Overview

overview

9

Static

static

3

3372c1edab...70.exe

windows10-2004-x64

9

51B4EF5DC9...67.exe

windows10-2004-x64

5

E906FA3D51...56.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    108s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

  • Size

    257KB

  • MD5

    6e080aa085293bb9fbdcc9015337d309

  • SHA1

    51b4ef5dc9d26b7a26e214cee90598631e2eaa67

  • SHA256

    9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

  • SHA512

    4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

  • SSDEEP

    6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd

Score
5/10
discovery

Malware Config

Signatures

  • Drops file in System32 directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
    "C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
      C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
      2⤵
        PID:3180
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\AssertTest.jpe" /ForceBootstrapPaint3D
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      PID:3896
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      238B

      MD5

      ca799d118b8ce3b0aaca304158bcb31d

      SHA1

      be60fc9873dcccf10a798b01139efc214a604442

      SHA256

      02de55d2df018cdcb694c9f5121c18c96ac16f74c720ed83781a6c747c1060e4

      SHA512

      18e6cd3368aebd05859508cc904848eca31c0f973c11ff607f13f6a3f706b16f68659e969f641ee46843cf90b6526445e9b2e6e64c8a7d01c7b76ec59bb7cb8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      2B

      MD5

      d751713988987e9331980363e24189ce

      SHA1

      97d170e1550eee4afc0af065b78cda302a97674c

      SHA256

      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

      SHA512

      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      238B

      MD5

      772a8a7b53f88ddccca7d63ec72ffff4

      SHA1

      724b7f2eb80c0883dcc16608ec4ebfd5ce38d20b

      SHA256

      03c679af699c6a16601751a39238150698430e9153462d21f4a5fe1ad87aa05b

      SHA512

      0493e04fa0363b659f0f61b92a6b3fdc37db3863feced4e071b6e8d14ff69a1a3d919c8a1bef51ff634e93e4dc87d4f8924c88748e7976b49b799802c6bd800e

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
      Filesize

      2KB

      MD5

      f4e4a03ebd0ab3a953c56a300d61d223

      SHA1

      97a9acf22c3bdd6989d7c120c21077c4d5a9a80e

      SHA256

      52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc

      SHA512

      12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

      Download Submit

    • memory/224-0-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

      Download

    • memory/3896-12-0x00000160225A0000-0x00000160225A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-14-0x0000016022620000-0x0000016022621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-20-0x00000160226C0000-0x00000160226C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-19-0x00000160226C0000-0x00000160226C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-1-0x0000016011930000-0x0000016011940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3896-17-0x00000160226B0000-0x00000160226B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-18-0x00000160226B0000-0x00000160226B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-16-0x0000016022620000-0x0000016022621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3896-5-0x0000016011970000-0x0000016011980000-memory.dmp

      Filesize

      64KB

      Download