874d3f892c299a623746d6b0669298375af4bd0ea02f52ac424c579e57ab48fd

General

Target

Document.doc.scr
Size

194KB
MD5

407ea767aa26ae13f9ff20d0999c8dda
SHA1

07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
SHA512

6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
SSDEEP

3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (632) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

E54B.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation E54B.tmp
Deletes itself 1 IoCs

Processes:

E54B.tmp

pid process

3852 E54B.tmp
Executes dropped EXE 1 IoCs

Processes:

E54B.tmp

pid process

3852 E54B.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	E54B.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Document.doc.scr
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP3f0y0k5bf0djg08yi3ov50_cc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPm6_l0xhjqy6k5nnzsw8l0y0j.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPitvmsar99oawczjv5ra2q032c.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scrE54B.tmp

pid process

3968 Document.doc.scr
3968 Document.doc.scr
3968 Document.doc.scr
3968 Document.doc.scr
3852 E54B.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt\ = "jC7CNxlVt"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon\ = "C:\\ProgramData\\jC7CNxlVt.ico"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr
3968	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

E54B.tmp

pid	process
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp
3852	E54B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeDebugPrivilege	3968	Document.doc.scr
Token: 36	3968	Document.doc.scr
Token: SeImpersonatePrivilege	3968	Document.doc.scr
Token: SeIncBasePriorityPrivilege	3968	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	3968	Document.doc.scr
Token: 33	3968	Document.doc.scr
Token: SeManageVolumePrivilege	3968	Document.doc.scr
Token: SeProfSingleProcessPrivilege	3968	Document.doc.scr
Token: SeRestorePrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSystemProfilePrivilege	3968	Document.doc.scr
Token: SeTakeOwnershipPrivilege	3968	Document.doc.scr
Token: SeShutdownPrivilege	3968	Document.doc.scr
Token: SeDebugPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeBackupPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr
Token: SeSecurityPrivilege	3968	Document.doc.scr

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE
4728	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exeE54B.tmp

description	pid	process	target process
PID 3968 wrote to memory of 4072	3968	Document.doc.scr	splwow64.exe
PID 3968 wrote to memory of 4072	3968	Document.doc.scr	splwow64.exe
PID 1484 wrote to memory of 4728	1484	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1484 wrote to memory of 4728	1484	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3968 wrote to memory of 3852	3968	Document.doc.scr	E54B.tmp
PID 3968 wrote to memory of 3852	3968	Document.doc.scr	E54B.tmp
PID 3968 wrote to memory of 3852	3968	Document.doc.scr	E54B.tmp
PID 3968 wrote to memory of 3852	3968	Document.doc.scr	E54B.tmp
PID 3852 wrote to memory of 3580	3852	E54B.tmp	cmd.exe
PID 3852 wrote to memory of 3580	3852	E54B.tmp	cmd.exe
PID 3852 wrote to memory of 3580	3852	E54B.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:4072

C:\ProgramData\E54B.tmp
"C:\ProgramData\E54B.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E54B.tmp >> NUL
3⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2460

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{56795851-77B9-4DCA-8558-3DA0B1FEC309}.xps" 133586550811360000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\QQQQQQQQQQQ
Filesize
129B

MD5
fc1ae6c9658a6b226f4d4ae19a913f8c

SHA1
b6c8d8bac95ad0513bf6061f6619122774016230

SHA256
8dae1fe4730ab200635bd394f2db8abb6f5fb9a4e6b6b1f16df1b4dadeb6dae4

SHA512
3b7ff526918005bb79168b8eac4ca7790ccebd9371ca77980653fafaf23467bbda2a1ca9a676dcfd968c41e5d2737b40c07628388646644eea008c27dfc30995

Download Submit
C:\ProgramData\E54B.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCC
Filesize
194KB

MD5
ad25d0a16e6aeb1a0c1dcacda3d0383d

SHA1
57a384918c30460985f29ad97e7455c93b4ae19a

SHA256
4463655f658c98494d805a92eb290821cf74f8091589980a0d9cba7d5f50e01b

SHA512
5768570511030af056af1d2ac920bb92269b8d3edde4185d0ddcef36b6fb6b1fce5563512de19c8c2c4410cedcf6c051cea5f5751a44139cf9f1f9a7c6c6e017

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A848E936-46E2-4A78-9F25-C431826A27A3}
Filesize
4KB

MD5
cdb1b4413d4713ccbf1bdcad1404cdab

SHA1
3da5d310818f73fdfb2db4c91b4c27f7717ae8b0

SHA256
8ac954ff2c449a0231c887af3c51344661336e9e5501a2b1f976a1a4cf2d9bad

SHA512
27da97904f8f0d6d9972260f4fc144507a6e62d2a4c511d70412fc57ada82bf38f0af2b4562894fbf72cd425fa2e6504b912d609f24dfb31c286db4a5a97ee2f

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
08e492483920e933012e62a37a752b63

SHA1
4ebfb88648de3af4c360355b9f5fdfff9736f1e6

SHA256
ee039b03c90d1bfbf32e3d26816c58c53c39ebf5adf19b0dbbd9403d56ff337f

SHA512
d63193026d0bae6a611d835512ab148479f33b57773a58489a4ce234c7595873a4a799d882c94036c7981dc78fdd32844e1593f012d5283256309d0ac8f74620

Download Submit
C:\jC7CNxlVt.README.txt
Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD
Filesize
129B

MD5
c6916d469e83dc33d6bb83b8b35b3905

SHA1
708d2f73c76e33677515bdedd411ec87f19c4f2f

SHA256
392e235c21da74cc672f8b2f6d4cfd9b02b7be03b5713cc79fd98aa156489c80

SHA512
4b32d26212aca8d26a21e4ef94e5d8532f4b17ae5c655903716777ea7fc69f02d68eec1e7868ec0d5961a269695fb4ebbbf76fd2785141966190b659c4207465

Download Submit
memory/3968-2-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/3968-2812-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/3968-2813-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/3968-2811-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/3968-1-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/3968-0-0x0000000001520000-0x0000000001530000-memory.dmp

Filesize
64KB

Download
memory/4728-2825-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

Filesize
64KB

Download
memory/4728-2829-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

Filesize
64KB

Download
memory/4728-2828-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

Filesize
64KB

Download
memory/4728-2862-0x00007FFC00310000-0x00007FFC00320000-memory.dmp

Filesize
64KB

Download
memory/4728-2863-0x00007FFC00310000-0x00007FFC00320000-memory.dmp

Filesize
64KB

Download
memory/4728-2827-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

Filesize
64KB

Download
memory/4728-2826-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads