54a619ecb85a5b5dc379a3a59058fcbddbe5870cae22297746b91d879ec332d9

General

Target

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Size

194KB
MD5

407ea767aa26ae13f9ff20d0999c8dda
SHA1

07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
SHA512

6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
SSDEEP

3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (594) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

61E7.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation 61E7.tmp
Deletes itself 1 IoCs

Processes:

61E7.tmp

pid process

4932 61E7.tmp
Executes dropped EXE 1 IoCs

Processes:

61E7.tmp

pid process

4932 61E7.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	61E7.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-355664440-2199602304-1223909400-1000\desktop.ini	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\desktop.ini	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPcxhjdwzu5cyxl16c02do8zwub.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjuo40od0ooobf0sm2eh547zqd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPhnho79rucaxusk1y032j3q01c.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe61E7.tmp

pid	process
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4932	61E7.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\Desktop	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\Desktop\WallpaperStyle = "10"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Modifies registry class 5 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon\ = "C:\\ProgramData\\jC7CNxlVt.ico"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt\ = "jC7CNxlVt"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

pid	process
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

61E7.tmp

pid	process
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp
4932	61E7.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeDebugPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: 36	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeImpersonatePrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeIncBasePriorityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeIncreaseQuotaPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: 33	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeManageVolumePrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeProfSingleProcessPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeRestorePrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSystemProfilePrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeTakeOwnershipPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeShutdownPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeDebugPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE
3968	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exeprintfilterpipelinesvc.exe61E7.tmp

description	pid	process	target process
PID 4768 wrote to memory of 4508	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	splwow64.exe
PID 4768 wrote to memory of 4508	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	splwow64.exe
PID 3624 wrote to memory of 3968	3624	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3624 wrote to memory of 3968	3624	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 4768 wrote to memory of 4932	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	61E7.tmp
PID 4768 wrote to memory of 4932	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	61E7.tmp
PID 4768 wrote to memory of 4932	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	61E7.tmp
PID 4768 wrote to memory of 4932	4768	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	61E7.tmp
PID 4932 wrote to memory of 3764	4932	61E7.tmp	cmd.exe
PID 4932 wrote to memory of 3764	4932	61E7.tmp	cmd.exe
PID 4932 wrote to memory of 3764	4932	61E7.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
"C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:4508

C:\ProgramData\61E7.tmp
"C:\ProgramData\61E7.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61E7.tmp >> NUL
3⤵
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3292

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3624

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{E043902B-4EF6-4BF9-B265-6E6AAED2F78B}.xps" 133585179193290000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355664440-2199602304-1223909400-1000\NNNNNNNNNNN
Filesize
129B

MD5
045b2f396e080047d496d44c06f47c04

SHA1
3227c28a7d746b72c68134df1eb5e2a35723278f

SHA256
aeeac60d031577a62c39afa1fa66a0a1bec11eadf27e656b9f257afd0f05d8c6

SHA512
5ee9f769133077c8ae30ac1f9b96cff4899b28f313f154c3400ee13ed6fc36ae1ba3d9f2eee99e6f63c2ac5dcd45b82900ee564d5dca5c86f706900ec8952c4d

Download Submit
C:\ProgramData\61E7.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
194KB

MD5
f4f8f67082a1da1944ccb8848a9b3464

SHA1
52db481202c8d6bd4f177d48f93b195d55362fa0

SHA256
ea25e396f58b2ec3ed0a0b46e0bc1ed0a6fcfe3af5ed10c6de530168571d40f9

SHA512
ca7d5fc40678c89883c8c0ea2ac9d428e8195204c84d0befd4d9fb31ca1c3b0cea7dd245bb263c70327af34e583876182aae067fa2cc5db1fd6189586b875642

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5113582-B544-4E59-9A7A-413B6215FFB4}
Filesize
4KB

MD5
c3004bdca85228cf94ca64820702c024

SHA1
91167f06712dfb0da53b4eda215def2006cec93a

SHA256
33467b89ad6f99eb6aa3bac4e855725a6f50298ff6b5689cc596b8ac08c646e9

SHA512
ca92854dffc6b9eab8a53903e8f41b6be8d928a77983ce2072f50099b26dc4681f1a7aaf3edd4c483c778ebd25c8f510484684af7de455d1a1a1d2fdd2b195eb

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
773d5a5cf6c62a22cc7d0d0c0521671c

SHA1
8b972f0c1c13799fd3e950572c38fc8ff9d0bddb

SHA256
93779d1c955f3f795074a934140920bf7e6f6e90447884f81bcc0ccbb3007f91

SHA512
8e34b623c8a6f92da7825a8948ec99baacfe4a5c4abc03b1f6d0de7f4ee8a3a8525db00ea75281f251cde4617dd94089bb8a8a6b25485bdda370375e8f27cc52

Download Submit
C:\jC7CNxlVt.README.txt
Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\EEEEEEEEEEE
Filesize
129B

MD5
79fed1247a3525ba87e88516ce5ee12f

SHA1
633edaf421de307b37082017ac59df758c115a33

SHA256
a80ad1b622e58ec0e2f0b77a93e931a3c8a0590d3f681eb9946518c40bf44f76

SHA512
cd7b40f7340719fbcbde52599a964d5ff2085cac0114146ba152c1e8e373c2bc564f8a3f539631cecdcfee6e36e3824909a90377912929b493f87ab6bf3ce3c0

Download Submit
memory/3968-2803-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2808-0x00007FFCD5450000-0x00007FFCD5460000-memory.dmp

Filesize
64KB

Download
memory/3968-2765-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2800-0x00007FFCD7DB0000-0x00007FFCD7DC0000-memory.dmp

Filesize
64KB

Download
memory/3968-2801-0x00007FFCD7DB0000-0x00007FFCD7DC0000-memory.dmp

Filesize
64KB

Download
memory/3968-2771-0x00007FFCD7DB0000-0x00007FFCD7DC0000-memory.dmp

Filesize
64KB

Download
memory/3968-2767-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2766-0x00007FFCD7DB0000-0x00007FFCD7DC0000-memory.dmp

Filesize
64KB

Download
memory/3968-2802-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2843-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2805-0x00007FFCD5450000-0x00007FFCD5460000-memory.dmp

Filesize
64KB

Download
memory/3968-2804-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2806-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2770-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2807-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2809-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2810-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2811-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2812-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2813-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2814-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2815-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2816-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2817-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2762-0x00007FFCD7DB0000-0x00007FFCD7DC0000-memory.dmp

Filesize
64KB

Download
memory/3968-2842-0x00007FFD17D30000-0x00007FFD17F25000-memory.dmp

Filesize
2.0MB

Download
memory/4768-0-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/4768-1-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads