Analysis Overview
SHA256
4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412
Threat Level: Likely malicious
The file 4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (313) files with added filename extension
Renames multiple (384) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 12:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 12:12
Reported
2024-11-05 12:14
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Renames multiple (384) files with added filename extension
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
"C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe"
Network
Files
F:\README.txt
| Hash | Value |
|---|---|
| MD5 | a2216a7155bebb30e67f217f6fd232f5 |
| SHA1 | c8f100b610a63f28921c686a8a4a6fd9aa2153e0 |
| SHA256 | ef01b2342b49597ad0e326cad64ab471ec4460e09fe66a90e75bc30bf209cfc8 |
| SHA512 | 57f383a840d74bb98185022b21204eb9954b0cf98c9188146dfe902d658e95fc71467195359394cfd73486ccb2315c19930685e6ae046ecd452caeb854fed498 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 12:12
Reported
2024-11-05 12:14
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Renames multiple (313) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PP720a1xe0bb1811457cm9ocgn.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5924 wrote to memory of 5204 | N/A | C:\Windows\system32\printfilterpipelinesvc.exe | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
| PID 5924 wrote to memory of 5204 | N/A | C:\Windows\system32\printfilterpipelinesvc.exe | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
"C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2D6D0FA5-0C56-44C2-9C0B-50E5D2670DF7}.xps" 133752823341110000
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\ProgramData\Adobe\Setup\README.txt
| Hash | Value |
|---|---|
| MD5 | a2216a7155bebb30e67f217f6fd232f5 |
| SHA1 | c8f100b610a63f28921c686a8a4a6fd9aa2153e0 |
| SHA256 | ef01b2342b49597ad0e326cad64ab471ec4460e09fe66a90e75bc30bf209cfc8 |
| SHA512 | 57f383a840d74bb98185022b21204eb9954b0cf98c9188146dfe902d658e95fc71467195359394cfd73486ccb2315c19930685e6ae046ecd452caeb854fed498 |
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
| Hash | Value |
|---|---|
| MD5 | ddac2c2ef06598adcad51931d32c6444 |
| SHA1 | ad0e3ab81184ed417d19e5b0b920b72530dd8e5e |
| SHA256 | af9f8ee2fd61d8ae56a0fb8e2cc862807b7e8d637e33cda11da3e19858a169ba |
| SHA512 | e014100b63f049e4b0f7fd36f88a1e368687e0520c312adf36b8c336649754516b90467aeb1ebe9c91b06a0230f93d263543f69b4f2aa78b4c0605634f6aa92d |