0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31

General

Target

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Size

146KB
MD5

668e75099ba454fa1cca10da33a9684a
SHA1

0adeef58c872f8fd1143070cff8fb2415a258189
SHA256

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31
SHA512

bbc5a1e3bb0b64b4ae646e0d6dd1651ffa7258db87fe07e365a4cbff09a54cbbf9ee21ea4cf05b9f8e34ea122af85f4fb4b434da38705bee8b8ec9afd0f1b323
SSDEEP

1536:rzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRM8o9cH789xVqw9sdFoEAUyz:UqJogYkcSNm9V7D/oSHQ9xVqw9sdjAT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\QFXlqRR7Y.README.txt

Ransom Note

>>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: 39919F8926ED7E7C8A1D9E7EBBA44998 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free with your personal DECRYPTION ID message us for decrypt https://getsession.org/ 05b8d7bdf4c2b1a832b2256eb562f51ad69f2f9d8d274c6dc269cb9be5449fa84c

URLs

https://getsession.org/

Signatures

Renames multiple (579) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPe_gv_qwz048ukngvov3iwrem.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP5a6je39ajg_oz70iqf60f10.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPe1ts4rf0lq0tqbwhdqd0y2yl.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies registry class 5 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.QFXlqRR7Y	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.QFXlqRR7Y\ = "QFXlqRR7Y"	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y\DefaultIcon	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y\DefaultIcon\ = "C:\\ProgramData\\QFXlqRR7Y.ico"	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

pid	process
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeDebugPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: 36	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeImpersonatePrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeIncBasePriorityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeIncreaseQuotaPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: 33	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeManageVolumePrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeProfSingleProcessPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeRestorePrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSystemProfilePrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeTakeOwnershipPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeShutdownPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeDebugPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE
4820	ONENOTE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exeprintfilterpipelinesvc.exe

description	pid	process	target process
PID 2724 wrote to memory of 4416	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe	splwow64.exe
PID 2724 wrote to memory of 4416	2724	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe	splwow64.exe
PID 1408 wrote to memory of 4820	1408	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1408 wrote to memory of 4820	1408	printfilterpipelinesvc.exe	ONENOTE.EXE

C:\Users\Admin\AppData\Local\Temp\0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
"C:\Users\Admin\AppData\Local\Temp\0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4332

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1408

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{03F2CA7C-EF1C-48D0-A551-A23283096EBF}.xps" 133610726834660000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\AAAAAAAAAAA
Filesize
129B

MD5
1e86a294e1e323abff058958e26f8620

SHA1
267527974febb275498acdb287ec8d81083c15ba

SHA256
d9506b4cb0af3cc30dfc04478c687eb6081dae92e544efffcc639a2bf227bbb9

SHA512
30362dcf4439d85f05d46d953ded908fcef199054d34c417fb1d6763e599eb433483be28add525ae6d9b1f4ac7d66b3eb9e43f0770e4db1153f7237d63b20a67

Download Submit
C:\QFXlqRR7Y.README.txt
Filesize
1KB

MD5
52f35b0e0752bca1319f52a142a54b47

SHA1
65fe3882bf8fc92b691c82da361b2a4c3fe3ec37

SHA256
cbdd9b07e17a5b7c5c367eab31a405e7b539a19abfdcc103d25fb6f50e6f3c51

SHA512
74f4edd1437989c7369660438450e88b564cb8a60dcb996568feefb06e32f8c49d1bda93ff38ca95ddd1e8dd2dca973bef84f24974d3dfed6c4fc8b5d7bfcca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C2F51E43-3818-48CD-BE10-9046059996F2}
Filesize
4KB

MD5
4deb55a43a427a49f1740e1d98f240c7

SHA1
9ef7715e6eef8d152540066f73ab478be90dee64

SHA256
4c4a0e03c8cc2692e18179b5670effb03adab5873b02f0f6cc5c3b7641e03852

SHA512
ab0080423c8109499758c3911accc54fdafdbc0aa8a0f67a0dd5d78fd699406cd6214b5bb4c88cef8266662e335e8655f281b6f7d5addc539937a3e97981a130

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
cae9239166d25d5a65b63d0e70b55d76

SHA1
34e6adce3aa289b7dc4e83009c1ad181b395bce6

SHA256
a713d0500d62ca0ae914428bbf2e46d564643e9c28ab05b40ef1bc98c221e4cc

SHA512
9c3de9665b06cfc958e56d90f19582951ca31e9de5d2a441dc806861ce7fac4b3565b72696c2d5b20bfaaab5a938673fec331d16ba84c7b49e3d4730ad34b2f3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\DDDDDDDDDDD
Filesize
129B

MD5
92f0f333ee374843d82c5284c2869cd2

SHA1
ddfd5d1f09916c04ffc904a083a6520d05153690

SHA256
fd77fdcfdf84ed2ece787762a7aa0908c94c27e276c21f2bc74b9069ae339b3c

SHA512
e8c3c35504252704d8aac56aa5cd76fa16ca5ae8e84585acd2adefb865e529c5e2bd708c8d0e0d5ba7e90070a2f4b0251e5c9b91c68cf7d8ca1e77e29e0b6b99

Download Submit
memory/2724-2-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2724-0-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2724-1-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/4820-2720-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp

Filesize
64KB

Download
memory/4820-2723-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp

Filesize
64KB

Download
memory/4820-2724-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp

Filesize
64KB

Download
memory/4820-2725-0x00007FFA45EB0000-0x00007FFA45EC0000-memory.dmp

Filesize
64KB

Download
memory/4820-2726-0x00007FFA45EB0000-0x00007FFA45EC0000-memory.dmp

Filesize
64KB

Download
memory/4820-2721-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp

Filesize
64KB

Download
memory/4820-2722-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads