062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1

General

Target

Document.doc.scr.exe
Size

194KB
MD5

50e5dec57451005668704281688ca55d
SHA1

67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
SHA256

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
SHA512

29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad
SSDEEP

3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (287) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

9B84.tmp

pid process

924 9B84.tmp
Executes dropped EXE 1 IoCs

Processes:

9B84.tmp

pid process

924 9B84.tmp
Loads dropped DLL 1 IoCs

Processes:

Document.doc.scr.exe

pid process

2032 Document.doc.scr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	Document.doc.scr.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	Document.doc.scr.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	Document.doc.scr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	Document.doc.scr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr.exe9B84.tmp

pid process

2032 Document.doc.scr.exe
2032 Document.doc.scr.exe
2032 Document.doc.scr.exe
2032 Document.doc.scr.exe
924 9B84.tmp

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	Document.doc.scr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr.exe

Modifies registry class 5 IoCs

Processes:

Document.doc.scr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk"	Document.doc.scr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon	Document.doc.scr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk	Document.doc.scr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico"	Document.doc.scr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk	Document.doc.scr.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Document.doc.scr.exe

pid	process
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe
2032	Document.doc.scr.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

9B84.tmp

pid	process
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp
924	9B84.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeDebugPrivilege	2032	Document.doc.scr.exe
Token: 36	2032	Document.doc.scr.exe
Token: SeImpersonatePrivilege	2032	Document.doc.scr.exe
Token: SeIncBasePriorityPrivilege	2032	Document.doc.scr.exe
Token: SeIncreaseQuotaPrivilege	2032	Document.doc.scr.exe
Token: 33	2032	Document.doc.scr.exe
Token: SeManageVolumePrivilege	2032	Document.doc.scr.exe
Token: SeProfSingleProcessPrivilege	2032	Document.doc.scr.exe
Token: SeRestorePrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSystemProfilePrivilege	2032	Document.doc.scr.exe
Token: SeTakeOwnershipPrivilege	2032	Document.doc.scr.exe
Token: SeShutdownPrivilege	2032	Document.doc.scr.exe
Token: SeDebugPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeBackupPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe
Token: SeSecurityPrivilege	2032	Document.doc.scr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Document.doc.scr.exe9B84.tmp

description	pid	process	target process
PID 2032 wrote to memory of 924	2032	Document.doc.scr.exe	9B84.tmp
PID 2032 wrote to memory of 924	2032	Document.doc.scr.exe	9B84.tmp
PID 2032 wrote to memory of 924	2032	Document.doc.scr.exe	9B84.tmp
PID 2032 wrote to memory of 924	2032	Document.doc.scr.exe	9B84.tmp
PID 2032 wrote to memory of 924	2032	Document.doc.scr.exe	9B84.tmp
PID 924 wrote to memory of 744	924	9B84.tmp	cmd.exe
PID 924 wrote to memory of 744	924	9B84.tmp	cmd.exe
PID 924 wrote to memory of 744	924	9B84.tmp	cmd.exe
PID 924 wrote to memory of 744	924	9B84.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\ProgramData\9B84.tmp
  "C:\ProgramData\9B84.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9B84.tmp >> NUL
    3⤵
    PID:744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\JJJJJJJJJJJ

Filesize
129B

MD5
c554781ca8ad34b9a215872e8d2e7b2b

SHA1
9f8a85b93db7f37352a2c0b00a8db561e9fcf4ea

SHA256
27714734fb4999086c40a7284e48ff4c498ad03c2d00622500b519548be50dfb

SHA512
e13b38c3490242a83a6b7dc6330032b17cc75258a09777843549211731da5180b5e6756a9e04814d0b62bd275cd18e1ba78c6c3855e66b22242d9243c3114a33

Download Submit
C:\Qs2QSInbk.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFFFFFFFFFFFFFFFFFFF

Filesize
194KB

MD5
4952591960de6aca594760fc9b4bcb14

SHA1
f1f1ad5a317e62f0db9bf92df59f9ec728dbe29d

SHA256
994c069ee2512420bd7c99130917fad95e849e94a6cbcb73bb118a7993de8e35

SHA512
fd41371386f12dd1ea0ff3c27955b68387abcffd970c3141be8e2f3a398ca8720f65cfb0ed23c6c99169a53c65a1aa14858d3c0b5b511c329e18bdc6fbdaebc7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

Filesize
129B

MD5
03faeb00a3a9ff1b3e3bf7a1d530765f

SHA1
68a85be926b7da0969ac679000ff86cb8f622128

SHA256
e41a8015250c9868b5e56da83b5ff04d60a12cdfd9beb2bc2b47e2a1b35c127f

SHA512
ccbefadae57594c54e2c46f00a3266f5465d2066dbe8cd30d28cb82dbe18634810ae82a0f4582e001432ba8e5d681314c1d542be3ea4aab6196ab11baae27863

Download Submit
\ProgramData\9B84.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/924-812-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/924-805-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/924-818-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/924-820-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/924-819-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/924-838-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/924-839-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2032-0-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads