43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Size

350KB
MD5

2ca90a883f3db6d96bc5722be2fb8bc2
SHA1

0e8c787283fa2c046f388ef0c5fa215541a97043
SHA256

43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792
SHA512

c87f815182108f62fffd502d590284ae3f0f4c6dabc823271da87dbe5f54c843eb65cc690314e0ac10188b3e43c258ace549567fe7380b4d217c2befbcde3c74
SSDEEP

6144:9yAIPCuAZOXWUVg1XN5MC81xSNmG+f0bwu/WekQTp4Aum1:9MPCuAZOXRu1zMd1xaH+f0bn/Wexp4AJ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\iHpE7aGA3.README.txt

Ransom Note

~~~ ############################################~~~ YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: 9ZBmWdet8f1JlGuD6wXnVL7YEzCpFk5QoIScRsh4KgvNqUPy3TM02Oxjbai AHrYzBOCDmMiT9SdByUHVnikJS8i3JN83X5wzhTArBh59XFkyhocrfLLJOM 4PF6jRhHv3PCAj9dH0qWwLbBerVrYVKKsqFs2WTAicFxaxi05fJyUPRpZXgG p7mWr6RgYgXEbUXYldb26gl9CDAdzifhk5IMFRHR1yZk00U2tGTG3oyzZo3s UuC96xy0ulnU4yjd6ahHB5KWGl9sozpjo6OWitVD1ZaIF0ID1o0ILJih6ptPGB CONTACT US BY MAIL: [email protected] CONTACT US BY MAIL 2: [email protected] CONTACT US BY UTOX ID: 34BA12E4BE532885BAD25BDC4EFA0BCC4145B76B58A90E0C4E2A80D37A5A9F30E03477050899 Download link UTOX: https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com

Emails

[email protected]

URLs

https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe

Signatures

Renames multiple (607) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	84A2.tmp

Deletes itself 1 IoCs

pid	Process
4592	84A2.tmp

Executes dropped EXE 1 IoCs

pid	Process
4592	84A2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPeyc9oq0n9lnqzvtw_n5190e4b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPmcb1j_6jlb01ao4ik2uobcc0c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPn9up82vn_00wqlng5_pla8hpc.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4592	84A2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp
4592	84A2.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeDebugPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: 36	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeImpersonatePrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeIncBasePriorityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeIncreaseQuotaPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: 33	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeManageVolumePrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeProfSingleProcessPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeRestorePrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSystemProfilePrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeTakeOwnershipPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeShutdownPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeDebugPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE
4364	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 4780	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	95
PID 4556 wrote to memory of 4780	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	95
PID 4556 wrote to memory of 4592	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	100
PID 4556 wrote to memory of 4592	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	100
PID 4556 wrote to memory of 4592	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	100
PID 4556 wrote to memory of 4592	4556	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	100
PID 2332 wrote to memory of 4364	2332	printfilterpipelinesvc.exe	101
PID 2332 wrote to memory of 4364	2332	printfilterpipelinesvc.exe	101
PID 4592 wrote to memory of 2028	4592	84A2.tmp	102
PID 4592 wrote to memory of 2028	4592	84A2.tmp	102
PID 4592 wrote to memory of 2028	4592	84A2.tmp	102

C:\Users\Admin\AppData\Local\Temp\43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
"C:\Users\Admin\AppData\Local\Temp\43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:4780
- C:\ProgramData\84A2.tmp
  "C:\ProgramData\84A2.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\84A2.tmp >> NUL
    3⤵
    PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3464

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B8D3AF8B-3556-442B-ABAB-FD51FFBECF7D}.xps" 133616105914290000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\IIIIIIIIIII

Filesize
129B

MD5
1fe7fc89e4083af7ca2e1949cabca59a

SHA1
f4347c240b7c9653af409817068664803ead284e

SHA256
3e123cd9ae5af509f6edaa952910d27f3c5fb216be652c7e9b95a4ad8c03ae3c

SHA512
97bdd4d94c081c35ca6e4c702c182595e64f0e305023c3d3015077f1b2c18595e4a4ddb8c1af4f9990f84b52765bf250c9c77d33f7835853556eee8f25faca0a

Download Submit
C:\ProgramData\84A2.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
350KB

MD5
ec79c29385d9c733a90fbbc72f7bb247

SHA1
d76195ed8f0679a4ecace016aa1da9a78e67385d

SHA256
6cea23ff8990bc7f9f11761f5ba882aae7c90b57137ed385a792f5640fdc9dd3

SHA512
3b52eb5d3e2e8fb99d40df02b73780299f4c9436c61cb2a0b6b7d2548853dc6fb3a83eb294da362d345ee10b832ce65f4385a49ad00be40211703258902425f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{361B1435-8CEF-4690-AB4F-B713A92FC811}

Filesize
4KB

MD5
a435579905464ada6cff77d08ba44e90

SHA1
786f7d610d7be3dc763fb12faa575457703be65f

SHA256
bb442972658b47f0cbc3bda644547259935aa03ec3fd4c6cf88c2a51e0b7cc79

SHA512
5b8d3504e1ffd2880b5453469d06cddf55141926d2248a170d5222bda46316b7e9d036c4985d3c4ee518d3fa4a361f55bbde51f9a03aa40c70f07eeefecf4696

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
6ee79e8329fe4cc7ea8c67cbaaa2c33d

SHA1
4205d20731de8d118ae26941ab90364ba9c24635

SHA256
4b2df6ceceae93746fda05a8a2f77d9ea4a4095d7373aa4d649bef8fe9c75621

SHA512
789db1145baa5143324bc6394e85ab315bd38ed547220e3d08c9d90304d3ba56a6718a05ddc46b6bbef794ca6ce1911d2625f1a53b5983c671cf02d23766fb46

Download Submit
C:\iHpE7aGA3.README.txt

Filesize
1KB

MD5
481f6946b253bb263007b53a2010c7a4

SHA1
fd65cc5ebca40e832d31601e4304e0e1e2f5ea89

SHA256
34b4b51dc57d0cd622e0c06811701b615d01a85f8c3bc41f13ce9304b99398f7

SHA512
a6e1f48429fb3649180ae94a3f826684b16d1db9dfc699048185182049fc7058e517e3583474b1124bfa4425057633967ec07213fb02af9481a5cf8a0ba1aa98

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD

Filesize
129B

MD5
be7165174ae0767fb8f117dbc8b22b0b

SHA1
2ff6f52e1b9d770f9be751d3d556aed59e736540

SHA256
5286cb876ef38f30c48dbe9575b85684aa91231f6f06b782aa4ac60477945d38

SHA512
2060dd2448605a10be00b0079e48e682da21d03e25ca5fd8a72f8498aa7785454d3bb049106074395a2682be615894b34414313fe981b671c6fd334c0614c6cd

Download Submit
memory/4364-2761-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/4364-2760-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/4364-2794-0x00007FF983F80000-0x00007FF983F90000-memory.dmp

Filesize
64KB

Download
memory/4364-2793-0x00007FF983F80000-0x00007FF983F90000-memory.dmp

Filesize
64KB

Download
memory/4364-2765-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/4364-2763-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/4364-2762-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/4556-5-0x0000000000401000-0x0000000000419000-memory.dmp

Filesize
96KB

Download
memory/4556-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-2759-0x00000000023A0000-0x00000000023DC000-memory.dmp

Filesize
240KB

Download
memory/4556-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-4-0x00000000023A0000-0x00000000023DC000-memory.dmp

Filesize
240KB

Download
memory/4556-2743-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-3-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4556-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download