Analysis
max time kernel: 34s
max time network: 31s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/02/2025, 18:48
Static task: static1
Behavioral task: behavioral1
  Sample: 000IDMFLAXS7KD29-C324-F4.jpg
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 000IDMFLAXS7KD29-C324-F4.jpg
  Resource: win10v2004-20250211-en
General
Target: 000IDMFLAXS7KD29-C324-F4.jpg
Size: 251KB
MD5: c59a4f4ce4d02a9468e6372bb51ac996
SHA1: 48a77f68818b52753a98b588576b83f3ffc03335
SHA256: 3f3aa60c75f596017405c60649f8c05a0fc6490110b655b2cb8a75d5c0b47d87
SHA512: 2b17a47b98afc1a8a402969a6dcc9b917c8b7c1f88a4c112e5f9d10d1ee8bc447eca91d17d126d941eb3ed9d7b0dd77f87e7f9459c7bde6c609be6c15ceaa41b
SSDEEP: 6144:wfFJWoNXVtE7IIF7dX9ftFr8sJDWn1EfDyYZ7H3Yj/9ML:gJWo1E7hc2uYdYj9ML
Malware Config
Signatures
Drops file in System32 directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000_Classes\Local Settings | mspaint.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4088 | mspaint.exe
4088 | mspaint.exe
4056 | MicrosoftEdgeUpdate.exe
4056 | MicrosoftEdgeUpdate.exe
4056 | MicrosoftEdgeUpdate.exe
4056 | MicrosoftEdgeUpdate.exe
1504 | mspaint.exe
1504 | mspaint.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4056 | MicrosoftEdgeUpdate.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4088 | mspaint.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4088 | mspaint.exe
4088 | mspaint.exe
4088 | mspaint.exe
4088 | mspaint.exe
1504 | mspaint.exe
4704 | OpenWith.exe
Processes

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\000IDMFLAXS7KD29-C324-F4.jpg"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 4088

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 3716

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 324

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4056

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\000IDMFLAXS7KD29-C324-F4.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1504

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory
  PID: 3628

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 4704