c247c2dfdd3952ce0a80c8113af66fc53926a831646

SHA512
00880d39b1ad2ae714d38581ec39ab0aae9de759f0390c5b73c4372a0865ffe55f732d54053d5b8a3937d56b776b77a561d965449f2ff1489019dd6596f85390

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
8758afc355ab22a5dfb70607ce9c7167

SHA1
003a78a53e1f54420f99397a49bd306d478b14e3

SHA256
cb647d71f3ce68a75d58581ffe238451843e8d068dfc992f4cc6b5a7a67f5f4d

SHA512
13beb71186d222c580a37d32ad2144a91dfe47546ef549064598cfc3cafd5ea5cc7475d428f3839a4a4d9c1671e3c883221653b85d08d3e0008ca05c45073b07

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
183B

MD5
94408c5296b1af4564939c209d0adc5b

SHA1
e6966ced81b11a3c56d0039bd86ae2533fb697da

SHA256
469921cd6bae1d2806a4ea6d99068e648bfcc6d3e96cd766b6285dfcc155f460

SHA512
652488aab1723b7df24f4f26e9278df8f081438ceed66fb292a0fd4324ee36dca189862ff17a7b3ffefe4f91dccf86680bcf01f01bc29946f2aa832fcf40c168

Download Submit
memory/2684-9-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-10-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-0-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-8-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-7-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-6-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-11-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-12-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-2-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download
memory/2684-1-0x0000028B12E80000-0x0000028B12E81000-memory.dmp

Filesize
4KB

Download