d2d690bcb348fcc6afeaba3fb88ebb1c29df30ebec7aaf85fd91ccf4582693a3

Analysis

max time kernel
43s
max time network
28s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader 3.0.exe
Size

147KB
MD5

ff4cd364323fc2048c35783a38070aef
SHA1

4736172dd07a3a196343b94dd56b4e4edc0f2bce
SHA256

6dd7522accb6773bade16720b53ca577574defae5b1c7caf4b7fc6826dfed7e7
SHA512

c72b07b78ccbcfad14fa9f7bc3e8a086c29969b4f7f30dbe57a1a173cd82d61a20bf5ead0bc7b627d5d7f7f0def71710e2ce09590be7a886ad6c9414981eb961
SSDEEP

1536:FzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDEtDyI4njdbJBGCkmsQwvB6jr4j:GqJogYkcSNm9V7Dk4F91qYUrnbT

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (526) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

95C9.tmp

pid	Process
2404	95C9.tmp

Executes dropped EXE 1 IoCs

Processes:

95C9.tmp

pid	Process
2404	95C9.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

Loader 3.0.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3699363923-1875576828-3287151903-1000\desktop.ini	Loader 3.0.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3699363923-1875576828-3287151903-1000\desktop.ini	Loader 3.0.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PP00s1dvbbtz_0au8qu2jlnfe0c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPeyte4srxhxqbt3dyg79w0880.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPo6o4wdi7s4o5w064u7jhdbo_.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Loader 3.0.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp"	Loader 3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp"	Loader 3.0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

95C9.tmp

pid	Process
2404	95C9.tmp

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Loader 3.0.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\WallpaperStyle = "10"	Loader 3.0.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop	Loader 3.0.exe

Modifies registry class 5 IoCs

Processes:

Loader 3.0.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC	Loader 3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC\ = "Jw5Jgl9mC"	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC	Loader 3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon\ = "C:\\ProgramData\\Jw5Jgl9mC.ico"	Loader 3.0.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Loader 3.0.exeONENOTE.EXE

pid	Process
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
3580	Loader 3.0.exe
4296	ONENOTE.EXE
4296	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

Processes:

95C9.tmp

pid	Process
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp
2404	95C9.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Loader 3.0.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeDebugPrivilege	3580	Loader 3.0.exe
Token: 36	3580	Loader 3.0.exe
Token: SeImpersonatePrivilege	3580	Loader 3.0.exe
Token: SeIncBasePriorityPrivilege	3580	Loader 3.0.exe
Token: SeIncreaseQuotaPrivilege	3580	Loader 3.0.exe
Token: 33	3580	Loader 3.0.exe
Token: SeManageVolumePrivilege	3580	Loader 3.0.exe
Token: SeProfSingleProcessPrivilege	3580	Loader 3.0.exe
Token: SeRestorePrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSystemProfilePrivilege	3580	Loader 3.0.exe
Token: SeTakeOwnershipPrivilege	3580	Loader 3.0.exe
Token: SeShutdownPrivilege	3580	Loader 3.0.exe
Token: SeDebugPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeBackupPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe
Token: SeSecurityPrivilege	3580	Loader 3.0.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Loader 3.0.exeprintfilterpipelinesvc.exe95C9.tmp

description	pid	Process	procid_target
PID 3580 wrote to memory of 3628	3580	Loader 3.0.exe	78
PID 3580 wrote to memory of 3628	3580	Loader 3.0.exe	78
PID 4300 wrote to memory of 4296	4300	printfilterpipelinesvc.exe	80
PID 4300 wrote to memory of 4296	4300	printfilterpipelinesvc.exe	80
PID 3580 wrote to memory of 2404	3580	Loader 3.0.exe	81
PID 3580 wrote to memory of 2404	3580	Loader 3.0.exe	81
PID 3580 wrote to memory of 2404	3580	Loader 3.0.exe	81
PID 3580 wrote to memory of 2404	3580	Loader 3.0.exe	81
PID 2404 wrote to memory of 2468	2404	95C9.tmp	82
PID 2404 wrote to memory of 2468	2404	95C9.tmp	82
PID 2404 wrote to memory of 2468	2404	95C9.tmp	82

C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3628
- C:\ProgramData\95C9.tmp
  "C:\ProgramData\95C9.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\95C9.tmp >> NUL
    3⤵
    PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:4820

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{83017BCF-2D7C-4B44-9F9C-BCE9C7B1A2A0}.xps" 133655044006510000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3699363923-1875576828-3287151903-1000\MMMMMMMMMMM

Filesize
129B

MD5
1bc333858f0a2ffa4175c958e3de4b2c

SHA1
f1238bcd3cdaa706ce1bddc47dd9bae31b42125d

SHA256
70ec8f41c58bea27a832828d80d5da0b0afa34133ce466318bb002d72d8035d8

SHA512
7636984f56f75234a685a1d08a902e8db2b2d865a23c7197576243f06c031a1e53b1bd1e0085367846f96e1304ad158f7402481e47dfc6042ed7cee3f651f582

Download Submit
C:\Jw5Jgl9mC.README.txt

Filesize
1KB

MD5
8b28296a2c168d86adbafc888d0f95f0

SHA1
49d6b109bf24f39c2c0f62c0796b8693c0bd99e5

SHA256
7b3daacf846fe79840647e67d9c5226a7fda47d5b32c24d874654e8ff78ffcc9

SHA512
b0f0e0a6f2962250c3b9f87637854756e7a0fcde561aae14654d0dcd1e1013876442c0354e41c5bc8e3ef57f170ac2073874ff22fdc5656f62f930350f9df6ac

Download Submit
C:\ProgramData\95C9.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
147KB

MD5
8616dac1afd33e6f3ef318104a3ce512

SHA1
9d56ed27ca2d01f996fb0a4f8ffc6dd2c973931d

SHA256
a4b09ce88210454cbfa0f1eb8d29499396604dbd2223a597a7d5c571503869c3

SHA512
6c7fbfc709034f74c9d9069ae7274557dc0d7a72917a9c54cb66d47c03344cbd7cc9d4066edabe060c2ee861f5de777fe3bbdae8f417855b4c510e5335e30a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{17B2376D-2784-4772-B3DD-887C37104175}

Filesize
4KB

MD5
fd86950a5885c5ce5eb2fe119397ee81

SHA1
5bd2a55790944c918e18abfe0d2ace1effd140fb

SHA256
859c425e9ff71f996823329b9db8b56ece4d2e9d713cb56ff07c5a0422eed1e5

SHA512
876d5bb0cb0b7f2805116edaeb869a73b9ef3ef17260e8f0d2a9e602e52c56e967fac69f541a387a51ef1d9ef26fff2ff02c608bff73beb738bd9961b94d5376

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
fb6da6484214760c97424b8c6ecea365

SHA1
e4d7f0c1fcf35fdaa0e9e85d1d9321fed52be6b6

SHA256
38ad84d787fbfe9be9dc771230148655b9f4ffe82c5e63fdea07b0a53c490224

SHA512
0342f235e1e1e260e0f344c502b8161b6fae08adc0ef1c5e7cd27a97ad4ef662fad22ea288b58d79e2b586fbe9cf76f7d963e516b09c8f0174edb7c887fcfdce

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3699363923-1875576828-3287151903-1000\DDDDDDDDDDD

Filesize
129B

MD5
8152cbe230625961a79d874281d91f15

SHA1
bbffd6f9c5343223eae0734309e4712fd1f910b9

SHA256
35eb19c91ceb2c52876377a45d70dd2545b7a985549fc9d3949d24efa2ce703d

SHA512
e62e1b2e80dd53a89ddba75c007062e54ea58d32c1da1b64dac0b1e5bb5ab1ac136df8e5457d3c403dbeae2e3133af2799b00cbfa9a9be44724afd86e8016889

Download Submit
memory/3580-2-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3580-1-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3580-0-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/4296-2924-0x00007FF85F470000-0x00007FF85F480000-memory.dmp

Filesize
64KB

Download
memory/4296-2917-0x00007FF85F470000-0x00007FF85F480000-memory.dmp

Filesize
64KB

Download
memory/4296-2918-0x00007FF85F470000-0x00007FF85F480000-memory.dmp

Filesize
64KB

Download
memory/4296-2927-0x00007FF85F470000-0x00007FF85F480000-memory.dmp

Filesize
64KB

Download
memory/4296-2951-0x00007FF85C4B0000-0x00007FF85C4C0000-memory.dmp

Filesize
64KB

Download
memory/4296-2952-0x00007FF85C4B0000-0x00007FF85C4C0000-memory.dmp

Filesize
64KB

Download
memory/4820-2901-0x000002555F130000-0x000002555F131000-memory.dmp

Filesize
4KB

Download
memory/4820-2900-0x000002555F110000-0x000002555F111000-memory.dmp

Filesize
4KB

Download
memory/4820-2898-0x000002555EFD0000-0x000002555EFD1000-memory.dmp

Filesize
4KB

Download
memory/4820-2896-0x000002555AAF0000-0x000002555AAF1000-memory.dmp

Filesize
4KB

Download
memory/4820-2885-0x000002555A9A0000-0x000002555A9B0000-memory.dmp

Filesize
64KB

Download
memory/4820-2889-0x000002555A9E0000-0x000002555A9F0000-memory.dmp

Filesize
64KB

Download