Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
144s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
30/07/2024, 17:28
Behavioral task
behavioral1
Sample
3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
21 signatures
150 seconds
Behavioral task
behavioral2
Sample
3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe
Resource
win11-20240709-en
windows11-21h2-x64
20 signatures
150 seconds
General
-
Target
3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe
-
Size
147KB
-
MD5
11c051782c327c662507801124f0b95b
-
SHA1
5dd92a1ab1cfc5b73b5dcdb3edd6ea6d498339df
-
SHA256
3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac
-
SHA512
239f6eba567c59cf956e4f6c8ffe6588bb2b16ede03e939f79db69ae23631881285475f634780a40f94038035fb1329743c9b57c92a9690ec927f6d372d9ca2e
-
SSDEEP
1536:GzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDuc1UR7zBEDZhT+IhMjo9Uyz:9qJogYkcSNm9V7DJ1URfqVXmjo9T
Score
10/10
Malware Config
Extracted
Path
C:\d093fD6aI.README.txt
Ransom Note
~~~ LockBit 5.01 the world's fastest ransomware since 2019~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
BTC amount 0.01 = up to 12hr
BTC amount 0.02 = up to 24hr
BTC amount 0.1 = up 48 hr
BTC amount 0 , deleted all files from you PC, and post all infirmation to public.
where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d :not valid after 07/23/2024 10PM EST.
Time just 12 hr, after everythink will be removed
You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy.
You have 12 hours for the transfer,
24 hours for the amount of 0.02,
and of course, you can always wait 48 hours and pay 0.1.
After that, send a request with confirmation to TOX , faster way!
You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html.
Using Tox messenger, we will never know your real name, it means your privacy is guaranteed.
If you want to contact us, tox.
Tox ID LockBitSupp: B90F5C1EC3C13400F6D0B22B772C5FAB086F8C41A0C87B92A8B3C7F2ECBBCE191A455140273E
URLs
https://coinatmradar.com
https://www.moonpay.com/buy
https://tox.chat/download.html
Signatures
-
Renames multiple (601) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 3272 E938.tmp -
Executes dropped EXE 1 IoCs
pid Process 3272 E938.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-95457810-830748662-4054918673-1000\desktop.ini 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-95457810-830748662-4054918673-1000\desktop.ini 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPd73770j8x7m5g0pzfnukgjqid.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP99pva694b_mx8to06s0ha_2g.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPph30q4d39eq6r0lfbo5xqio4d.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\d093fD6aI.bmp" 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Set value (str) \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\d093fD6aI.bmp" 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3272 E938.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E938.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Control Panel\Desktop 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Set value (str) \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Control Panel\Desktop\WallpaperStyle = "10" 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\d093fD6aI\DefaultIcon\ = "C:\\ProgramData\\d093fD6aI.ico" 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.d093fD6aI 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.d093fD6aI\ = "d093fD6aI" 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\d093fD6aI\DefaultIcon 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\d093fD6aI 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp 3272 E938.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeDebugPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: 36 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeImpersonatePrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeIncBasePriorityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeIncreaseQuotaPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: 33 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeManageVolumePrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeProfSingleProcessPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeRestorePrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSystemProfilePrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeTakeOwnershipPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeShutdownPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeDebugPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeBackupPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe Token: SeSecurityPrivilege 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE 1192 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2376 wrote to memory of 3576 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 84 PID 2376 wrote to memory of 3576 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 84 PID 556 wrote to memory of 1192 556 printfilterpipelinesvc.exe 87 PID 556 wrote to memory of 1192 556 printfilterpipelinesvc.exe 87 PID 2376 wrote to memory of 3272 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 88 PID 2376 wrote to memory of 3272 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 88 PID 2376 wrote to memory of 3272 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 88 PID 2376 wrote to memory of 3272 2376 3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe 88 PID 3272 wrote to memory of 2096 3272 E938.tmp 89 PID 3272 wrote to memory of 2096 3272 E938.tmp 89 PID 3272 wrote to memory of 2096 3272 E938.tmp 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe"C:\Users\Admin\AppData\Local\Temp\3c13ae9a53b29849fd3bb75d3259a23658cd687441f8bdd610487007c51d2eac.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:3576
-
-
C:\ProgramData\E938.tmp"C:\ProgramData\E938.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E938.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:2096
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2580
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D3EE2619-E242-411F-844A-7D1AF022E348}.xps" 1336683413127000002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1192
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5794a5ff405bee85766b5a38e5cd377a3
SHA17e1d90083d8bc982e4e37c93abada86bdee4c581
SHA256b2dd5a32743d49600e8526da5bebae914852d1d15f683fa14885a6e0ef877f20
SHA512bdd664b94fd1888182d3647ae6f8dba143ea27ba4028448484e369f8770ea1c7990f740dccf4177daa6fb4146e03ced04eadb3714a652f843e355f0db2afb2f3
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Filesize147KB
MD57345296a4a73e6d73cd48f5fda209520
SHA114d789fd9a28c8ac728b77c60c3fb04bd92c50eb
SHA256f65622e2bf5914166d4f7f6779b895ea77c4409dfaf11ac13c32537cb5336a9b
SHA5128cc315f4179e908778b9348d1be70456ae8c471e551a6c9ed78683ebbc58dfd5bf5693fc9065d42f2e5d5977c63c16ed6fa39fd17cadda8ba0a94b74d3b70051
-
Filesize
4KB
MD56cf2057845cc74e236d650cc49718b14
SHA116500e46e3d15e83895f4ee471c2835e1f17e9f3
SHA2563e281a497aa352f67526695fb4b1d7216a643d4a535358340c6484ba2f4006e4
SHA51283a8018110f6e5906f7d49251105f898cbbe169cce640203389c283bb64a3aa32f5007c5e46f43ae14bd4d34a45300290505eadfaf8977f711cde2e54b3be4dd
-
Filesize
4KB
MD5e706efc0dd2853b3b021848326e08be6
SHA1b1e7033985fc88d072c05b06d37e50a1926c0ac1
SHA2560d359c0f103ae72a30f1365e760b4e73e3c467bb945143f9dbd6838c1868b5bf
SHA51246abc1ee4652b1ad91601726782882e290a3e8aa04d829a8ecffce6987d9938065e549b3c5a080a35f20cdf908efc7ca7c86d1aac284663d561998e22bf1eb2c
-
Filesize
1KB
MD5c98594c43506b3f4802ebd608ba6be0f
SHA1d8e090434533229fbdcc104b6a43903bfdf8c081
SHA256804575f74fe5b2f28c181f3413b23a0355693ffd9a2c1e69546bb598ce67ebae
SHA5125e3767a0606dae51c49a41ddfde2dd90a17eb53c79212d46c556141bcc6c54bd1c06348a7077251ff75228a5e3604880cabb1309a68490736203e3c49f5c6cba
-
Filesize
129B
MD5575fa3a50cec9704f92cc510e6203894
SHA1df69df59ab13a918e664fc3c41071048bd2a036b
SHA256067a0f1d3f39ad9cb4c99204164c8a41dff7d6b2f9808b2f6f80ccc12596057e
SHA512fe64f175f2ec6863ecb2236e22e151c470266f214801c556ed8c8c21a9c8c0263e13c51819094ae1d86b073a65aa7783098ae852a30283bf4d98907b03ea8eac