infinitylock | d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d

Analysis

max time kernel
118s
max time network
148s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
Size

211KB
MD5

55b90acb757d550412fab9af5c91ebb2
SHA1

dddfbc92fa340e39c31f80bacc4c2bf9822e6d1e
SHA256

d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d
SHA512

390ce54be7afa798b7f46793ae6b824765ba335536c7e0c76ebeff0df67a82fa1e6e2cd411cb300975449792b99093a07e5da522acc7c670af3db07a68d89d19
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock discovery ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14997_.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mspub.exe.manifest.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01143_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ar.dll.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Major Indicies.iqy.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107748.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02435_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIPC.XML.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL.IDX_DLL.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.INF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.ITS.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ContactPicker.dll.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME25.CSS.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICSTYLES.DPV.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ms.dll.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\background.gif.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EntityPickerIntl.dll.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297185.WMF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe

C:\Users\Admin\AppData\Local\Temp\d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe
"C:\Users\Admin\AppData\Local\Temp\d95346fbf8efff1632c5605245fea66478eb6296fcf3e9529eb67491f28efd5d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
352B

MD5
927f5f64551991d881590843b0613842

SHA1
820b791c8830e306217be1956f535859abc5e9fc

SHA256
26c686bebf25708a4dd09a0a82262961a7a8f7e46b70d2aded877b2f434990b1

SHA512
ee096b5f7d5ab39c7bac6e0a9134fd4ed33eed7ee45c50cb90a613d62d4b6b3f43fcb3148e98760d088d8c2d52789fa507ba5999897ddb8e84394a613074fb29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
224B

MD5
5d33916142e4ab423c287c93e2e22ac4

SHA1
efc6324fba173d2c6033480a1dec7814dd282a4c

SHA256
1966db05e2010254b1704c6be14adcb27ec307518bf6e1921cd791771a99562c

SHA512
81405b458a2b022e0b9551651a93a1f1922369a02d4d738edaf45af118ed9b0e1c6893103308ffca6f067545cd71978c73be07fea99dd23da3de8ede7a6a2df1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
128B

MD5
662fe0127ac3acae19cffa4f94fec8da

SHA1
1039dbabe5075708c21827ce4641ce39c1234c3f

SHA256
8bb30efb8fcd7339c55311a891a7847fb4c111cb36a4a45bde76b5e49f2c3fd8

SHA512
e2cdce17d8247174fc195997364b3dc8ac0786c40d0c117eacb901df0b4e633f414223c053171b6ce96042b0bfa9b21daffdc63be9ac4ca35921f3c8447b92d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
128B

MD5
d8a5868ddfc4fb68302eb1007e643386

SHA1
eb9b79f8d3401247ad2e4f04a63deb53e08af67f

SHA256
554cc167729706fa3b48679e09c09cf339e8cb000489853f5ac6490318632527

SHA512
742220e84c0a0f543da52d8d9e50f93bfdf480260043bf8391cd451f7fdcb09e3a8da9fed1d1018d1488a3718dc50db32abbfc267dceaeb94f9e159fb14d478e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
192B

MD5
2c7b14afd37f5528e4c21245cccfafd5

SHA1
28a925e506d2b233f30633f76d15e87303a2179f

SHA256
03cdf26be49ded9f0c84b189c864a1b6f1aa9eecc974f1b9be3ce828d3d4c516

SHA512
9cb6c71b02f6bc9ed13fb60bef0bd016fac1c3369a9d79880c622d5401bec472853e6522ce1703f488ef07a4422dd2f886ffa8bba33bd1dd5f028fc1588032a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
512B

MD5
0244fec77adb048f2d1f326b98126bbd

SHA1
700a3e1d5466e029bc6378882bc2425f68911aac

SHA256
fd4e1e48dbab39249d92bf4f4b62a4e6fde1229f389bad2be5e6c0584c5ad8f4

SHA512
51a53b92451a36a1903ac30a181d5302457b7540cdc2c9e89c99de052edfe411626c72aa0458b9003e3bf1abe7946a95ed13bd3955e2972e10dcf97c0d3384fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
1KB

MD5
ad877bbde0bd7ff75b71dfbd8c74b0d6

SHA1
c6acb33a2aaf05e973c883b1d76391c0328456ad

SHA256
857a979c6cd68609adda5c9a60688156dd5e874c215f88512c6caaaaa1d433ab

SHA512
d31560f2a74649e23925419c0b9fd05dd16cd1c49d5bcd626ccb9755b483fef71c4c1cc7d0ff548d86ac092addb6c75b9bb6d01e9ba44f6363aa54e45f109ebb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.5C8A7C57B2F48D04CE32238B229BC2C3D5C0F220CBE808577B105C8ED6A89EBA

Filesize
816B

MD5
aeaff65ad0e56245400690372beac595

SHA1
8d82febb55f9734a1db8461682032baf72abe4c8

SHA256
8e202167d223cc7006a2deb670566fd3d75e542a72828d80a767f4cbef939fd1

SHA512
74fc17de9aec21040450d1a4a674f2f6b972ff73e855836162c67d1f96e9637f0a335d00486d0accb6a00654773ce66072879e91b07ef1caec6d8f6881299511

Download Submit
memory/2752-3076-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2752-2999-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/2752-2-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2752-1-0x0000000000F70000-0x0000000000FAC000-memory.dmp

Filesize
240KB

Download
memory/2752-0-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/2752-5352-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2752-5353-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download