Analysis
-
max time kernel
129s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2024, 01:09
Static task
static1
Behavioral task
behavioral1
Sample
5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
Resource
win7-20240221-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
-
Size
2.2MB
-
MD5
08cee68cb913dd71800f0283c49af6d3
-
SHA1
eb4058134cd74c681445a1a81c31ef729c80a7ec
-
SHA256
5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad
-
SHA512
1052130474915e5256c1bcc95636489535e38ca23cfb615e6b0e8b6c37c6c6ba89aa793a9aac9321d843d0cd0c6f10c85a30b2b689531c457638ce26555276fc
-
SSDEEP
49152:+8cRU4kwcctnR19Y1Iqdwc2EyEvh6Re14IIQ+cUznT9PuYXVWXCxzhm:+TXkw5RWlifE3vwVIB+cnYXkgm
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\bQ8ODxIi2.README.txt
Ransom Note
~~~ AlphaCat ~~~
>>>> Your data are stolen and encrypted
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
Life is too short to be sad. Be not sad, money, it is only paper.
If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
Therefore to us our reputation is very important. We attack worldwide and there is no dissatisfied victim after payment.
>>>> You need contact us via email with srenshot of btc transaction and your personal DECRYPTION ID
Contact via Email with your personal Decryption id !: [email protected]
Send 400$ (0.006 BTC) at this address --> bc1qkr7wxuqwet9w6920vk94p7npkxh33fc7prv55q
>>>> Your personal DECRYPTION ID: D53F15BF767167BC1ADF744D4AE609C5
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack repeatedly again!
Emails
Signatures
-
Detect ZGRat V1 34 IoCs
resource yara_rule behavioral2/memory/2380-2-0x0000000004CA0000-0x0000000004ED2000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-8-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-20-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-44-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-31-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-18-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-16-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-14-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-12-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-10-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-5-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-6-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-64-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-68-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-66-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-62-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-60-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-58-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-56-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-54-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-52-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-50-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-48-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-46-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-42-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-40-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-38-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-36-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-34-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-32-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-28-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-26-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-24-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 behavioral2/memory/2380-22-0x0000000004CA0000-0x0000000004ECC000-memory.dmp family_zgrat_v1 -
Renames multiple (602) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation CF76.tmp -
Deletes itself 1 IoCs
pid Process 5216 CF76.tmp -
Executes dropped EXE 1 IoCs
pid Process 5216 CF76.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PP7k3udbabi_f7l55ialwmg2vcd.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP02y5tayi_8u50cwixtlq0f11.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP0ls3b49mp6ciut2g6esz9ofib.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bQ8ODxIi2.bmp" 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bQ8ODxIi2.bmp" 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 5216 CF76.tmp -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2380 set thread context of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\WallpaperStyle = "10" 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bQ8ODxIi2\DefaultIcon\ = "C:\\ProgramData\\bQ8ODxIi2.ico" 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bQ8ODxIi2 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bQ8ODxIi2\ = "bQ8ODxIi2" 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bQ8ODxIi2\DefaultIcon 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bQ8ODxIi2 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp 5216 CF76.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeDebugPrivilege 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeAssignPrimaryTokenPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeDebugPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: 36 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeImpersonatePrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeIncBasePriorityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeIncreaseQuotaPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: 33 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeManageVolumePrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeProfSingleProcessPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeRestorePrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSystemProfilePrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeTakeOwnershipPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeShutdownPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeDebugPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeSecurityPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe Token: SeBackupPrivilege 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE 5260 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2380 wrote to memory of 2360 2380 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 88 PID 2360 wrote to memory of 1788 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 101 PID 2360 wrote to memory of 1788 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 101 PID 4328 wrote to memory of 5260 4328 printfilterpipelinesvc.exe 104 PID 4328 wrote to memory of 5260 4328 printfilterpipelinesvc.exe 104 PID 2360 wrote to memory of 5216 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 105 PID 2360 wrote to memory of 5216 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 105 PID 2360 wrote to memory of 5216 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 105 PID 2360 wrote to memory of 5216 2360 5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe 105 PID 5216 wrote to memory of 5496 5216 CF76.tmp 106 PID 5216 wrote to memory of 5496 5216 CF76.tmp 106 PID 5216 wrote to memory of 5496 5216 CF76.tmp 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"2⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Drops file in System32 directory
PID:1788
-
-
C:\ProgramData\CF76.tmp"C:\ProgramData\CF76.tmp"3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CF76.tmp >> NUL4⤵PID:5496
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4600
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A273A684-E4A8-452A-BAB4-5F15FA7AD538}.xps" 1335934500400100002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5fac04019527681e91fa2bd54bb85615b
SHA1f6fb2d12617eec5358786101b727f3428582c6a7
SHA256f2938b3833c6db656a8ae178bb6b20532a280c5856e6e959e0d32303e106d8c9
SHA5125c3234c3ba38395e82150bc0cf8c39393b79c2dbce2739e9c97e978304ae7537bb5e801aa0f46e7ba174c778d222564507955e69c7f0fafcaa82a3753c2fd23d
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize2.2MB
MD5ad27bb5e8ddab44affeac2e83c1f6c1a
SHA11b1a62f0a837354e6ed4242c28ad15190477ed88
SHA256c8addfb018bae86d877e0b6818d1353a60ad9efa1814900d52c1aa18a7a49d2b
SHA512a1fe709da79e0df89d3e097a29a97b1914ecadfca906b40cc526118c232ea7b693a16ea2e5b1a1715269a503eb193d558686a523f01a7dd4889c2a9d61e7c000
-
Filesize
4KB
MD597e754a18bbbcd55d3af14e3b4dfbc8a
SHA17899983167c7fe062266d0c2f8f66cecfaf08ace
SHA2560808564499c047f544b8dc6463072323dda7f99524d92edfec39a597565c4913
SHA512e3d1f37a74e5975e152241b8614bb5306633c28f33964601f236f116984d39a0633b789dde2ae3b3cf94081b576e6f2ec28f54589d4c27caa27cbd73acd4c291
-
Filesize
1KB
MD5c3150a2c90655c6bd338de444b58093e
SHA1579ca6589b30aa868ef2451e24306e5e705a5e7e
SHA2567f67ce362e49832d66c321fdde1a403cc6220bf9950bbf7fc75d654ec1615801
SHA5121df29a47256b3b99038aa1927bfa377ef803db1f27c414db68c9da8103e2fcefefafa216ad93f2da33198de9244081616a7fda8a70cd048623bdf4a6528a377d
-
Filesize
129B
MD50a7794458eccf26fe322d7d4c626fe0b
SHA1ea55ff12b658f1dbed103464eecee9f38b4c95f1
SHA256dd15d166c543a39dffaa7da3963fe2a54ac93d000ce7c1ccd4eb8d5545a976f8
SHA512c19ee41263b6030eca8c4694bd379a857d25f14fe98b543f2979cdd8fbcdaf6ffb44bed1af0d99e851e7deab88a64333d42798ae01e1ab260389ea487670e14b