874d3f892c299a623746d6b0669298375af4bd0ea02f52ac424c579e57ab48fd

General

Target

Document.doc.scr
Size

194KB
MD5

407ea767aa26ae13f9ff20d0999c8dda
SHA1

07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
SHA512

6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
SSDEEP

3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

736.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 736.tmp
Deletes itself 1 IoCs

Processes:

736.tmp

pid process

4756 736.tmp
Executes dropped EXE 1 IoCs

Processes:

736.tmp

pid process

4756 736.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	736.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPx57eo4prct16fe0p521lg0ipd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPispgjills7ijtdrf0m9_s0tib.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPrnklwhne9kkrkzvlka2pir85.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr736.tmp

pid process

824 Document.doc.scr
824 Document.doc.scr
824 Document.doc.scr
824 Document.doc.scr
4756 736.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon\ = "C:\\ProgramData\\jC7CNxlVt.ico"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt\ = "jC7CNxlVt"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr
824	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

736.tmp

pid	process
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp
4756	736.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeDebugPrivilege	824	Document.doc.scr
Token: 36	824	Document.doc.scr
Token: SeImpersonatePrivilege	824	Document.doc.scr
Token: SeIncBasePriorityPrivilege	824	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	824	Document.doc.scr
Token: 33	824	Document.doc.scr
Token: SeManageVolumePrivilege	824	Document.doc.scr
Token: SeProfSingleProcessPrivilege	824	Document.doc.scr
Token: SeRestorePrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSystemProfilePrivilege	824	Document.doc.scr
Token: SeTakeOwnershipPrivilege	824	Document.doc.scr
Token: SeShutdownPrivilege	824	Document.doc.scr
Token: SeDebugPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeBackupPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr
Token: SeSecurityPrivilege	824	Document.doc.scr

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ONENOTE.EXE

pid process

4108 ONENOTE.EXE
4108 ONENOTE.EXE

pid	process
4108	ONENOTE.EXE
4108	ONENOTE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exe

description	pid	process	target process
PID 824 wrote to memory of 1500	824	Document.doc.scr	splwow64.exe
PID 824 wrote to memory of 1500	824	Document.doc.scr	splwow64.exe
PID 1780 wrote to memory of 4108	1780	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1780 wrote to memory of 4108	1780	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 824 wrote to memory of 4756	824	Document.doc.scr	736.tmp
PID 824 wrote to memory of 4756	824	Document.doc.scr	736.tmp
PID 824 wrote to memory of 4756	824	Document.doc.scr	736.tmp
PID 824 wrote to memory of 4756	824	Document.doc.scr	736.tmp

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:1500

C:\ProgramData\736.tmp
"C:\ProgramData\736.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1992

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1780

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CB1007EF-5743-44BD-895F-7F503A6692A8}.xps" 133585895845350000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\AAAAAAAAAAA

Filesize
129B

MD5
fa1cfbf9521253022a979a7fd4de403e

SHA1
3db20dfaf1d5346bc6843b718cc0c5a849d6cfb3

SHA256
501cd8ff28c947d8fc726d09ce589181579946a0e6f88013ffe13d9219d90310

SHA512
b81bb6b358f3ee0bb883a4d006ca3075a7571da80ab5ccfe7703707cb39f6d6731b7283925fbaee6370fb4979af333dae20ce3ac207b2efd6ab09db15aa15d14

Download Submit
C:\ProgramData\736.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD

Filesize
194KB

MD5
dfedc14c3ef4739eb21d1c2d1f089dde

SHA1
a375cde3dd98bc527d5300b6d6cd9302aef1de13

SHA256
dfe585d22c1a4ce0b1fd7ffd094a75634bbb0a7cdfd7e76bdebb92f7e7bbda02

SHA512
7daf70f72003e9032b9f59708571bb7a3881a41f7ef96a28a5d694c155a6d75c747068e392139c829fbfab5eb59d9b62271e4c61009c003fbeee7303fa9390ad

Download Submit
C:\jC7CNxlVt.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

Filesize
129B

MD5
d1e1bcfbb10178ef36774d91a9dfbc20

SHA1
1efcf056a44c5e9f930051232377476feb5e649c

SHA256
4380da31fec2360f52c680da2e8a2f8e23b2117b6257681125f45b4c913a87f5

SHA512
8b11c3cb02caca693965d00250142f61c3c5223ff5f635fc3defa3f3012dbb1a6fd6ab32cb12f4e7ac1ab7cc6cb1326782551b80b6deb2649378623a6ec3e770

Download Submit
memory/824-2-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/824-1-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/824-0-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/824-1258-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/824-1257-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/824-1256-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/4108-2823-0x00007FFE8D4D0000-0x00007FFE8D6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-2818-0x00007FFE4D550000-0x00007FFE4D560000-memory.dmp

Filesize
64KB

Download
memory/4108-2822-0x00007FFE4D550000-0x00007FFE4D560000-memory.dmp

Filesize
64KB

Download
memory/4108-2821-0x00007FFE8D4D0000-0x00007FFE8D6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-2824-0x00007FFE4D550000-0x00007FFE4D560000-memory.dmp

Filesize
64KB

Download
memory/4108-2825-0x00007FFE8D4D0000-0x00007FFE8D6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-2834-0x00007FFE8D4D0000-0x00007FFE8D6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-2819-0x00007FFE4D550000-0x00007FFE4D560000-memory.dmp

Filesize
64KB

Download
memory/4108-2882-0x00007FFE8D4D0000-0x00007FFE8D6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-2875-0x00007FFE4ACF0000-0x00007FFE4AD00000-memory.dmp

Filesize
64KB

Download
memory/4108-2874-0x00007FFE4ACF0000-0x00007FFE4AD00000-memory.dmp

Filesize
64KB

Download
memory/4108-2820-0x00007FFE4D550000-0x00007FFE4D560000-memory.dmp

Filesize
64KB

Download
memory/4756-2839-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/4756-2841-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/4756-2872-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/4756-2873-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/4756-2842-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/4756-2843-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/4756-2840-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads