3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623

Resubmissions

23/02/2024, 23:29

240223-3gn18scd5w 9

23/02/2024, 22:31

240223-2fh8xsae24 9

22/02/2024, 14:24

240222-rqwlwsbd65 9

Analysis

max time kernel
147s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Size

4.5MB
MD5

fe025d0f649ab10b399efd628fa8df3e
SHA1

30a824aa97b286e0088b9191ce47e547c1120921
SHA256

3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623
SHA512

47cdd4e41bbf00366347dcfb01e4693a21514a0be0b96a782eddca175b8f2a9d77bf2461929a4620677e59c729bbe20668cf1ea5a4df0b20b7a5acc5540e25ba
SSDEEP

98304:Ov2Ppnz/doAD1FWM9MSq7QPYR/LeouroTfzYSzcNXH33pQBswnmB:pRnjdoATaSqkPsyvroTfzYmcNH3pIU

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (580) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	59A.tmp

Deletes itself 1 IoCs

pid	Process
228	59A.tmp

Executes dropped EXE 1 IoCs

pid	Process
228	59A.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2200714112-3788720386-2559682836-1000\desktop.ini	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2200714112-3788720386-2559682836-1000\desktop.ini	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPzmwtz7_ss_moakgo2rzh_x_rb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP6l86jex_0wh9ttmjundymbqyc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPw8f2fpm3rjftnebnqoks_wmoc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\JBw1fC8JE.bmp"	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\JBw1fC8JE.bmp"	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
228	59A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\WallpaperStyle = "10"	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.JBw1fC8JE	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.JBw1fC8JE\ = "JBw1fC8JE"	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JBw1fC8JE\DefaultIcon	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JBw1fC8JE	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JBw1fC8JE\DefaultIcon\ = "C:\\ProgramData\\JBw1fC8JE.ico"	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4264	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1660	ONENOTE.EXE
1660	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp
228	59A.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeDebugPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: 36	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeImpersonatePrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeIncBasePriorityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeIncreaseQuotaPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: 33	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeManageVolumePrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeProfSingleProcessPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeRestorePrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSystemProfilePrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeTakeOwnershipPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeShutdownPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeDebugPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeBackupPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
Token: SeSecurityPrivilege	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE
1660	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 784	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe	93
PID 4940 wrote to memory of 784	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe	93
PID 1912 wrote to memory of 1660	1912	printfilterpipelinesvc.exe	98
PID 1912 wrote to memory of 1660	1912	printfilterpipelinesvc.exe	98
PID 4940 wrote to memory of 228	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe	99
PID 4940 wrote to memory of 228	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe	99
PID 4940 wrote to memory of 228	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe	99
PID 4940 wrote to memory of 228	4940	3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe	99
PID 228 wrote to memory of 4600	228	59A.tmp	101
PID 228 wrote to memory of 4600	228	59A.tmp	101
PID 228 wrote to memory of 4600	228	59A.tmp	101

C:\Users\Admin\AppData\Local\Temp\3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe
"C:\Users\Admin\AppData\Local\Temp\3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:784
- C:\ProgramData\59A.tmp
  "C:\ProgramData\59A.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\59A.tmp >> NUL
    3⤵
    PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4948

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D4A4915E-6706-4ADC-A683-3555A093F6EE}.xps" 133530855041350000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\JBw1fC8JE.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2200714112-3788720386-2559682836-1000\JJJJJJJJJJJ

Filesize
129B

MD5
4fd1575d85c05cba044e5646c8155d0f

SHA1
dd113772ef1c0445cae4a4ee4ad80f7ec10ad3a3

SHA256
e6baa8a42833de451e053b422555e2fee999182c84e79acfdbd091723774ed1e

SHA512
824c457fc3c1b282fbe78866eb8233275a499821cb42c291d3130f7ef70bb5624e5e7d76ed93a305de804cbaadb9f81d21351a00dc768c9bc757839dd366dd85

Download Submit
C:\JBw1fC8JE.README.txt

Filesize
1KB

MD5
9d7e4865c0dd17f1e97df83c2bffd548

SHA1
c2aa122d4e3b829e415f61450e3f9ed9eea4c818

SHA256
5e30c21218619d5d832f90bbc008c09df8bb232304e8a8bfc223e4ae9e501e1f

SHA512
85d789a34732495738ca4ab7a91939c5d2d3416bbfdb258fc70035826306235fd21b7196d0f7a6b693ad9f4bc7ecc72cd45e02734bf02e8e5583baee5660de95

Download Submit
C:\ProgramData\59A.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG

Filesize
1.8MB

MD5
bca64cab9050708e527716025f2b26bf

SHA1
0fc84d926370267bed46fa49af2b421c361ceb4e

SHA256
6476716e90ca53fc7925453043be63fde74737c470d36ff34996a4af10984c0b

SHA512
067121deced8caabb49336d6afd80ef512b9696daab3c45c3b0aa809fac822694390dd1f68c62ef5ec67e76ce2a3890cc700919b10856ffd0ce124645642385e

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
d6215ebed3202151c39d254b61689380

SHA1
e9895211c352e7da3b0e2a82b4688636473fcf13

SHA256
eb5c5d3218c3e94823ca7af4d328d75685dfa81004c1c1df335b7cd32710cfae

SHA512
0b5de03c58fc561fd53bd51059cfad33a1b9b78c508c79f8953b175b5b6a8bb5f2a26843c11f2b786f505485adf389ef606c63db4267ee581d7bbc509b1cce49

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2200714112-3788720386-2559682836-1000\DDDDDDDDDDD

Filesize
129B

MD5
b146effd44415e990811086ef78b3935

SHA1
26fc2e67c5b7753c5a0cae153dbaa3ddef215853

SHA256
5e019bf52892a27fbe63807e12fcdcffcfcca7cb833ff1d6d22ddcb55df8bd5f

SHA512
3543c821c2e399c4ab5dbc6422f5119472b7985b423774c1534e02c39256a1e1e8593a97602af3902f9694496bde4898776cc2f243642ff4ecc5bb442e45407d

Download Submit
memory/228-2789-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/228-2788-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/228-2787-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/228-2786-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/228-2784-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/228-2783-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1660-2790-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2785-0x00007FFB030C0000-0x00007FFB030D0000-memory.dmp

Filesize
64KB

Download
memory/1660-2830-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2742-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2744-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2743-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2739-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2745-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2746-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2749-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2747-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2829-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2750-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2751-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2828-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2782-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2781-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2780-0x00007FFB030C0000-0x00007FFB030D0000-memory.dmp

Filesize
64KB

Download
memory/1660-2826-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2736-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2827-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2825-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2824-0x00007FFB054B0000-0x00007FFB054C0000-memory.dmp

Filesize
64KB

Download
memory/1660-2810-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2809-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/1660-2808-0x00007FFB45430000-0x00007FFB45625000-memory.dmp

Filesize
2.0MB

Download
memory/4940-1-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4940-2-0x0000000000F70000-0x000000000167B000-memory.dmp

Filesize
7.0MB

Download
memory/4940-0-0x0000000000F70000-0x000000000167B000-memory.dmp

Filesize
7.0MB

Download
memory/4940-4-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/4940-5-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/4940-6-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/4940-2721-0x0000000000F70000-0x000000000167B000-memory.dmp

Filesize
7.0MB

Download
memory/4940-2722-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/4940-2723-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/4940-2748-0x0000000000F70000-0x000000000167B000-memory.dmp

Filesize
7.0MB

Download
memory/4940-2724-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download