f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4

General

Target

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Size

194KB
MD5

407ea767aa26ae13f9ff20d0999c8dda
SHA1

07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
SHA512

6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
SSDEEP

3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (627) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

A489.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation A489.tmp
Deletes itself 1 IoCs

Processes:

A489.tmp

pid process

4504 A489.tmp
Executes dropped EXE 1 IoCs

Processes:

A489.tmp

pid process

4504 A489.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	A489.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPceyyimvjmxsz2tx04hutf657d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPmv1wenr3nf1dqtndybi1n9x2d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPll0wddbu4egqbwaawyvt3rm6.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exeA489.tmp

pid	process
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
4504	A489.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Modifies registry class 5 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon\ = "C:\\ProgramData\\jC7CNxlVt.ico"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt\ = "jC7CNxlVt"	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

pid	process
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

A489.tmp

pid	process
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp
4504	A489.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeDebugPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: 36	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeImpersonatePrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeIncBasePriorityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeIncreaseQuotaPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: 33	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeManageVolumePrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeProfSingleProcessPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeRestorePrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSystemProfilePrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeTakeOwnershipPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeShutdownPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeDebugPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeBackupPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
Token: SeSecurityPrivilege	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE
1332	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exeprintfilterpipelinesvc.exeA489.tmp

description	pid	process	target process
PID 3508 wrote to memory of 2008	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	splwow64.exe
PID 3508 wrote to memory of 2008	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	splwow64.exe
PID 3956 wrote to memory of 1332	3956	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3956 wrote to memory of 1332	3956	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3508 wrote to memory of 4504	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	A489.tmp
PID 3508 wrote to memory of 4504	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	A489.tmp
PID 3508 wrote to memory of 4504	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	A489.tmp
PID 3508 wrote to memory of 4504	3508	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe	A489.tmp
PID 4504 wrote to memory of 1600	4504	A489.tmp	cmd.exe
PID 4504 wrote to memory of 1600	4504	A489.tmp	cmd.exe
PID 4504 wrote to memory of 1600	4504	A489.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
"C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:2008

C:\ProgramData\A489.tmp
"C:\ProgramData\A489.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A489.tmp >> NUL
3⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4392

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3956

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{20E73C22-723D-4E31-AAE5-8986845C736C}.xps" 133586557274550000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
Filesize
129B

MD5
5ec7f24fd73f2879f2a667f160479885

SHA1
116b18f77870ed110589b15f5ce6f9c11c2f2afe

SHA256
0e031c18a0f53a3459699522e78d377b9f640b1a491ebcb4c4f3efed726c40d2

SHA512
6a3b13dc29307db1fe204f32f3b55ae2f4ff39d141130963fd6b24445c3198861cb3531dd837daadf888d87e89dcbc6f8a9ed4fd11bbc4b8be11226fc8e0eb58

Download Submit
C:\ProgramData\A489.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
194KB

MD5
49859ed90c22a06d1c7cf5516537012b

SHA1
a09ab802c03b31fbbd6e0fb7fd1ddda33bd2cfb6

SHA256
792b588f6e11259dc265560c6848e3854e32f960b41b6742a2fc5071f791ccd7

SHA512
61edcfadddc6110976335d919dbbebc8394395088b5d2b67c4aa05a23fc63687157fba93e0c442c7ae00649c62b7eb68a2ea9a81245df84bbe0373805eb2a5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EEBF1568-53F4-487C-B8EA-05D96EA2DBFA}
Filesize
4KB

MD5
3423d91ede142ecebcec2be60704a335

SHA1
ad952895bd7495cbfbe571e8eaf76a5cdb1be4f8

SHA256
6632ab7736c27c885889474f11de2abc391d375634d7daa58b67c5c625894e7c

SHA512
cef0aa62be64f6b2685bc512bb7de359e7eed2129e12708868ff0de8d88784656e9b695925009e802ac54f2f059302359acd2eb7b5fb54962c7e23f417d3be2f

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
eeb0d7dd0b9add0e0d312b75c1db9154

SHA1
71a376a0ddab278a32145228ede985de74a5250f

SHA256
97d7a4d617027ba626e750dfbf18adb2a134c0be71ee9fcec20c4200d2eb19e4

SHA512
eceb778ec330f51d6299425d39dc5e9e4f122dcd6b9606308c68f807244483bd37ed72a51128c6758fbd90420ec6359b888af3048deca208533b4f8f4a0963e8

Download Submit
C:\Users\Admin\jC7CNxlVt.README.txt
Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\CCCCCCCCCCC
Filesize
129B

MD5
8f6285c40a546f51ae86793618b0f007

SHA1
56d57dd6bf2a33e883739caea4f22daed60911bd

SHA256
05a46cb474afb4dfe529124a24b0c74a4e1662dafff7a104b37b9ea5ebcb19bf

SHA512
0a74c11c42bd57e9c1561dce57060fbc8ae1613e7e6df078cb27cfebb1009b36ab867fd04e43521b72f84253454dfe3d58ee835f0138eb2b25937673301ad80f

Download Submit
memory/1332-2816-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1332-2818-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1332-2817-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1332-2819-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1332-2820-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1332-2853-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

Filesize
64KB

Download
memory/1332-2854-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

Filesize
64KB

Download
memory/3508-2803-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3508-2804-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3508-0-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3508-1-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads