Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-09-2024 02:09
Behavioral tasks
- behavioral1: sample artifact.exe, resource win7-20240903-en
- behavioral2: sample artifact.exe, resource win10v2004-20240802-en
The analysis on this page (platform windows10-2004_x64, resource win10v2004-20240802-en) is the behavioral2 run.
General
- Target: artifact.exe
- Size: 146KB
- MD5: b49f2ded048a1c07e09e731d84c7bbb8
- SHA1: 826176b2a3f8258b944dacf1f17a4495b73d104a
- SHA256: 4178821f84d63a57ba7858c0b1e6adfa9d206943c06ac70b1a497d9269388db3
- SHA512: fbcde9c4334756d305715e1ec5f6216515ffd25ab0b861945807d0605b1d84339933ddd24ddb45f77f5390e9915e7b237cbcef45ad2f883a98b25747d0cca774
- SSDEEP: 3072:n6glyuxE4GsUPnliByocWep2ntZdy0OS55Ei:n6gDBGpvEByocWeordyXS55Ei
Malware Config
Signatures
- Renames multiple (636) files with added filename extension
  This suggests ransomware activity: files across the system are encrypted and a new extension is appended to each.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (E909.tmp)
- Deletes itself (1 IoC)
  - PID 860 E909.tmp
- Executes dropped EXE (1 IoC)
  - PID 860 E909.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature; next to a 636-file rename it may simply reflect the encryption walk passing through browser profile directories rather than credential theft.
- Drops desktop.ini file(s) (2 IoCs)
  - File opened for modification: C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini (artifact.exe)
  - File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini (artifact.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
  All four are print-spooler files written by Windows components (splwow64.exe, printfilterpipelinesvc.exe), not by the sample's own processes.
  - File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  - File created: C:\Windows\system32\spool\PRINTERS\PP35tejruduz3unsqerxyi3nb1b.TMP (printfilterpipelinesvc.exe)
  - File created: C:\Windows\system32\spool\PRINTERS\PPc08dshcia0wlv03dl0w84ytbd.TMP (printfilterpipelinesvc.exe)
  - File created: C:\Windows\system32\spool\PRINTERS\PP3n7x626aau0svi_t7w8saobae.TMP (printfilterpipelinesvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5OaQNrui8.bmp" (artifact.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5OaQNrui8.bmp" (artifact.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  - PID 2360 artifact.exe (4 entries)
  - PID 860 E909.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. cmd.exe opening this key is routine process start-up behaviour, so this signature fires broadly.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (artifact.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (E909.tmp)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here every IoC belongs to ONENOTE.EXE, not to artifact.exe or E909.tmp.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Again all three IoCs belong to ONENOTE.EXE.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
- Modifies Control Panel (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop (artifact.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallpaperStyle = "10" (artifact.exe); style 10 is "Fill"
- Modifies registry class (5 IoCs)
  Registers a new file extension whose ProgID carries the same name and whose icon lives in ProgramData. The same token, 5OaQNrui8, names the extension, the icon and the wallpaper bitmap.
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.5OaQNrui8\ = "5OaQNrui8" (artifact.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\5OaQNrui8\DefaultIcon (artifact.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\5OaQNrui8 (artifact.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\5OaQNrui8\DefaultIcon\ = "C:\\ProgramData\\5OaQNrui8.ico" (artifact.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.5OaQNrui8 (artifact.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 2360 artifact.exe (all 64 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  - PID 860 E909.tmp (all 26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs), all by PID 2360 artifact.exe
  The first 16 adjustments, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege. ("36" and "33" are privilege LUIDs the sandbox did not resolve to a name.)
  The remaining 48 entries alternate in pairs between SeBackupPrivilege and SeSecurityPrivilege, the pattern produced by repeatedly opening files with backup semantics, which fits an encryption walk that needs to get past per-file ACLs.
- Suspicious use of SetWindowsHookEx (13 IoCs)
  - PID 4160 ONENOTE.EXE (all 13 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Every target is the writer's own child in the process tree, so these are the parent-to-child writes of process creation rather than injection into an unrelated process.
  - PID 2360 artifact.exe wrote to memory of PID 376 (procid_target 87), 2 entries
  - PID 4496 printfilterpipelinesvc.exe wrote to memory of PID 4160 (procid_target 93), 2 entries
  - PID 2360 artifact.exe wrote to memory of PID 860 (procid_target 94), 4 entries
  - PID 860 E909.tmp wrote to memory of PID 2764 (procid_target 95), 3 entries
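The three registry signatures above ("Modifies registry class", "Sets desktop wallpaper using registry", "Modifies Control Panel") only become a strong indicator when read together: one process registers a new extension whose ProgID is named the same as the extension, points its DefaultIcon at a file in ProgramData, and sets the wallpaper to a bitmap with the same name in the same directory. The following is an added example, not part of the sandbox report or of any tool it names, that correlates registry-write rows into that triad. The events are constructed to mirror the rows shown above (plus a benign installer for contrast); the WRITABLE_DIRS list and the indicator names are assumptions of this example.

```python
r"""Correlate registry writes into the extension / icon / wallpaper triad.
Events are constructed to mirror the report's rows; they are not sandbox output.
Keys are written as the sandbox prints them: key path plus value name, with the
default value shown as a trailing backslash, which is stripped before matching."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories any user can write to (assumption of this example): a shell icon
# or wallpaper that lives here was dropped at run time rather than installed.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

EXT_KEY = re.compile(r"\\classes\\\.([^\\]+)$", re.I)              # ...\Classes\.ext
ICON_KEY = re.compile(r"\\classes\\([^\\]+)\\defaulticon$", re.I)  # ...\Classes\progid\DefaultIcon
WALLPAPER_KEY = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)


def in_writable_dir(path):
    return any(d in path.lower() for d in WRITABLE_DIRS)


def token_of(path):
    # file name without extension, e.g. 5OaQNrui8 for C:\ProgramData\5OaQNrui8.ico
    return PureWindowsPath(path).stem


def correlate(events):
    """Return {process: [(token, [indicators])]} for every process whose writes
    tie two or more of the three indicators to the same token."""
    seen = defaultdict(lambda: defaultdict(set))   # process -> token -> indicators
    for ev in events:
        key = ev["key"].rstrip("\\")
        data, proc = ev.get("data"), ev["process"]
        if data is None:                            # "Key created" rows carry no data
            continue
        m = EXT_KEY.search(key)
        if m and data.lower() == m.group(1).lower():
            # a ProgID named exactly like its extension is how .5OaQNrui8 is registered above
            seen[proc][m.group(1)].add("ext_progid_self_named")
        elif ICON_KEY.search(key) and in_writable_dir(data):
            seen[proc][token_of(data)].add("icon_in_writable_dir")
        elif WALLPAPER_KEY.search(key) and in_writable_dir(data):
            seen[proc][token_of(data)].add("wallpaper_in_writable_dir")
    findings = {}
    for proc, tokens in seen.items():
        for token, inds in tokens.items():
            if len(inds) >= 2:
                findings.setdefault(proc, []).append((token, sorted(inds)))
    return findings


# Constructed events in the report's own notation (op, key, data, process).
EVENTS = [
    {"op": "Set value (str)", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.5OaQNrui8\\",
     "data": "5OaQNrui8", "process": "artifact.exe"},
    {"op": "Key created", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\5OaQNrui8\\DefaultIcon",
     "data": None, "process": "artifact.exe"},
    {"op": "Set value (str)", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\5OaQNrui8\\DefaultIcon\\",
     "data": "C:\\ProgramData\\5OaQNrui8.ico", "process": "artifact.exe"},
    {"op": "Set value (str)",
     "key": "\\REGISTRY\\USER\\S-1-5-21-1302416131-1437503476-2806442725-1000\\Control Panel\\Desktop\\WallPaper",
     "data": "C:\\ProgramData\\5OaQNrui8.bmp", "process": "artifact.exe"},
    # constructed benign contrast: an installer registering a real document type
    {"op": "Set value (str)", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.myapp\\",
     "data": "MyApp.Document", "process": "setup.exe"},
    {"op": "Set value (str)", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\MyApp.Document\\DefaultIcon\\",
     "data": "C:\\Program Files\\MyApp\\doc.ico", "process": "setup.exe"},
]

if __name__ == "__main__":
    for proc, hits in correlate(EVENTS).items():
        for token, inds in hits:
            print(f"{proc}: token {token!r} ties together {', '.join(inds)}")
```

The correlation key is the file stem shared by the extension, the .ico and the .bmp, not the extension alone; a legitimate installer registers a real ProgID and ships its icon under Program Files, so it never reaches two indicators on one token. Requiring two of three keeps the rule useful when only the wallpaper or only the class registration is captured.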
Processes
- C:\Users\Admin\AppData\Local\Temp\artifact.exe (PID 2360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\artifact.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 376)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  - C:\ProgramData\E909.tmp (PID 860)
    Command line: "C:\ProgramData\E909.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2764)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E909.tmp >> NUL
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 4352)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 4496)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 4160)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{BA666881-865D-453C-861E-18BF8AAA756B}.xps" 133710126074780000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx

Reading the tree: artifact.exe (PID 2360) drops and runs C:\ProgramData\E909.tmp (PID 860), which performs the Geo\Nation lookup, renames itself 26 times and finally removes itself through cmd.exe /C DEL /F /Q C:\PROGRA~3\E909.tmp (C:\PROGRA~3 is typically the 8.3 short name of C:\ProgramData; confirm on the host with dir /x C:\). The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names System32, which is WOW64 file-system redirection and shows that E909.tmp is a 32-bit process. splwow64.exe is the 64-bit print-driver host Windows starts when a 32-bit process prints, so the spool files under system32\spool\PRINTERS and the printfilterpipelinesvc.exe branch that launches ONENOTE.EXE /insertdoc on an .xps are consistent with a print job submitted by the sample being rendered by the image's OneNote printer; ONENOTE.EXE's registry reads and SetWindowsHookEx calls belong to that branch, not to the sample's own code.
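The self-deletion step in the tree above is easy to miss in process-creation telemetry because the DEL target is written with an 8.3 short name (C:\PROGRA~3\E909.tmp) while the parent's image path is the long form (C:\ProgramData\E909.tmp), so a plain string comparison fails. The following is an added example, not part of the report or of any tool it names: it parses cmd.exe command lines for DEL targets, expands known 8.3 prefixes, and flags the child whose target equals its parent's image. The SHORT_NAMES mapping is an assumption (8.3 names are assigned per volume in creation order), and the benign and delayed-delete events are constructed for contrast.

```python
r"""Flag a cmd.exe child that deletes its parent's own image, as E909.tmp does
above. Events are constructed in the tree's parent/child/command-line terms;
they are not sandbox output."""
import re

# 8.3 aliases as usually assigned on a default Windows 10 install (assumption:
# the mapping is per-volume and follows directory creation order, so confirm it
# on the host with `dir /x C:\` before relying on it).
SHORT_NAMES = {
    "c:\\progra~1\\": "c:\\program files\\",
    "c:\\progra~2\\": "c:\\program files (x86)\\",
    "c:\\progra~3\\": "c:\\programdata\\",
}

# `del [/switches] target`, target optionally quoted; case-insensitive like cmd.exe.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z]+)*\s+(?:"([^"]+)"|(\S+))', re.I)


def normalize(path):
    """Lower-case, strip quotes and expand known 8.3 prefixes so that
    C:\PROGRA~3\E909.tmp compares equal to C:\ProgramData\E909.tmp."""
    p = path.strip().strip('"').lower()
    for alias, full in SHORT_NAMES.items():
        if p.startswith(alias):
            return full + p[len(alias):]
    return p


def del_targets(cmdline):
    """Every path handed to a `del` inside a cmd.exe command line, normalized."""
    return [normalize(quoted or bare) for quoted, bare in DEL_RE.findall(cmdline)]


def find_self_deletion(events):
    """Process-creation events where a cmd.exe child deletes its parent's image."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = normalize(ev["parent_image"])
        for target in del_targets(ev["cmdline"]):
            if target == parent:
                hits.append({"pid": ev["pid"], "parent_pid": ev["parent_pid"], "target": target})
    return hits


# Constructed process-creation events.
EVENTS = [
    {   # the self-delete observed above (PID 2764 under PID 860)
        "pid": 2764, "parent_pid": 860,
        "parent_image": "C:\\ProgramData\\E909.tmp",
        "image": "C:\\Windows\\SysWOW64\\cmd.exe",
        "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C DEL /F /Q C:\\PROGRA~3\\E909.tmp >> NUL',
    },
    {   # constructed benign contrast: a user deleting a log file from Explorer
        "pid": 3100, "parent_pid": 1200,
        "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\cmd.exe",
        "cmdline": 'cmd.exe /c del /q "C:\\Users\\Admin\\Downloads\\old.log"',
    },
    {   # constructed delayed variant: wait for the parent to exit, then delete it
        "pid": 5100, "parent_pid": 4800,
        "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\stage.exe",
        "image": "C:\\Windows\\System32\\cmd.exe",
        "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\\Users\\Admin\\AppData\\Local\\Temp\\stage.exe"',
    },
]

if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print(f"PID {hit['pid']} (parent {hit['parent_pid']}): cmd.exe deleted parent image {hit['target']}")
```

Matching on the parent's image rather than on "DEL of a .tmp in ProgramData" keeps the rule independent of the dropper's chosen path, and the quoted/unquoted capture handles both the bare short-name form in the report and the quoted long-name form that the ping-delay variant uses.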
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 232f3fe89c8fb223aa70f7aada475f8e
  SHA1: 0ff0e4f17e3825bfc2b53944955c58fb0a9d41b8
  SHA256: 15734f293208338c038c84943768ff238d3c700396e7ebaa7138266dda277afb
  SHA512: 162a1337e692839ba1a2eca541c4308015f0d3be789c6a286b11374a536dea115ca57f8dffee62c1b3e22c7b9e0b05f9a6fb203c8b6a21828774cc7de02c7b21
- Filesize: 343B
  MD5: 72b1ffaeb7de456483f491ecceadb088
  SHA1: ee1953abc295245ab01f35a4a823883826bf2b41
  SHA256: eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7
  SHA512: c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize: 146KB
  MD5: aaffa0a49c97a64e042fa7071f0125ec
  SHA1: fc8ce5ebdc74f8093788c37760e8772f376ff0c5
  SHA256: 778849d22caeea428c301b6850a86c38657bd4f17696159fd8d28b383b114fd2
  SHA512: 25605aae845ea5343bc1dfc0a190fefac67b49263da32a1c25d7a6924f054a896c0b5867e2b4307aa58b923bf3127f252d25898d85b72fd855416eebca4a9be6
  (Same size as the submitted artifact.exe, but the hashes differ from the General section above.)
- Filesize: 4KB
  MD5: 6a465aa6263799d20fa7a8c4bc7e3f7a
  SHA1: ad98ba37f13a9072b2574a881f1d95f905fc3a54
  SHA256: dc749855f8edfddf93aa320364cdc420aaa94e4b95bfde9818ff4f756b5c89e8
  SHA512: da6c92de2f2a95d907a0787c9c6987787a14925c03e5806edd04641a6e1721f23a9edf7f85ad080e8fa1b8b477aac6c6cf25252b02b996f6e0ab061cf2145f33
- Filesize: 129B
  MD5: 20f2c834343f3934df17325457a25e79
  SHA1: d79bfc3425209021fac5ec6c13f50777c40f482a
  SHA256: 3bc5ec77d6a12d5a737775ad8ff499f181323f6389c2a8ff2aecd468a538e0d2
  SHA512: 3beb88f6123bfd8bd8160ab10b59dbfcdc26d1b4914bbad42b190feca78dc594e8adc36d03e63ac1f07671ce03a80bd0b315b471928dd8bc11adc244c39c9e4d