Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 02:45
Behavioral task
behavioral1
Sample
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
-
Size
147KB
-
MD5
40126b1b3c6f86194fc554cdba3cb5d3
-
SHA1
a05551c8536eb6489651a9481911d107fd1c34ef
-
SHA256
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409
-
SHA512
045711fc010aba7ae338351fe825575bda270636c5c983484faae980655b50dc0196a74964f115fb73235bbae1e6013351e5dc573865e848669fdb43272a4278
-
SSDEEP
3072:a6glyuxE4GsUPnliByocWepvOdS3A/bB1Ba3:a6gDBGpvEByocWeGSQzN
Malware Config
Extracted
Path
C:\uBBbnTEl1.README.txt
Family
dragonforce
Ransom Note
Hello!
Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay.
--- Our communication process:
1. You contact us.
2. We send you a list of files that were stolen.
3. We decrypt 1 file to confirm that our decryptor works.
4. We agree on the amount, which must be paid using BTC.
5. We delete your files, we give you a decryptor.
6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
--- Client area (use this site to contact us):
Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
>>> Use this ID: BD7CA47B4E14106011CCE0924E78F01F to begin the recovery process.
* In order to access the site, you will need Tor Browser,
you can download it from this link: https://www.torproject.org/
--- Additional contacts:
Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
--- Recommendations:
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
--- Important:
If you refuse to pay or do not get in touch with us, we start publishing your files.
02/05/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog.
Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Signatures
-
DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
-
Dragonforce family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
FFEC.tmpdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation FFEC.tmp -
Deletes itself 1 IoCs
Processes:
FFEC.tmppid Process 624 FFEC.tmp -
Executes dropped EXE 1 IoCs
Processes:
FFEC.tmppid Process 624 FFEC.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
Processes:
splwow64.exeprintfilterpipelinesvc.exedescription ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PP9ml5n3y29fagdq94kp0z4wa5d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPf16_fnbhk9h2fyvea70cw857.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP9wngjt52lhrvu49zdb8hda5vc.TMP printfilterpipelinesvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exeFFEC.tmppid Process 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 624 FFEC.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exeFFEC.tmpcmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FFEC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exepid Process 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
FFEC.tmppid Process 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp 624 FFEC.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeDebugPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: 36 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeImpersonatePrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeIncBasePriorityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeIncreaseQuotaPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: 33 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeManageVolumePrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeProfSingleProcessPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeRestorePrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSystemProfilePrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeTakeOwnershipPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeShutdownPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeDebugPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid Process 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE 2728 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exeprintfilterpipelinesvc.exeFFEC.tmpdescription pid Process procid_target PID 2340 wrote to memory of 1744 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 92 PID 2340 wrote to memory of 1744 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 92 PID 2028 wrote to memory of 2728 2028 printfilterpipelinesvc.exe 97 PID 2028 wrote to memory of 2728 2028 printfilterpipelinesvc.exe 97 PID 2340 wrote to memory of 624 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 98 PID 2340 wrote to memory of 624 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 98 PID 2340 wrote to memory of 624 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 98 PID 2340 wrote to memory of 624 2340 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 98 PID 624 wrote to memory of 3960 624 FFEC.tmp 99 PID 624 wrote to memory of 3960 624 FFEC.tmp 99 PID 624 wrote to memory of 3960 624 FFEC.tmp 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:1744
-
-
C:\ProgramData\FFEC.tmp"C:\ProgramData\FFEC.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FFEC.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:3960
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3536
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{13598959-F730-4FBE-9753-0C1690D6A751}.xps" 1337654439147000002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2728
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5e5f7264d78ec0f9bfa8756968387164c
SHA13956b7dd92c3964fafcb0893c69748faab12ff1d
SHA256a558adca2cf18571ba956d54c3f46fab25098eacc724f8411898469091e097ee
SHA51247f6e97616ce414ab1e5fe1395ddd075b524f562eae525e03cf06d411260cfd2abec31c4549507a60578cdb37e7e699302b7f0d7a7492131d2e74c7b20701e6c
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize147KB
MD5bc8ca812eaf5760147d7dda31ff4a7f2
SHA1c754fb95e94d9c918713dbd1e01828699042d2c0
SHA2562fd6024808b110720bae5383ba827a87a43c8d7d1d99b48d29edd10e6f41933d
SHA512a478126f907f86ec6003732f39d64b6f296a8f002b053bf852e87557890fa10806ac28fe87afa7a8c4490b6ff8a449535b6b2465f2630e0dff0074bca40822c0
-
Filesize
4KB
MD54e2d4da2d2fa742434e1828e048f3da3
SHA1deaca072fb2d81034aee5a39d8e067e4b8b0d777
SHA256fbd3ca7588cec1c09227d32a61cc64ab23138b936eaaae037764b5686bb34b27
SHA5129a8047d6e6355525bb089c2a742e11ffdd8aa160c3d718145fb7fcf97acaa16539acd8e818b297afeb864d759ba626260b6864da6186b321a191aa1265be96fe
-
Filesize
1KB
MD5879a80b42bf9d63273befc73d7489442
SHA1940335c08a7cd3823c5d3cc9d6622dd0894ea7fd
SHA2567977ada666aed17520e038287da9ee6e1fceea431aeae953b5058c3c457cad01
SHA51227c480d5256a7d5a52d637ddcc08873650c02ccd133431879cc238a1f1256729ec4fba6501f5a191156d2f1436c1f8079ddd593b4c1e6e4bdcf6a75bcb8eb736
-
Filesize
129B
MD53fc2f1d2b8b6d0dcc61a83f579aa46e3
SHA16f77dcfd8966735c00a53e51891964ebc84acd73
SHA25620e0c512aa8ad1784c1ab560ededf83af2fd33b485f974c4f0843f120169d330
SHA5125895f59e119b7d61acc90c48f2f181e6be44948357fd592f6f6a366e3f39bc4d51097d5c6ed8dbc2dd82b46423c88564e649e9e820c77845d40c31c37b04b6e1