d2d690bcb348fcc6afeaba3fb88ebb1c29df30ebec7aaf85fd91ccf4582693a3

Analysis

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
15-07-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader 3.0.exe
Size

147KB
MD5

ff4cd364323fc2048c35783a38070aef
SHA1

4736172dd07a3a196343b94dd56b4e4edc0f2bce
SHA256

6dd7522accb6773bade16720b53ca577574defae5b1c7caf4b7fc6826dfed7e7
SHA512

c72b07b78ccbcfad14fa9f7bc3e8a086c29969b4f7f30dbe57a1a173cd82d61a20bf5ead0bc7b627d5d7f7f0def71710e2ce09590be7a886ad6c9414981eb961
SSDEEP

1536:FzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDEtDyI4njdbJBGCkmsQwvB6jr4j:GqJogYkcSNm9V7Dk4F91qYUrnbT

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (569) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

C6AC.tmp

pid	Process
4136	C6AC.tmp

Executes dropped EXE 1 IoCs

Processes:

C6AC.tmp

pid	Process
4136	C6AC.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

Loader 3.0.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1376880307-1734125928-2892936080-1000\desktop.ini	Loader 3.0.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1376880307-1734125928-2892936080-1000\desktop.ini	Loader 3.0.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPg0j0s2ef0ei395rv7o04wqtbd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPjykryqscfb03owvzm0kjp9okb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPpsojbw03kl7bccyumf6wk2g2c.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Loader 3.0.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp"	Loader 3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp"	Loader 3.0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

C6AC.tmp

pid	Process
4136	C6AC.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Loader 3.0.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop	Loader 3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\WallpaperStyle = "10"	Loader 3.0.exe

Modifies registry class 5 IoCs

Processes:

Loader 3.0.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC	Loader 3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC\ = "Jw5Jgl9mC"	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC	Loader 3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon\ = "C:\\ProgramData\\Jw5Jgl9mC.ico"	Loader 3.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Loader 3.0.exe

pid	Process
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe
4344	Loader 3.0.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

C6AC.tmp

pid	Process
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp
4136	C6AC.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Loader 3.0.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeDebugPrivilege	4344	Loader 3.0.exe
Token: 36	4344	Loader 3.0.exe
Token: SeImpersonatePrivilege	4344	Loader 3.0.exe
Token: SeIncBasePriorityPrivilege	4344	Loader 3.0.exe
Token: SeIncreaseQuotaPrivilege	4344	Loader 3.0.exe
Token: 33	4344	Loader 3.0.exe
Token: SeManageVolumePrivilege	4344	Loader 3.0.exe
Token: SeProfSingleProcessPrivilege	4344	Loader 3.0.exe
Token: SeRestorePrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSystemProfilePrivilege	4344	Loader 3.0.exe
Token: SeTakeOwnershipPrivilege	4344	Loader 3.0.exe
Token: SeShutdownPrivilege	4344	Loader 3.0.exe
Token: SeDebugPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeBackupPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe
Token: SeSecurityPrivilege	4344	Loader 3.0.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Loader 3.0.exeprintfilterpipelinesvc.exeC6AC.tmp

description	pid	Process	procid_target
PID 4344 wrote to memory of 868	4344	Loader 3.0.exe	84
PID 4344 wrote to memory of 868	4344	Loader 3.0.exe	84
PID 4828 wrote to memory of 5108	4828	printfilterpipelinesvc.exe	87
PID 4828 wrote to memory of 5108	4828	printfilterpipelinesvc.exe	87
PID 4344 wrote to memory of 4136	4344	Loader 3.0.exe	88
PID 4344 wrote to memory of 4136	4344	Loader 3.0.exe	88
PID 4344 wrote to memory of 4136	4344	Loader 3.0.exe	88
PID 4344 wrote to memory of 4136	4344	Loader 3.0.exe	88
PID 4136 wrote to memory of 3472	4136	C6AC.tmp	89
PID 4136 wrote to memory of 3472	4136	C6AC.tmp	89
PID 4136 wrote to memory of 3472	4136	C6AC.tmp	89

C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:868
- C:\ProgramData\C6AC.tmp
  "C:\ProgramData\C6AC.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C6AC.tmp >> NUL
    3⤵
    PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4480

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{63853560-ADB9-455E-A17D-84F54F74F743}.xps" 133655044030130000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1376880307-1734125928-2892936080-1000\SSSSSSSSSSS

Filesize
129B

MD5
089584bbb23f9af37f0f2ab708cf6c9e

SHA1
6c6662f2c96ce4bcac6572760a0812fc6afec98a

SHA256
04cb77bd25b3b183a5407c6c30b1e019d661a22e878099659b435e53498e0b19

SHA512
b838c5b6356017b0a31cad2e7631762ce9fa6c111adf1370f19d41d01d75ee6bb3c574c9fd0f91875d560f0c258bf2200d8835cd6bd1d36d42fda651b77fb2b4

Download Submit
C:\Jw5Jgl9mC.README.txt

Filesize
1KB

MD5
8b28296a2c168d86adbafc888d0f95f0

SHA1
49d6b109bf24f39c2c0f62c0796b8693c0bd99e5

SHA256
7b3daacf846fe79840647e67d9c5226a7fda47d5b32c24d874654e8ff78ffcc9

SHA512
b0f0e0a6f2962250c3b9f87637854756e7a0fcde561aae14654d0dcd1e1013876442c0354e41c5bc8e3ef57f170ac2073874ff22fdc5656f62f930350f9df6ac

Download Submit
C:\ProgramData\C6AC.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
147KB

MD5
0634e286bf0b033878a0c25ce7d8de45

SHA1
24bbc18188e50ab5e75e26b13b2e75b53362cff8

SHA256
721715b71157d60979ea6e40195bd319c7e04958984081707c85d5a7bc51089d

SHA512
ce2df89dc835df8721594ae89e6157aaf02df585c75679f25b9b0b879212a349861c0753221f7e769aed6e45cd266587d39a7bb4c0776a6238bda7bcec720b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C49CB14E-912B-4233-8B24-974F5381120D}

Filesize
4KB

MD5
ac4b12249268a8359e901068f5b11488

SHA1
ea0435fce6db5d4fbf71911a59f80cbad73402e0

SHA256
7684ee50002bdfa03b139eda9de6210f769ec18cd27faa5cdbbc6f0d207a3efb

SHA512
9afde99d61bdd08540e626d167bffd13186b6d04b0f409174723a8953619ab41a21eb0822b11c5c5d2b635603d1afaad47513cc150b9a3752c4317954b64f539

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
a190da1877d6beebdb40823398bdecde

SHA1
1b69439f87da4eebdd4e22e3a2244175a9dab966

SHA256
6e3e1ebe6adc0c3e34ecb4b7e2a85a8d6593cd40d75f657695241805d6175fb9

SHA512
9f680ba20709f947c48a9638b9a8cef82e45df440a7dd3cf20ab69e8b32f1bb1c2b2c6b188250248fe288e5ab34884d66c5fc7616ec00ecbe9aa86bdf983de63

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1376880307-1734125928-2892936080-1000\DDDDDDDDDDD

Filesize
129B

MD5
18069b945149455e99dc4cd485751f05

SHA1
fc3de59848028619512dfa01761218a9fad4a0d5

SHA256
bf60418aa99124f128409b35d9954fcc3fbfaffba42fcf09bb4e4a8ebfb811eb

SHA512
e3c2449ade9577a451944a7f5d1649453269ae7b2e083d9b5f5da00e1ccbe4b60f8221c01bb888f518a31c4deaefe259c476227451f6b7c544e538d671a697c7

Download Submit
memory/4344-2-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/4344-0-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/4344-1-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/5108-2761-0x00007FFC7BF70000-0x00007FFC7BF80000-memory.dmp

Filesize
64KB

Download
memory/5108-2760-0x00007FFC7BF70000-0x00007FFC7BF80000-memory.dmp

Filesize
64KB

Download
memory/5108-2762-0x00007FFC7BF70000-0x00007FFC7BF80000-memory.dmp

Filesize
64KB

Download
memory/5108-2763-0x00007FFC7BF70000-0x00007FFC7BF80000-memory.dmp

Filesize
64KB

Download
memory/5108-2759-0x00007FFC7BF70000-0x00007FFC7BF80000-memory.dmp

Filesize
64KB

Download
memory/5108-2796-0x00007FFC79C30000-0x00007FFC79C40000-memory.dmp

Filesize
64KB

Download
memory/5108-2797-0x00007FFC79C30000-0x00007FFC79C40000-memory.dmp

Filesize
64KB

Download