Analysis
-
max time kernel
147s -
max time network
137s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
10/08/2024, 14:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe
Resource
win11-20240802-en
windows11-21h2-x64
18 signatures
150 seconds
General
-
Target
05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe
-
Size
439KB
-
MD5
95d8ef6aaeae33dae91636b2bde473b8
-
SHA1
6e79574a1fd0af774f985b3fcf646039d30cc7e8
-
SHA256
05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767
-
SHA512
2982681c763db9dc3af710db4d8ba260d8c5591a37a9df13529a4e7a0a08cfd7fd6dbde5c6922b69baeeaf3222212a6697cf961304ec386e1dd5f5b022e13061
-
SSDEEP
6144:XsaeVjbUSAODc/mDHJKzBJvPKcQQfHAijx7TSig0yw6J:XsamHDDpuBhKX2jlGiyw6
Score
10/10
Malware Config
Extracted
Path
C:\HdbtqCuyh.README.txt
Ransom Note
[Your Files Have Been Encrypted]
Hello,
Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below:
Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss.
Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss.
Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY.
Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files.
Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost.
Do not attempt to contact us via any other means. We will not respond.
Your encrypted files are your responsibility.
Telegram Username: @BIBIL_0DAY
Signatures
-
Renames multiple (584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1456 CCC7.tmp -
Executes dropped EXE 1 IoCs
pid Process 1456 CCC7.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPflbuxun1qygvzjk39hu_znx5.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPxcwg0b4dcpqc5qj6d5_m175l.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPhl_sfi4s8dktu6los8_ihhpnd.TMP printfilterpipelinesvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1456 CCC7.tmp -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3624 set thread context of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CCC7.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp 1456 CCC7.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeDebugPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: 36 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeImpersonatePrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeIncBasePriorityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeIncreaseQuotaPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: 33 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeManageVolumePrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeProfSingleProcessPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeRestorePrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSystemProfilePrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeTakeOwnershipPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeShutdownPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeDebugPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeBackupPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe Token: SeSecurityPrivilege 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE 3848 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 3624 wrote to memory of 1960 3624 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 78 PID 1960 wrote to memory of 3508 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 81 PID 1960 wrote to memory of 3508 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 81 PID 1960 wrote to memory of 1456 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 84 PID 1960 wrote to memory of 1456 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 84 PID 1960 wrote to memory of 1456 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 84 PID 1960 wrote to memory of 1456 1960 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe 84 PID 4688 wrote to memory of 3848 4688 printfilterpipelinesvc.exe 85 PID 4688 wrote to memory of 3848 4688 printfilterpipelinesvc.exe 85 PID 1456 wrote to memory of 4412 1456 CCC7.tmp 87 PID 1456 wrote to memory of 4412 1456 CCC7.tmp 87 PID 1456 wrote to memory of 4412 1456 CCC7.tmp 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe"C:\Users\Admin\AppData\Local\Temp\05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe"C:\Users\Admin\AppData\Local\Temp\05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767.exe"2⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Drops file in System32 directory
PID:3508
-
-
C:\ProgramData\CCC7.tmp"C:\ProgramData\CCC7.tmp"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CCC7.tmp >> NUL4⤵
- System Location Discovery: System Language Discovery
PID:4412
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1664
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EA76D4E3-3EB5-43F2-A729-566397247FEB}.xps" 1336777528959300002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3848
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD571b0f53a64f1d258983f8959a93da47f
SHA1df26b37be451a9da8246fbf900d4cc2bfd9a2c05
SHA256ea0814a1636ec7067c05d8ff2dd379b5538861b166a063e807cb35dc1c0d9c67
SHA512432e573a507a00a9da8cb793b7bcc9a1ab4ea8ba6b518d8d78bd654dee608eb7116abbe363b6c967ddc88e7734a2ea9d7445996e27c871016491f576fd6b3de1
-
Filesize
980B
MD5751940dccf55d21d7dcb7b8e614154d9
SHA15ef19237b4aaede4e95992356b2ec1481c1d8253
SHA256875eafed5ef1785ec9cbd071d039aea59a1cfee0b62a0105d9b57118860ceac5
SHA512afcfb8806c17fcdf1e1160a92719a79617ce4c4f6339c412bfaa3cfade6d290e2ecc936bec9f30b631ecef304744caa2e2a1a3f89e4e4e0f705fe6882e3236ce
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
4KB
MD580387eda8ba3cb9b39b424917f9c1f95
SHA1863c35c3b39de38ef0bd0a8d2c0714cb43cdd1fa
SHA25670df421b632475e3adf16a3dd4f7db303bd4ef27611937209322386b81b6b9a4
SHA5129a6c5c3f411e718bd67a5209f673a68f7a323cabf46d1c3a8676f18acb9fe851648eea063880a9dc37ffb3b9c570898ad8260e8f70ef67190bb46f3a7f78bd6e
-
Filesize
129B
MD5a724d7f454ca1fd9a923b250d9024ce7
SHA164c6907eb1f3761dc89283dae1664b33665bb4d6
SHA256d21cc61e870d1a9316f04819e0f545203c4bf17087abee9c6855d992df710072
SHA5124760a1fd617ab9ba895bfda300709826d8291de2e1dcc4859862051b76bf7aac37f2aaa0b7b2d93c8d51d0ad10eed5fef8d4b3009cad686dbe7775462b34ea0b