22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Size

146KB
MD5

a7be144ff0b871ddd45e1e0bef06faa6
SHA1

811797d3e0ce7c5ed76ff656156a2c066f306032
SHA256

22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f
SHA512

caeec8ed5080f00fe1134b968c81f13660ac1a9312d1f151b676f2a0b3670b2c0440e00c8a5e398d91707be5989d34e547ff3d5b4facbba81705c41f52bb3367
SSDEEP

3072:46glyuxE4GsUPnliByocWep0AMmr7fTP+Gldf:46gDBGpvEByocWeRMa3P

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (594) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	B5E3.tmp

Deletes itself 1 IoCs

pid	Process
3156	B5E3.tmp

Executes dropped EXE 1 IoCs

pid	Process
3156	B5E3.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPn7tjp2q9t0bkfwm7z3pmb2pac.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPoi3_4wq9iil46dl29cqmkx02b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPqo4qbf6826h9d1f691xmb6cp.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\OC9oMrMV8.bmp"	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\OC9oMrMV8.bmp"	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
3156	B5E3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B5E3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "10"	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.OC9oMrMV8	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.OC9oMrMV8\ = "OC9oMrMV8"	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OC9oMrMV8\DefaultIcon	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OC9oMrMV8	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OC9oMrMV8\DefaultIcon\ = "C:\\ProgramData\\OC9oMrMV8.ico"	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp
3156	B5E3.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeDebugPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: 36	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeImpersonatePrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeIncBasePriorityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeIncreaseQuotaPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: 33	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeManageVolumePrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeProfSingleProcessPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeRestorePrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSystemProfilePrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeTakeOwnershipPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeShutdownPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeDebugPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeBackupPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
Token: SeSecurityPrivilege	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE
1092	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 1960	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe	95
PID 4228 wrote to memory of 1960	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe	95
PID 3448 wrote to memory of 1092	3448	printfilterpipelinesvc.exe	103
PID 3448 wrote to memory of 1092	3448	printfilterpipelinesvc.exe	103
PID 4228 wrote to memory of 3156	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe	105
PID 4228 wrote to memory of 3156	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe	105
PID 4228 wrote to memory of 3156	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe	105
PID 4228 wrote to memory of 3156	4228	22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe	105
PID 3156 wrote to memory of 1004	3156	B5E3.tmp	106
PID 3156 wrote to memory of 1004	3156	B5E3.tmp	106
PID 3156 wrote to memory of 1004	3156	B5E3.tmp	106

C:\Users\Admin\AppData\Local\Temp\22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe
"C:\Users\Admin\AppData\Local\Temp\22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1960
- C:\ProgramData\B5E3.tmp
  "C:\ProgramData\B5E3.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B5E3.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4744

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7C246234-D8BA-42D1-A150-C5479251450C}.xps" 133743939156470000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\TTTTTTTTTTT

Filesize
129B

MD5
2287ef5d9dea430e1e670198c358ccdb

SHA1
6d75da4b6716668fce1e4935ae515e0004cb6224

SHA256
573ed4894c17d81c4c9af9640cccf9161ac521be4b8e8c5ddcdae404f3806c98

SHA512
dfd8b331719bc576e2720b21d40c8e23c52a9da8929479945bc1680bae27b770dcb8078ac87cf9be3f319b884451e1f42917dbf887f039c75d8ab503615a167f

Download Submit
C:\OC9oMrMV8.README.txt

Filesize
343B

MD5
a8864aa0987b12bc59008a02c3ddda88

SHA1
54327dba296f734aae7ba65faf0b3dd8cb73b714

SHA256
168c71031668b64e0ccf26e81353f6eacb3599edbaf62f7aa62c55b8075a5a8f

SHA512
5a94b41a4f74354978c32dbe18d505bda8db0a0195f1df1749f81478c0bc0e022b744972f0c491a33b595fc9b21c7b5b59252ec5451b14cf15cbb6c936954dd8

Download Submit
C:\ProgramData\B5E3.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Filesize
146KB

MD5
1ec4d55643ba4e8a8a5386294b3405ca

SHA1
991190a7f9dce4e58327cb053f2baebc30b3977a

SHA256
d43059f9af24264543a0708b26d5fd7648bbb1d1504105b68b599da1f9ef8408

SHA512
f48e022ecd3ed0d37cdf59451c1816e94ae96d29c0c1ba3361436f1c0821e53abca07a8f5d3b2392865e0ad72fe5402e4374e4d0a80e982674c63c015dd09989

Download Submit
C:\Users\Admin\AppData\Local\Temp\{257F0B7B-3B4B-458B-897A-36F90F919E08}

Filesize
4KB

MD5
a70cd1e4c4173f27ff2bcd9aada75118

SHA1
b6b495e0675f08e09b3d7e8bb85128e1b91c9276

SHA256
bedab1dda6d191a67dd05af1213571143730f6328c7635694b68ea8fa4ce5bd4

SHA512
46036cec5ff8083489294a3f2c0ecd24cd45966fa944ad6543cccbee96fe7fff64c71acaf64d53f99d21d847e3d59eab7db60658f174f8d4c9a05bc864b7073e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\DDDDDDDDDDD

Filesize
129B

MD5
393f234affebf4d3f64d48e86a053c82

SHA1
c16836a05d57edce0e3cae5fee5e07de31ec6398

SHA256
7bc06318e9b3e718ed5206a91be3332a1d1f61c5885c07b8287e8d03d65c2b19

SHA512
1ead356e32e04a48a9c50d4756f8db64f64e8a92106902aa5cc211819b488623689d1ca3808e3b92aee300040f16302ac8a93e655851de98b167b0e4151628a0

Download Submit
memory/1092-2790-0x00007FF9BC990000-0x00007FF9BC9A0000-memory.dmp

Filesize
64KB

Download
memory/1092-2787-0x00007FF9BC990000-0x00007FF9BC9A0000-memory.dmp

Filesize
64KB

Download
memory/1092-2789-0x00007FF9BC990000-0x00007FF9BC9A0000-memory.dmp

Filesize
64KB

Download
memory/1092-2788-0x00007FF9BC990000-0x00007FF9BC9A0000-memory.dmp

Filesize
64KB

Download
memory/1092-2791-0x00007FF9BC990000-0x00007FF9BC9A0000-memory.dmp

Filesize
64KB

Download
memory/1092-2824-0x00007FF9BA2D0000-0x00007FF9BA2E0000-memory.dmp

Filesize
64KB

Download
memory/1092-2825-0x00007FF9BA2D0000-0x00007FF9BA2E0000-memory.dmp

Filesize
64KB

Download
memory/4228-2774-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/4228-2773-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/4228-1-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/4228-2775-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/4228-2-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/4228-0-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download