0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31

General

Target

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Size

146KB
MD5

668e75099ba454fa1cca10da33a9684a
SHA1

0adeef58c872f8fd1143070cff8fb2415a258189
SHA256

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31
SHA512

bbc5a1e3bb0b64b4ae646e0d6dd1651ffa7258db87fe07e365a4cbff09a54cbbf9ee21ea4cf05b9f8e34ea122af85f4fb4b434da38705bee8b8ec9afd0f1b323
SSDEEP

1536:rzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRM8o9cH789xVqw9sdFoEAUyz:UqJogYkcSNm9V7D/oSHQ9xVqw9sdjAT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\QFXlqRR7Y.README.txt

Ransom Note

>>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: 39919F8926ED7E7C71BF880DDDD2C900 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free with your personal DECRYPTION ID message us for decrypt https://getsession.org/ 05b8d7bdf4c2b1a832b2256eb562f51ad69f2f9d8d274c6dc269cb9be5449fa84c

URLs

https://getsession.org/

Signatures

Renames multiple (609) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPxqo6j6tj4hywi0d8t6gxa84vd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPn4w3ej1poxo2aw_c7vka9mvbc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPocexs70nn38l82a2a5yjl6tfc.TMP	printfilterpipelinesvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies registry class 5 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y\DefaultIcon\ = "C:\\ProgramData\\QFXlqRR7Y.ico"	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.QFXlqRR7Y	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.QFXlqRR7Y\ = "QFXlqRR7Y"	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y\DefaultIcon	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

pid	process
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeDebugPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: 36	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeImpersonatePrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeIncBasePriorityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeIncreaseQuotaPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: 33	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeManageVolumePrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeProfSingleProcessPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeRestorePrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSystemProfilePrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeTakeOwnershipPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeShutdownPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeDebugPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE
3808	ONENOTE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exeprintfilterpipelinesvc.exe

description	pid	process	target process
PID 228 wrote to memory of 392	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe	splwow64.exe
PID 228 wrote to memory of 392	228	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe	splwow64.exe
PID 1520 wrote to memory of 3808	1520	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1520 wrote to memory of 3808	1520	printfilterpipelinesvc.exe	ONENOTE.EXE

C:\Users\Admin\AppData\Local\Temp\0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
"C:\Users\Admin\AppData\Local\Temp\0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:552

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1520

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7BD49FA8-386B-47B0-BCC2-EBE81EBB7496}.xps" 133610637756010000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\LLLLLLLLLLL
Filesize
129B

MD5
89ff671a91b7c8ba887a4611f245b396

SHA1
34adfbe204b292b737e959e7f131cd4eb56c0043

SHA256
ca445f757716580c66d4b5a817d9679292ded93e5c0f32f583632a56d12e2f85

SHA512
ccb308508d41071bdd76d0ea4ae8f161a2820a0c5b1757d1170dd01396c92f6921ee77be074db91ca6e7f1f733d1ceab4b01bc44d05bf90fc7804346d23dd937

Download Submit
C:\QFXlqRR7Y.README.txt
Filesize
1KB

MD5
9a7afacffdde37a8b80e176e4cc65572

SHA1
d97ee1a3bedf605e15cc65caaa30fb6875ddf132

SHA256
eae5e4aae412206b0c03f9cd2605fb33dad08e5bae1abb30c58717a080c59118

SHA512
0d72cc704960fba09d359a1e8ac522cfcb01e49cc96dab9670b1a53163b2ea0e23d806391267ba3ac891cadfb64548afa4a512cb6a70512d903ee156defd3158

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
11fd2f578d3b7a67b29f02c8b0c85cf9

SHA1
534857ab885ec2e6eed36cb13191550d4738eead

SHA256
2ebe28f011a83e4aab1b2f2b2e4d71062b0e8825e4cfb49282634d5ac5490681

SHA512
3f7e40492b3ceeff01d554ba443f136b2ef4d2ed46d0170cdc273fe198c97a2bf08c1bb5a4cf6dc861e4355d564d2fbc874c121402f2817b121f8085c629abe4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD
Filesize
129B

MD5
34ba7f83815bcf90308063f43085b8d2

SHA1
545bc92dfbf6c3ede3507b20ce85ce0b1e6e9103

SHA256
0f472b20a02c6cf2405f07a895deafce25d253355c88d5e34eceb6cf18a67611

SHA512
3b2528f034ed39b8753493e075a416b5cd5516bbde0371990011f585bc0640ee9cf9295dda19c7f8de73baf0366fa182b64dc00b37d7632fda569ad238c5d349

Download Submit
memory/228-1-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/228-0-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/228-2-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/3808-2746-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/3808-2747-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/3808-2749-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/3808-2750-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/3808-2751-0x00007FF983F80000-0x00007FF983F90000-memory.dmp

Filesize
64KB

Download
memory/3808-2752-0x00007FF983F80000-0x00007FF983F90000-memory.dmp

Filesize
64KB

Download
memory/3808-2748-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads