Analysis
max time kernel: 92s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 02:19

Behavioral task: behavioral1
Sample: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
Resource: win7-20240221-en
General
Target: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
Size: 146KB
MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
SHA1: 97db912c8f0055152837e424cd8764f905a29930
SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 8A20.tmp: Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
Processes:
- PID 2096: 8A20.tmp
Executes dropped EXE 1 IoCs
Processes:
- PID 2096: 8A20.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 2 IoCs
Processes:
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: File opened for modification C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini
Drops file in System32 directory 4 IoCs
Processes:
- splwow64.exe: File created C:\Windows\system32\spool\PRINTERS\00002.SPL
- printfilterpipelinesvc.exe: File created C:\Windows\system32\spool\PRINTERS\PPdp2xw4p31uji727oroi5uw_vb.TMP
- printfilterpipelinesvc.exe: File created C:\Windows\system32\spool\PRINTERS\PP0xnij9x_ky3_pqqvzj8a10tce.TMP
- printfilterpipelinesvc.exe: File created C:\Windows\system32\spool\PRINTERS\PPvns9dwe581k0n26i6uktkbk4b.TMP
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
- PID 2044: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (4 entries)
- PID 2096: 8A20.tmp (1 entry)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- ONENOTE.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- ONENOTE.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- ONENOTE.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class 5 IoCs
Processes:
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS
- d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2044: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (the same entry repeated for all 64 IoCs)
Suspicious behavior: RenamesItself 26 IoCs
Processes:
- PID 2096: 8A20.tmp (the same entry repeated for all 26 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (all entries are PID 2044, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe):
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeBackupPrivilege
- Token: SeDebugPrivilege
- Token: 36
- Token: SeImpersonatePrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: 33
- Token: SeManageVolumePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeRestorePrivilege
- Token: SeSecurityPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- The remaining entries alternate between Token: SeBackupPrivilege and Token: SeSecurityPrivilege (repeated).
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
- PID 4408: ONENOTE.EXE (the same entry repeated for all 13 IoCs)
Suspicious use of WriteProcessMemory 11 IoCs
Processes (description; pid and Process; procid_target):
- PID 2044 wrote to memory of 5100; 2044 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe; 92 (2 entries)
- PID 2044 wrote to memory of 2096; 2044 d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe; 97 (4 entries)
- PID 4944 wrote to memory of 4408; 4944 printfilterpipelinesvc.exe; 98 (2 entries)
- PID 2096 wrote to memory of 4848; 2096 8A20.tmp; 99 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"
   PID: 2044
   - Drops desktop.ini file(s)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 5100
      - Drops file in System32 directory
   2. C:\ProgramData\8A20.tmp
      Command line: "C:\ProgramData\8A20.tmp"
      PID: 2096
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8A20.tmp >> NUL
         PID: 4848
1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
   PID: 2628
1. C:\Windows\system32\printfilterpipelinesvc.exe
   Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
   PID: 4944
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{12028925-39B7-4269-91E3-376A42A9DA82}.xps" 133620279022570000
      PID: 4408
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads