d212718eb644c7803f73dc13b55536e84263a3f959219bd067dc4092a2095b15

General

Target

Document.doc.scr
Size

194KB
MD5

6fd558cf3add096970e15d1e62ca1957
SHA1

78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23
SHA256

41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898
SHA512

fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc
SSDEEP

3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (629) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

6B3E.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation 6B3E.tmp
Deletes itself 1 IoCs

Processes:

6B3E.tmp

pid process

4356 6B3E.tmp
Executes dropped EXE 1 IoCs

Processes:

6B3E.tmp

pid process

4356 6B3E.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	6B3E.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-17203666-93769886-2545153620-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-17203666-93769886-2545153620-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPrl2z2gvov1zuhksc06jktgplc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPxds89oo3tkiljpkl0p1knwded.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP2cxf8yf164farl939ayj0m9od.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr6B3E.tmp

pid process

8 Document.doc.scr
8 Document.doc.scr
8 Document.doc.scr
8 Document.doc.scr
4356 6B3E.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon\ = "C:\\ProgramData\\AAtvmKv4L.ico"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L\ = "AAtvmKv4L"	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr
8	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

6B3E.tmp

pid	process
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp
4356	6B3E.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeDebugPrivilege	8	Document.doc.scr
Token: 36	8	Document.doc.scr
Token: SeImpersonatePrivilege	8	Document.doc.scr
Token: SeIncBasePriorityPrivilege	8	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	8	Document.doc.scr
Token: 33	8	Document.doc.scr
Token: SeManageVolumePrivilege	8	Document.doc.scr
Token: SeProfSingleProcessPrivilege	8	Document.doc.scr
Token: SeRestorePrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSystemProfilePrivilege	8	Document.doc.scr
Token: SeTakeOwnershipPrivilege	8	Document.doc.scr
Token: SeShutdownPrivilege	8	Document.doc.scr
Token: SeDebugPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeBackupPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr
Token: SeSecurityPrivilege	8	Document.doc.scr

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exe6B3E.tmp

description	pid	process	target process
PID 8 wrote to memory of 2360	8	Document.doc.scr	splwow64.exe
PID 8 wrote to memory of 2360	8	Document.doc.scr	splwow64.exe
PID 1912 wrote to memory of 3808	1912	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1912 wrote to memory of 3808	1912	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 8 wrote to memory of 4356	8	Document.doc.scr	6B3E.tmp
PID 8 wrote to memory of 4356	8	Document.doc.scr	6B3E.tmp
PID 8 wrote to memory of 4356	8	Document.doc.scr	6B3E.tmp
PID 8 wrote to memory of 4356	8	Document.doc.scr	6B3E.tmp
PID 4356 wrote to memory of 4568	4356	6B3E.tmp	cmd.exe
PID 4356 wrote to memory of 4568	4356	6B3E.tmp	cmd.exe
PID 4356 wrote to memory of 4568	4356	6B3E.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:2360

C:\ProgramData\6B3E.tmp
"C:\ProgramData\6B3E.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6B3E.tmp >> NUL
3⤵
PID:4568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4780

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{29AB9483-7A9C-4752-A8EF-278DCFF1D6C6}.xps" 133586554795610000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-17203666-93769886-2545153620-1000\desktop.ini

Filesize
129B

MD5
07ee86a7090e38d0326f6d0bedee5880

SHA1
f8cc2b30e821db4c0d9967014be701ce3120b41a

SHA256
037ad44ba34330fdb56f726c029d3915dcd30ac5c17dc041c9b4f32631d33879

SHA512
511a96995cfd0c0dc00b35e86c0d280b62d81d173f0a92e733335c1d87a7b7509813752eac01b2a9805112c9eb6ba2423fa4f0c36abbd809e189391bc9f36fd1

Download Submit
C:\AAtvmKv4L.README.txt

Filesize
434B

MD5
b4709a56b9d7f431da172316cda720be

SHA1
d2132f7129a7003ec4c0392f0f08cd24ea353da6

SHA256
192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

SHA512
e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

Download Submit
C:\ProgramData\6B3E.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD

Filesize
194KB

MD5
4e0000773ba2b8c7ff2204bffcd1da0a

SHA1
2542f8c7b867fb1fc422bc1bc0ad9d357020d0eb

SHA256
d3bc801e2096010e40fa4b813876a0a7179fa1a33b612405fbd75eeb2d9ed509

SHA512
8c6e5086e1096f3c9f0b40d53f5af01018829d05371db8eb0037a05e2cdaec41a202d35e546103494fc211afa578d8211dd2fabef36db31060ed31cae4de6282

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DC5672CD-AD56-4FDA-84EE-2003E696AEEF}

Filesize
4KB

MD5
b8a35d7d39395399c15a63eb0e3387b3

SHA1
a6c70bf157110f3c613a27950732a9a51f3d7571

SHA256
cbb9fc7dce153e152f9a8e772c35e8fbaae39af6afad4cd8589bed35121fc073

SHA512
fdd14a5c209972a02a6b432a6626303bda74c7faf8793950dbe83f5320015d0eab28c6009ff936b2a4ecedb893a4b5840e01c5e5ecdeb3094823f340622c0113

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
de2ea806f30079ad7d65eb7d3889bcba

SHA1
8fc51a467a336c3d9fcfeba277397828fc9b91c4

SHA256
42a4c306fbbb60facd9735091b54ae784fc5f5449fbf134273e845c40d0f52b9

SHA512
33437941f162bf480648c3015e6f8b5f98186e868110d49df6adea28448b15ab21a8691bfbcaa8664a234daf2de3775a97518f3f6676a9199a610564c65ce5a1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-17203666-93769886-2545153620-1000\DDDDDDDDDDD

Filesize
129B

MD5
1454105de6edf1b0eadc875102f704b2

SHA1
58abaa26cf9a605b85d362ae87b902b102bddeb0

SHA256
802960b9499e1f227dd99d9ee453c20efe34cb8dd4d2837572ceb3d1060348e5

SHA512
8e6aef78ae6ce90eeb7a4ec06f9aa39156e8767e9356d6c118295b9e997ee45abd0efbd77f148810873acb756b32d7e442de4bee50bc8c8c15316203cec561c4

Download Submit
memory/8-0-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/8-2-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/8-1-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/3808-2828-0x00007FFB91470000-0x00007FFB91480000-memory.dmp

Filesize
64KB

Download
memory/3808-2829-0x00007FFB91470000-0x00007FFB91480000-memory.dmp

Filesize
64KB

Download
memory/3808-2830-0x00007FFB91470000-0x00007FFB91480000-memory.dmp

Filesize
64KB

Download
memory/3808-2827-0x00007FFB91470000-0x00007FFB91480000-memory.dmp

Filesize
64KB

Download
memory/3808-2826-0x00007FFB91470000-0x00007FFB91480000-memory.dmp

Filesize
64KB

Download
memory/3808-2859-0x00007FFB8EC20000-0x00007FFB8EC30000-memory.dmp

Filesize
64KB

Download
memory/3808-2860-0x00007FFB8EC20000-0x00007FFB8EC30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads