03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Size

147KB
MD5

6ac5cd70e043576b82a313273150f0d9
SHA1

2c3b2ed20f1e8e630c61109288bd0ac64b5e0329
SHA256

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1
SHA512

c77a84cc5ae2cf246278a736051baa44d1f15496547a2bfbba2cbd65e207b6e17a6b9fb4a221b4ec4286c4d80fa65709854cbd46d14a4548fbcf9fb72d01def5
SSDEEP

1536:nzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDpAv5wo3Lk6eEVNAhaxlxxFmwUk:YqJogYkcSNm9V7DpKv3L35Sslxx0wT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\zpvmjd9JY.README.txt

Ransom Note

~~~AsiriumSquad~~~ >>>> Your data are stolen and encrypted. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack worldwide and there is no dissatisfied victim after payment. >>>> You need contact us to decrypt file. buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $300. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Moonpay.com Important!: your pc, your personal life, your liberty is in danger ! take this serius if u dont pay whe Must ruin ur life otherwise no one will pay. Payment informationAmount: 0.004 BTC Bitcoin Address: bc1q07v4dm6q5ln5w3ac93ue8jdvcjmq8tg3tvlmlr Contact us with Your personal DECRYPTION ID and screenshot of PAYMENT at: [email protected] >>>> Your personal DECRYPTION ID: 8D9634EC6DA0FEAA9F738826B7A2D825 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Emails

[email protected]

Signatures

Renames multiple (570) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7754.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	7754.tmp

Deletes itself 1 IoCs

Processes:

7754.tmp

pid	Process
4176	7754.tmp

Executes dropped EXE 1 IoCs

Processes:

7754.tmp

pid	Process
4176	7754.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPsgu7bgisr7_mvz5m7ya6geosc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPulxuv7a0uw2gjtla3wop3rgd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP8c0puignny8313n95rz6eccoc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zpvmjd9JY.bmp"	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zpvmjd9JY.bmp"	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7754.tmp

pid	Process
4176	7754.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "10"	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

Modifies registry class 5 IoCs

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zpvmjd9JY\DefaultIcon	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zpvmjd9JY	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zpvmjd9JY\DefaultIcon\ = "C:\\ProgramData\\zpvmjd9JY.ico"	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zpvmjd9JY	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zpvmjd9JY\ = "zpvmjd9JY"	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

pid	Process
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

7754.tmp

pid	Process
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp
4176	7754.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeDebugPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: 36	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeImpersonatePrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeIncBasePriorityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeIncreaseQuotaPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: 33	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeManageVolumePrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeProfSingleProcessPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeRestorePrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSystemProfilePrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeTakeOwnershipPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeShutdownPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeDebugPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeBackupPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
Token: SeSecurityPrivilege	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE
1144	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exeprintfilterpipelinesvc.exe7754.tmp

description	pid	Process	procid_target
PID 4184 wrote to memory of 824	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe	86
PID 4184 wrote to memory of 824	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe	86
PID 3704 wrote to memory of 1144	3704	printfilterpipelinesvc.exe	89
PID 3704 wrote to memory of 1144	3704	printfilterpipelinesvc.exe	89
PID 4184 wrote to memory of 4176	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe	90
PID 4184 wrote to memory of 4176	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe	90
PID 4184 wrote to memory of 4176	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe	90
PID 4184 wrote to memory of 4176	4184	03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe	90
PID 4176 wrote to memory of 3048	4176	7754.tmp	91
PID 4176 wrote to memory of 3048	4176	7754.tmp	91
PID 4176 wrote to memory of 3048	4176	7754.tmp	91

C:\Users\Admin\AppData\Local\Temp\03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe
"C:\Users\Admin\AppData\Local\Temp\03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:824
- C:\ProgramData\7754.tmp
  "C:\ProgramData\7754.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7754.tmp >> NUL
    3⤵
    PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2136

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{BC4DCC17-043B-470E-854F-D26B58F63032}.xps" 133627095297160000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\LLLLLLLLLLL

Filesize
129B

MD5
95cf15083a502fb4d296023d3ab1beb9

SHA1
ac346aa8c81484db0d26652ba5e6aae672830f7a

SHA256
f9f27685bcdb67b35215fb3f4493ec74f54738dad4d8c3e8f388a2539328ba07

SHA512
086122c2a4770b8fa61b353fa2d5048652a273b0bc2dee9dc1b204ff624953644f12463656dca83a868b389894097cb502e2966ba5acc6cb6eba01fc8b782ed1

Download Submit
C:\ProgramData\7754.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Filesize
147KB

MD5
8471dc955e68175222e6e5adc260db41

SHA1
2e1762cd71a72330118ebd21b4c48541b464bc0e

SHA256
062e40962a306d2909c574e36945b8a8ad411e79efd918b8057a888230dc48a4

SHA512
df966fafc5a5cae1acbc782b5b6eab50e8c97de841f14163330ac9e035287b9331d8cf1941687ae43d18cb6a713ee85647d2c440ad204f239babb4dfb4c464d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21752691-2AE8-4E4C-A952-77D6BA5AC55B}

Filesize
4KB

MD5
e45d3436dd2a0b5a80b886a4e0b39190

SHA1
c2ffdf0c6cf89109be4b6e9a4e8182f0391a5530

SHA256
74f2e843a9fa1f2b22eb7430474f66cf2a413e01a4de2c2a6ef7f1172daf16b6

SHA512
6519abc4942e2edc7bea79a414689ef4a3dbd67e4d0191ed276f45bdf6f189745bafe3868d6845baae0c1e9f6aeb96726c341740ea80e785982911e727cbcafb

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
f29b9638cfbd2bd939fc177edd089ee0

SHA1
12555a1adfb4ffc6952bef675b1aa72e51ef9d8a

SHA256
1a13904e2baed7f84e4a99134c23bd461047c765052207f76ef80663ae40de21

SHA512
96cc6e7f6da72eadfd1e94ade72ed55de70d73f4cc9f9ffa4fc0b8795e20eb05a322cba67b02fba6e9d592bd28a63fa563f5c3f475680aad4b1f8868a0bc750b

Download Submit
C:\zpvmjd9JY.README.txt

Filesize
1KB

MD5
22467958b4d0cfcba22d879bfc503f74

SHA1
df5e771eb38e19e3439a41f037f6d2a04e6c80e9

SHA256
6e7fd5418cff79e2e5b6b64aa78be06338c2ed62c3887b382180c0fe6a0b67eb

SHA512
effd5fa8c8b47ba8aad3d461b054349b624898bf2b89dd9ae0af7ac8628e4475f3832408a4b1a0a3ef14653f1a0da7fd093f50b84d14dca37595eda286aaf76b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\DDDDDDDDDDD

Filesize
129B

MD5
bbacb56138fa21a86bda89266562deb2

SHA1
c5a6138bbe83ba8c1543a18f637eff92e5223b42

SHA256
805c2484d8f9f7647b29625f86e46a03aef88fd9fa7e6d2d9a2a0ae43802f4c1

SHA512
7e8b7bc59417314a25092a37a16de5f25bcb3b22fb974a87d47094ba28c9b4b417560ad6c16cb1c7ad5d28ecc6219af4a85fd642cbe192e2e81832725646b714

Download Submit
memory/1144-2714-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/1144-2715-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/1144-2716-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/1144-2713-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/1144-2712-0x00007FFCE6E30000-0x00007FFCE6E40000-memory.dmp

Filesize
64KB

Download
memory/1144-2749-0x00007FFCE46E0000-0x00007FFCE46F0000-memory.dmp

Filesize
64KB

Download
memory/1144-2750-0x00007FFCE46E0000-0x00007FFCE46F0000-memory.dmp

Filesize
64KB

Download
memory/4184-1-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/4184-2-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/4184-0-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download