Analysis Overview
SHA256
9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896
Threat Level: Likely malicious
The file 9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896 was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (353) files with added filename extension
Renames multiple (262) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in System32 directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 09:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 09:24
Reported
2024-11-14 09:27
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Renames multiple (262) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\spool\PRINTERS\00003.SPL | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPiniroqihktvbdoxk4_11w7s9d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5400 wrote to memory of 5580 | N/A | C:\Windows\system32\printfilterpipelinesvc.exe | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
| PID 5400 wrote to memory of 5580 | N/A | C:\Windows\system32\printfilterpipelinesvc.exe | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe
"C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D0202900-F18F-4CE3-8530-80118D3A8DF4}.xps" 133760499026320000
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Adobe\Setup\README.txt
| Hash | Value |
| --- | --- |
| MD5 | 002038f13b55ae292b5f46cfb527b76a |
| SHA1 | 9aa7673c7d25a28ba98f886ad438b5025812a382 |
| SHA256 | 03321470ae6c64e515109b2a271734863f9e17d51f1867843e05e142b1ed3e66 |
| SHA512 | 17a4d0655518563e723471794816aaf49fc47316d7d6110ad8aed842351bcea9887d43630d1423afe2263dfa518fb736745d07b1df0be8d3f51e2594d16c27c2 |
memory/5580-798-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp
memory/5580-799-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp
memory/5580-800-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp
memory/5580-801-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp
memory/5580-802-0x00007FFD2E970000-0x00007FFD2E980000-memory.dmp
memory/5580-803-0x00007FFD2C550000-0x00007FFD2C560000-memory.dmp
memory/5580-804-0x00007FFD2C550000-0x00007FFD2C560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{8EAB8140-CCB1-40D5-8D1D-8691D36B372D}
| Hash | Value |
| --- | --- |
| MD5 | dbf7c19f1c2dfee37e47176b44751c1e |
| SHA1 | 093a67da0df6c35d86ed8f64c05a5213135b7e39 |
| SHA256 | 7a6b8afb11c13eb66664c6edf70da895fec39e84ac141c3937d3950fc3fd072c |
| SHA512 | 1ab390ead6e3c2fec0890f26ffae73c3c5a23c9904dac45cc7181c422e61aeeafe865377304390ff6742cfd017d25fa311d9906d5809f738c0f2e426b02203e2 |
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
| Hash | Value |
| --- | --- |
| MD5 | 9cb9576e04b4ef5efd9c0511aa041b66 |
| SHA1 | 0e615c6512786bda5000ac1676eea1d8449dbaef |
| SHA256 | 3b67b831c94f6508f8d5e73fafcd6514239453bb24edf5df1571bc58365bc519 |
| SHA512 | 1bbc835170ab852e4c26210b7b01f8c1fa4147528c426b4bd7fd8f8a05d319ee34c0ab9e4290a8ee696dca6da20c18df0caf8356a3fc561fca6ff84839dc50e1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 09:24
Reported
2024-11-14 09:27
Platform
win7-20240903-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Renames multiple (353) files with added filename extension
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\background-image.jpg" | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe
"C:\Users\Admin\AppData\Local\Temp\9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896.exe"
Network
Files
F:\README.txt
| Hash | Value |
| --- | --- |
| MD5 | 002038f13b55ae292b5f46cfb527b76a |
| SHA1 | 9aa7673c7d25a28ba98f886ad438b5025812a382 |
| SHA256 | 03321470ae6c64e515109b2a271734863f9e17d51f1867843e05e142b1ed3e66 |
| SHA512 | 17a4d0655518563e723471794816aaf49fc47316d7d6110ad8aed842351bcea9887d43630d1423afe2263dfa518fb736745d07b1df0be8d3f51e2594d16c27c2 |