10 1/0178b79b...bd.exe
windows11-21h2-x64
10 1/0280cde4...60.exe
windows11-21h2-x64
10 1/08b76206...65.exe
windows11-21h2-x64
10 1/0e4fc438...91.exe
windows11-21h2-x64
10 1/0fb86a8b...05.exe
windows11-21h2-x64
10 1/25898c73...8f.exe
windows11-21h2-x64
10 1/2c2e9491...3c.exe
windows11-21h2-x64
10 1/2ef0f582...2e.exe
windows11-21h2-x64
10 1/39884fc0...82.exe
windows11-21h2-x64
10 1/3a72ecec...8a.exe
windows11-21h2-x64
10 1/3bfcb4f7...71.exe
windows11-21h2-x64
10 1/4103411f...f5.exe
windows11-21h2-x64
10 1/4e0fdb84...95.exe
windows11-21h2-x64
3 1/5297372f...33.exe
windows11-21h2-x64
5 1/68292f38...e4.exe
windows11-21h2-x64
10 1/6da4696b...e5.exe
windows11-21h2-x64
7 1/7021c9cb...78.exe
windows11-21h2-x64
10 1/752f5cc5...60.exe
windows11-21h2-x64
10 1/7c7cded8...0c.exe
windows11-21h2-x64
10 1/97d29ffc...84.exe
windows11-21h2-x64
7 1/a306cc84...03.exe
windows11-21h2-x64
3 1/ae1a168f...74.exe
windows11-21h2-x64
7 1/b13f2364...d6.exe
windows11-21h2-x64
8 1/b2a1d168...9d.bat
windows11-21h2-x64
8 1/bb29aeb6...bd.exe
windows11-21h2-x64
8 1/c8e5a24a...f5.bat
windows11-21h2-x64
8 1/c9736cdc...97.exe
windows11-21h2-x64
8 1/d58780d1...a0.exe
windows11-21h2-x64
10 1/de19e016...d0.exe
windows11-21h2-x64
3 1/e886016e...51.exe
windows11-21h2-x64
10 1/f0f496ec...f4.bat
windows11-21h2-x64
8 1/f28599b0...23.exe
windows11-21h2-x64
Resubmissions
11-12-2024 15:32
241211-sy44nssrdm 10
09-08-2024 21:57
240809-1t1vfs1cpm 10
06-08-2024 13:01
240806-p9f97szdlm 10
06-08-2024 12:52
240806-p3672stdkg 10
06-08-2024 12:29
240806-ppa8fsygqr 10
06-08-2024 12:26
240806-pmc92ashlh 10
Analysis
-
max time kernel
47s -
max time network
41s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system -
submitted
06-08-2024 12:52
Behavioral task
behavioral1
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win11-20240802-en
Behavioral task
behavioral2
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win11-20240802-en
Behavioral task
behavioral3
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win11-20240802-en
Behavioral task
behavioral4
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win11-20240802-en
Behavioral task
behavioral5
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win11-20240802-en
Behavioral task
behavioral6
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win11-20240802-en
Behavioral task
behavioral7
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win11-20240802-en
Behavioral task
behavioral8
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win11-20240802-en
Behavioral task
behavioral9
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win11-20240802-en
Behavioral task
behavioral10
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win11-20240802-en
Behavioral task
behavioral11
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win11-20240802-en
Behavioral task
behavioral12
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win11-20240802-en
Behavioral task
behavioral13
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win11-20240802-en
Behavioral task
behavioral14
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win11-20240802-en
Behavioral task
behavioral15
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win11-20240802-en
Behavioral task
behavioral16
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win11-20240802-en
Behavioral task
behavioral17
Sample
1/7021c9cba6c224272f01d04450c6c31c93857a21feacfa4295a878a4d7b04378.exe
Resource
win11-20240802-en
Behavioral task
behavioral18
Sample
1/752f5cc5a7b0f986286d09e8288c0958bc1b798477ca0d09dc2658c7ab109060.exe
Resource
win11-20240802-en
Behavioral task
behavioral19
Sample
1/7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c.exe
Resource
win11-20240802-en
Behavioral task
behavioral20
Sample
1/97d29ffc3556069c807b5c0ae2e2b109ae329feafc912d64f8b7f437bea47d84.exe
Resource
win11-20240802-en
Behavioral task
behavioral21
Sample
1/a306cc84c907d6d57af300d1181128b24ca03e90c38ca7df7e84d35e80a63e03.exe
Resource
win11-20240802-en
Behavioral task
behavioral22
Sample
1/ae1a168ff481173d18034d14a767c0801458e95cc3016dc8d82212d0c083a474.exe
Resource
win11-20240802-en
Behavioral task
behavioral23
Sample
1/b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6.exe
Resource
win11-20240802-en
Behavioral task
behavioral24
Sample
1/b2a1d168dc4234e687d0969b6a1901ac7e69c0d4bb72a1a4c76ba67fa6a14f9d.bat
Resource
win11-20240802-en
Behavioral task
behavioral25
Sample
1/bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd.exe
Resource
win11-20240802-en
Behavioral task
behavioral26
Sample
1/c8e5a24a6d2fa68d7976457a19576b381e6211202500af5280b0f3b256446bf5.bat
Resource
win11-20240802-en
Behavioral task
behavioral27
Sample
1/c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97.exe
Resource
win11-20240802-en
Behavioral task
behavioral28
Sample
1/d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe
Resource
win11-20240802-en
Behavioral task
behavioral29
Sample
1/de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0.exe
Resource
win11-20240802-en
Behavioral task
behavioral30
Sample
1/e886016e48bf0e3cd100d627678f345743509fd5f57f3c9b182f2833352bd451.exe
Resource
win11-20240802-en
Behavioral task
behavioral31
Sample
1/f0f496eccc61594c53ded581b6683a77072f607ab018ec0a770a0aa7c7f45ff4.bat
Resource
win11-20240802-en
Behavioral task
behavioral32
Sample
1/f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe
Resource
win11-20240802-en
General
-
Target
1/f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe
-
Size
146KB
-
MD5
314275168bf7958219662a242dbfe8a7
-
SHA1
d629032d9d8f491d133ee26a230c393335d7ad74
-
SHA256
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23
-
SHA512
b5246db461ee78d622a33a758b3d178208b88e0b9e98185f17ee95f2fbbcf66b1059afece1dd5b586d01587bc01662491a6baab208b9836d4b4b9efc55f14c2f
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUSx:V6gDBGpvEByocWeauV2gvzwUA
Malware Config
Extracted
C:\7V7uPExzv.README.txt
http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
http://group.goocasino.org
https://nullbulge.com
Signatures
-
Renames multiple (569) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 896 C94C.tmp -
Executes dropped EXE 1 IoCs
pid Process 896 C94C.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-661032028-162657920-1226909816-1000\desktop.ini f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-661032028-162657920-1226909816-1000\desktop.ini f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\PPqau31p09aio_9u1sqepc_r9ud.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP039s093rrh91iye01yo_j0icc.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPwjqdwi0sdoy5bl8f1a1j7gb2b.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7V7uPExzv.bmp" f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7V7uPExzv.bmp" f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 896 C94C.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C94C.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\WallpaperStyle = "10" f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv\ = "7V7uPExzv" f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon\ = "C:\\ProgramData\\7V7uPExzv.ico" f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp 896 C94C.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeDebugPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: 36 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeImpersonatePrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeIncBasePriorityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeIncreaseQuotaPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: 33 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeManageVolumePrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeProfSingleProcessPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeRestorePrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSystemProfilePrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeTakeOwnershipPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeShutdownPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeDebugPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeBackupPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe Token: SeSecurityPrivilege 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE 4808 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3856 wrote to memory of 4896 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 86 PID 3856 wrote to memory of 4896 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 86 PID 3348 wrote to memory of 4808 3348 printfilterpipelinesvc.exe 92 PID 3348 wrote to memory of 4808 3348 printfilterpipelinesvc.exe 92 PID 3856 wrote to memory of 896 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 93 PID 3856 wrote to memory of 896 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 93 PID 3856 wrote to memory of 896 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 93 PID 3856 wrote to memory of 896 3856 f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe 93 PID 896 wrote to memory of 4100 896 C94C.tmp 94 PID 896 wrote to memory of 4100 896 C94C.tmp 94 PID 896 wrote to memory of 4100 896 C94C.tmp 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe
"C:\Users\Admin\AppData\Local\Temp\1\f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23.exe" 1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288 2⤵
- Drops file in System32 directory
PID:4896
-
-
C:\ProgramData\C94C.tmp
"C:\ProgramData\C94C.tmp" 2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C94C.tmp >> NUL 3⤵
- System Location Discovery: System Language Discovery
PID:4100
-
-
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc 1⤵
PID:4728
-
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding 1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{80C1041D-7BFD-4DB9-B3BB-61996D7DF24C}.xps" 133674223743130000 2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4808
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
129B
MD5 b39854a4b72eac00fd98d0f8211f2ad8
SHA1 574a44aa92a4c86ddd87938b837686f28556ad64
SHA256 89872fc746674b58c66261132b692238f779d4cfe2cd7f33f2d2dfa540524f7c
SHA512 a00f53c1e37be679278f1a4ea16d138e61f958596a365f7df6ffc44adcf1cf54dc896a07223b66c8526659d77fae30068cc01f2109ed1364bfb6b54c4232108f
-
Filesize
1KB
MD5 87355a342ee82d86bd1909e52667c6b7
SHA1 e55d4e79a09416e7b90d19b224e238fc901d5728
SHA256 864b6859d9eb8ced3746b5074cf394626af91276a96d3d82fed33a7f43f0d85b
SHA512 af526eb01c7dc651c2509a8293872c0603c2ecc0ee21628d3b26d5c8b0758652f378d50c58f55efdc030a78b62f35d95858302a0a4cd03f00eb53fc51fb9be24
-
Filesize
14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\1\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize 146KB
MD5 fcb7fd440097e97b420addfefeb2cde3
SHA1 8b5293df18cbc24be6b1dff8d1907c98c5a6a3ac
SHA256 2a3cffe5c2af57aab83ead3d248385fd9cf351a7baf24da5a5fbfab4c3ac62ae
SHA512 fb4b83629206047e4280abdeb795d510153dace2f8b5a9f2cac89be4fa335061f07134ec6bd922539165768095d0b8f4420168caca9d7d1d5d419f57c7c5c50e
-
Filesize
4KB
MD5 f5b2b7437591066f49e69f56a6743805
SHA1 afac42728a30bb8f037ee2b561f5e5bd20e93cd0
SHA256 43777fe595243b06fcf6b762c3249066acf0053b918b98b054d098ab94d2d6ff
SHA512 e577b4c0d12b2c07dc04b97e9de64c2c5267743a643c4d345b11f1b80b14a71eb6b9144bfdc65cb836a573d65ff5448d3d33789fdd5670d78c2946b1bfde0600
-
Filesize
129B
MD5 0d062348e10bf563cf6a660f612791db
SHA1 1ec58a92113feaeedabe9399034671d74d3225be
SHA256 036651b43dfc7e5a14e7fbc300cd0cab331108b135d8ece449c29e4ce3027cd1
SHA512 33c35200902e49c1a0dc06abd9c8efcfa97bb297a1a78191bd2b0e0f52a476403ced4dbabe647e1c7c6899391f307ad36c6873d1db6e8d5d2352501423cf3c47