062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1

General

Target

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Size

194KB
MD5

50e5dec57451005668704281688ca55d
SHA1

67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
SHA256

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
SHA512

29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad
SSDEEP

3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (614) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

E8D5.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation E8D5.tmp
Deletes itself 1 IoCs

Processes:

E8D5.tmp

pid process

4568 E8D5.tmp
Executes dropped EXE 1 IoCs

Processes:

E8D5.tmp

pid process

4568 E8D5.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	E8D5.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPkibkt4dh0v2v4byx3q_sm7rwb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPzma24ppsd9oyw6uuf45b94g5c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPtbcy5fqp37ejlfnwdob4cy8eb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exeE8D5.tmp

pid	process
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
4568	E8D5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

Modifies registry class 5 IoCs

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk"	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico"	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

pid	process
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

E8D5.tmp

pid	process
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp
4568	E8D5.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeDebugPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: 36	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeImpersonatePrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeIncBasePriorityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeIncreaseQuotaPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: 33	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeManageVolumePrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeProfSingleProcessPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeRestorePrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSystemProfilePrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeTakeOwnershipPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeShutdownPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeDebugPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeBackupPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
Token: SeSecurityPrivilege	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE
2912	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exeprintfilterpipelinesvc.exeE8D5.tmp

description	pid	process	target process
PID 3304 wrote to memory of 2668	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe	splwow64.exe
PID 3304 wrote to memory of 2668	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe	splwow64.exe
PID 2436 wrote to memory of 2912	2436	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 2436 wrote to memory of 2912	2436	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3304 wrote to memory of 4568	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe	E8D5.tmp
PID 3304 wrote to memory of 4568	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe	E8D5.tmp
PID 3304 wrote to memory of 4568	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe	E8D5.tmp
PID 3304 wrote to memory of 4568	3304	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe	E8D5.tmp
PID 4568 wrote to memory of 3476	4568	E8D5.tmp	cmd.exe
PID 4568 wrote to memory of 3476	4568	E8D5.tmp	cmd.exe
PID 4568 wrote to memory of 3476	4568	E8D5.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe
"C:\Users\Admin\AppData\Local\Temp\062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:2668

C:\ProgramData\E8D5.tmp
"C:\ProgramData\E8D5.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E8D5.tmp >> NUL
3⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3948

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{592085E5-14D3-426F-B70C-8D96F71FF6B9}.xps" 133585669017550000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\CCCCCCCCCCC
Filesize
129B

MD5
1a14375015c76b576240c45caa0e26bf

SHA1
0bdb59257096d29aa7abd4abd9d9854238eb6d21

SHA256
fcc9faab55d5cf43fadc3c133a8a2aff6f0583c4fb3b22f1424dec0e6797cfae

SHA512
cf7877637d8567925242c94dc34af0405f69f979ac8191302a49d7d9fce726974379ada4079ba87c77ce46e484d1212cc40b650c8fa884ee23eac1a2747aa8a9

Download Submit
C:\ProgramData\E8D5.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Qs2QSInbk.README.txt
Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
194KB

MD5
884795d821773d160b949d0c79ba4893

SHA1
6d677f317413c0c9d1020e9dcd16e98080d435bb

SHA256
340014bcd7a1b2028c5887547f3c94286e8da7876108831422a3be166fec2ba4

SHA512
a97b9f0d6ab8809fff8ea585c4440baa3767699d3cc44b3382e75c4ab367d7b018a1145f3b1ed4e174b0e3c89ad0c3eec8697699a71b951fabf176d3a4cf55ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7244CEAA-8FC6-4E2B-B0A6-03C65BDF0253}
Filesize
4KB

MD5
a4f205b4324b0231e92a1fecfdb416b0

SHA1
bdda7ace045cc78ce1bf30a1f4609608ff8d1777

SHA256
0664c1e70df5698448023029e5328914a9cce51e4fc9df64bdbce0e99e2adeb7

SHA512
0661474a0aaffb0bbc0a31ad7b7611e252073c756755deeb8a3bf68c9aef26cfb6efd96df4c8b537d2b6196a76a6ca482eed41183afd25b4ab37effaca0773d0

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
9528aa1485c57a403bc104d4617c48e4

SHA1
297a74001b37b35cc1fbc9f3614a5d96dca5d796

SHA256
ca15eedf76a1cf7e2e5616564469a320d08336dbb2d5c8eaa7d40831b0a7fc79

SHA512
136a854af14a8cfb6568a198194b9465942380c42d5f621eeb38977d016ee2369819f53cabd840b4c89ccdcd37b70683799f5e7d351459657a08cd5d8315bb86

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD
Filesize
129B

MD5
d7bad473fb4e4e332fd8cbad264dd975

SHA1
4bdcb48e4036f16f1516a6a183751ec062f0cb1c

SHA256
e41dd06f7429bc3c4601f47291d327ac40230cb6ea3a6a29e9524e7b55ea9c58

SHA512
826d72b97e8b533b6b21ff55fc828e17dfa71522c4c65f9a124c75d667cd9a950475275d608d6e3c77408b39f2e527dad72d6a31fec327944881d99e532b7050

Download Submit
memory/2912-2816-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2883-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2806-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/2912-2807-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/2912-2809-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/2912-2808-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2810-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/2912-2812-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2814-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2815-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2813-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/2912-2859-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/2912-2817-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2818-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2881-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2882-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2912-2858-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/3304-2793-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3304-2795-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3304-2794-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3304-1-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3304-2-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/3304-0-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/4568-2826-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/4568-2823-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/4568-2824-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/4568-2856-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/4568-2857-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/4568-2825-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/4568-2827-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads