Analysis
- max time kernel: 145s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2024 15:34
Behavioral task: behavioral1
Sample: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
Resource: win7-20240221-en
General
- Target: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe
- Size: 146KB
- MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
- SHA1: 97db912c8f0055152837e424cd8764f905a29930
- SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
- SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
- SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (5526.tmp)
Deletes itself (1 IoC)
Processes:
- PID 3312, 5526.tmp
Executes dropped EXE (1 IoC)
Processes:
- PID 3312, 5526.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (2 IoCs)
Processes:
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini (d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini (d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe)
Drops file in System32 directory (4 IoCs)
Processes:
- File created: C:\Windows\system32\spool\PRINTERS\PPqgbqn1w_9nd74khax31giwgjb.TMP (printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPw0vi0ba2f6gaeqofd972z8auc.TMP (printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPav0b6tylouqfsq56smzuxy87d.TMP (printfilterpipelinesvc.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
- PID 408, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (4 entries)
- PID 3312, 5526.tmp (1 entry)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
Modifies registry class (5 IoCs)
Processes (all by d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 408, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (all 64 entries)
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
- PID 3312, 5526.tmp (all 26 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (all by PID 408, d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe), tokens in the order requested:
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeBackupPrivilege
- Token: SeDebugPrivilege
- Token: 36
- Token: SeImpersonatePrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: 33
- Token: SeManageVolumePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeRestorePrivilege
- Token: SeSecurityPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- The remaining entries (64 in total) are repeated alternating requests for SeBackupPrivilege and SeSecurityPrivilege.
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes:
- PID 1436, ONENOTE.EXE (all 13 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 408 (d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe) wrote to memory of PID 2824, procid_target 89 (2 entries)
- PID 408 (d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe) wrote to memory of PID 3312, procid_target 95 (4 entries)
- PID 576 (printfilterpipelinesvc.exe) wrote to memory of PID 1436, procid_target 96 (2 entries)
- PID 3312 (5526.tmp) wrote to memory of PID 2336, procid_target 97 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe (PID 408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe (PID 2824)
    Command line: C:\Windows\splwow64.exe 12288
    Signatures:
    - Drops file in System32 directory
  - C:\ProgramData\5526.tmp (PID 3312)
    Command line: "C:\ProgramData\5526.tmp"
    Signatures:
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe (PID 2336)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5526.tmp >> NUL
- C:\Windows\system32\svchost.exe (PID 2124)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 576)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 1436)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{51D224B0-A549-4015-93CF-10B5918BB20B}.xps" 133620752507900000
    Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads