Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 12:12
Static task: static1
Behavioral task: behavioral1
- Sample: 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
- Resource: win10v2004-20241007-en
General
- Target: 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
- Size: 165KB
- MD5: 65c0c7c9fe6bc1d5296447aae6c6c14c
- SHA1: 67217e5c6859afb1b2c736625fcf8bee9ad158cc
- SHA256: 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412
- SHA512: 2453322a835c47aa10c1c7d3005319e75c01faf972efb03de9381f9dac870849917e96ca58cdd0e1f501b3d016dbda73a12af446971b545fe9fd164d739ce264
- SSDEEP: 3072:l7v9etA6pzarOLgSua/iw6kzgm0Ip1qHlBxpN/FaV0jZB6SbFW2CT75I8Buowhvw:ljm0IpqlBxpN/Fd5bFWLT7mM7w0F3+k1
Malware Config
Signatures
- Renames multiple (313) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\B: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\J: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\K: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\O: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\S: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\T: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\W: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\A: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\G: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\H: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\L: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\P: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\Q: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\R: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\V: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\E: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\M: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\N: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\U: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\X: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\I: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\Y: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\Z: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File opened (read-only) | \??\F: | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP720a1xe0bb1811457cm9ocgn.TMP | printfilterpipelinesvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  5204 | ONENOTE.EXE (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 2368 | 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid | Process
  5204 | ONENOTE.EXE (13 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 5924 wrote to memory of 5204 | 5924 | printfilterpipelinesvc.exe | 98 (2 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe"
  PID: 2368
  Signatures:
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 5744
- C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 5924
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child process)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2D6D0FA5-0C56-44C2-9C0B-50E5D2670DF7}.xps" 133752823341110000
    PID: 5204
    Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a2216a7155bebb30e67f217f6fd232f5
  SHA1: c8f100b610a63f28921c686a8a4a6fd9aa2153e0
  SHA256: ef01b2342b49597ad0e326cad64ab471ec4460e09fe66a90e75bc30bf209cfc8
  SHA512: 57f383a840d74bb98185022b21204eb9954b0cf98c9188146dfe902d658e95fc71467195359394cfd73486ccb2315c19930685e6ae046ecd452caeb854fed498
- Filesize: 4KB
  MD5: ddac2c2ef06598adcad51931d32c6444
  SHA1: ad0e3ab81184ed417d19e5b0b920b72530dd8e5e
  SHA256: af9f8ee2fd61d8ae56a0fb8e2cc862807b7e8d637e33cda11da3e19858a169ba
  SHA512: e014100b63f049e4b0f7fd36f88a1e368687e0520c312adf36b8c336649754516b90467aeb1ebe9c91b06a0230f93d263543f69b4f2aa78b4c0605634f6aa92d