dragonforce | 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Size

147KB
MD5

40126b1b3c6f86194fc554cdba3cb5d3
SHA1

a05551c8536eb6489651a9481911d107fd1c34ef
SHA256

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409
SHA512

045711fc010aba7ae338351fe825575bda270636c5c983484faae980655b50dc0196a74964f115fb73235bbae1e6013351e5dc573865e848669fdb43272a4278
SSDEEP

3072:a6glyuxE4GsUPnliByocWepvOdS3A/bB1Ba3:a6gDBGpvEByocWeGSQzN

Score

10^/10

dragonforce defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\uBBbnTEl1.README.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: BD7CA47B4E141060625DB49F86B2330C to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 02/05/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D9B7.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	D9B7.tmp

Deletes itself 1 IoCs

Processes:

D9B7.tmp

pid	Process
2448	D9B7.tmp

Executes dropped EXE 1 IoCs

Processes:

D9B7.tmp

pid	Process
2448	D9B7.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

Processes:

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPteqmei2bu54238600zlz0tj4c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPixslvvv0vr8hmawxootgiqngd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPlwuvw32lqw11b4y3h942brn4d.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exeD9B7.tmp

pid	Process
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2448	D9B7.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exeD9B7.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D9B7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe

pid	Process
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

D9B7.tmp

pid	Process
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp
2448	D9B7.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeDebugPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: 36	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeImpersonatePrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeIncBasePriorityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeIncreaseQuotaPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: 33	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeManageVolumePrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeProfSingleProcessPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeRestorePrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSystemProfilePrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeTakeOwnershipPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeShutdownPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeDebugPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeBackupPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Token: SeSecurityPrivilege	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE
4872	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exeprintfilterpipelinesvc.exeD9B7.tmp

description	pid	Process	procid_target
PID 2264 wrote to memory of 3064	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe	94
PID 2264 wrote to memory of 3064	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe	94
PID 3000 wrote to memory of 4872	3000	printfilterpipelinesvc.exe	101
PID 3000 wrote to memory of 4872	3000	printfilterpipelinesvc.exe	101
PID 2264 wrote to memory of 2448	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe	102
PID 2264 wrote to memory of 2448	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe	102
PID 2264 wrote to memory of 2448	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe	102
PID 2264 wrote to memory of 2448	2264	5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe	102
PID 2448 wrote to memory of 2900	2448	D9B7.tmp	103
PID 2448 wrote to memory of 2900	2448	D9B7.tmp	103
PID 2448 wrote to memory of 2900	2448	D9B7.tmp	103

C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3064
- C:\ProgramData\D9B7.tmp
  "C:\ProgramData\D9B7.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D9B7.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4312

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{EA44AF2A-0594-4663-9A0D-9CC5F6DCA07D}.xps" 133764972849610000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini

Filesize
129B

MD5
d2fb427e1989d029e6843443429ac2b0

SHA1
04eaacbae57bb3aa0b1d2e8de47e5a723e87b3b6

SHA256
47735317f3692bae2713c41de32c54f80337e8b91ce07f258fb61a1bc5632e29

SHA512
13a8d26743792eebbbfcb7118d66772ff9a34db67178aa559e0dbf503031815b5429170ba6dc202a1ca92f9db14e499a279c1f0ae351f8cc8f5da9993ad566af

Download Submit
C:\ProgramData\D9B7.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Filesize
147KB

MD5
a6a4d7290a56bc89e7e5c1976375ef96

SHA1
61f6220cd17bf88b5e8d6eb1deecdf6b6e07dfe8

SHA256
2af317d4803e9ba417fcbde28e17026466ddf705cd5e0ff5d67aba4a292b4e70

SHA512
7b107c6467b5dfa4f4c92417c0f5c0f1c17b49ef997d2ce03002b0346f7eadfb38ce1d619e8da41110d90fc3956b12fd5e96961e5c6ff0abe3600dfff607d4cd

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
68KB

MD5
18344eeb0f6f71123944e3822563252f

SHA1
61a919c229ecd514b2d32439e5b5436e90d9ade0

SHA256
4c50930704349e34e4632252b26292523d3b8a26f1aafad29d30f0401ab29a11

SHA512
54e577dfa1ff21bad47e580a1a6498b56d43b64184fd0da87b7a1bf86d9fd10b18d8bc250ee52873bdd4d82b804065ea84c13d1c38e03f9d06c8d6f1128bdd7a

Download Submit
C:\uBBbnTEl1.README.txt

Filesize
1KB

MD5
24a1253f461767a69110d461b1c427ab

SHA1
6b72c578012088753089a069888405a0234575e0

SHA256
e5ee992636227ff21ff88c47d1982ef35636391f3515ffdb54486aa6e32f47ff

SHA512
8573a36ae39ff4c13c393c4a5fa3aa67afb120be62698ce70999a65fadaba7a124e826906657defbcc47f2a76566a88e803eb282b3cb5ba7e811c5df50d372b2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\DDDDDDDDDDD

Filesize
129B

MD5
de70dcab654a6abb31edb0ae9f758ec5

SHA1
2a6523514b27ca0887d3999561ff07c451ac0018

SHA256
ef9322b255b889482724a9b959034784912564b8cdf8679911aa65c87ee3e5f7

SHA512
b034c1d18e21a91b40cb3eed529be92f89d7b91f491ae35c8cb54b05737c979fe07abcc17a5a5fa7825a28bc94665a0d1146d103c4c818f398bce28d6474133b

Download Submit
memory/2264-2908-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/2264-2909-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/2264-1-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/2264-2910-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/2264-0-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/2264-2-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/4872-2929-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/4872-2928-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/4872-2926-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/4872-2934-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/4872-2935-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/4872-2958-0x00007FFC369B0000-0x00007FFC369C0000-memory.dmp

Filesize
64KB

Download
memory/4872-2959-0x00007FFC369B0000-0x00007FFC369C0000-memory.dmp

Filesize
64KB

Download