0774bab2acc20b6cf91669dd916f3ee0bd152919e2533a4bb0f04e0c2539da3b

Analysis

max time kernel
92s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Size

147KB
MD5

e3e89421797130de9f4edebdd1980522
SHA1

f3fad656375518254c520e5dc7d94a495443db7e
SHA256

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e
SHA512

94d3670b2e2af3c18d4f441340973045bb9b658f401cf20e27b7376fdb4c37e7e8d2d39fa2f417536987957a5af7f81c44f433fa3cd392c288d852b427af38ec
SSDEEP

3072:h6glyuxE4GsUPnliByocWepKooaLxQ3Rmz:h6gDBGpvEByocWeD8Rm

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\blADqpmVf.README.txt

Ransom Note

>>>> Your data are stolen and encrypted if you do not pay the ransom The Your data permanently deleted >>>>What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and your data will not be disclosed . Life is too short to be sad. Be not sad, money, it is only paper. You can contact us and use your personal decryption ID to decrypt a file for free >>>>Your personal DECRYPTION ID: 79F912B255565ED7DA189ACCAFAF1B9F If we do not give you decrypters after payment, then nobody will pay us in the future. Therefore, our reputation is very important to us. You can contact me by email. Email:[email protected] Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs >>>>payment is completed, send the payment photo to Email: [email protected] >>>>payment is completed Send via email we will provide you the programs and you will restore all the data. >>>>Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

Emails

Email:[email protected]

[email protected]

Signatures

Renames multiple (634) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CB02.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	CB02.tmp

Deletes itself 1 IoCs

Processes:

CB02.tmp

pid	Process
1540	CB02.tmp

Executes dropped EXE 1 IoCs

Processes:

CB02.tmp

pid	Process
1540	CB02.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPxydwnctxl50dml2y__l0710mc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP_0zs_tpir6ertr4v26j1cxm9c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPe15kjc735ic4ks09rkizux0tb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\blADqpmVf.bmp"	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\blADqpmVf.bmp"	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exeCB02.tmp

pid	Process
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
1540	CB02.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exeCB02.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CB02.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\WallpaperStyle = "10"	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

Modifies registry class 5 IoCs

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blADqpmVf	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blADqpmVf\DefaultIcon\ = "C:\\ProgramData\\blADqpmVf.ico"	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blADqpmVf	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.blADqpmVf\ = "blADqpmVf"	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blADqpmVf\DefaultIcon	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

pid	Process
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

CB02.tmp

pid	Process
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp
1540	CB02.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeDebugPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: 36	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeImpersonatePrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeIncBasePriorityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeIncreaseQuotaPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: 33	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeManageVolumePrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeProfSingleProcessPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeRestorePrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSystemProfilePrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeTakeOwnershipPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeShutdownPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeDebugPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeBackupPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
Token: SeSecurityPrivilege	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE
2160	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exeprintfilterpipelinesvc.exeCB02.tmp

description	pid	Process	procid_target
PID 2428 wrote to memory of 1940	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe	90
PID 2428 wrote to memory of 1940	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe	90
PID 4116 wrote to memory of 2160	4116	printfilterpipelinesvc.exe	99
PID 4116 wrote to memory of 2160	4116	printfilterpipelinesvc.exe	99
PID 2428 wrote to memory of 1540	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe	100
PID 2428 wrote to memory of 1540	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe	100
PID 2428 wrote to memory of 1540	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe	100
PID 2428 wrote to memory of 1540	2428	2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe	100
PID 1540 wrote to memory of 3312	1540	CB02.tmp	102
PID 1540 wrote to memory of 3312	1540	CB02.tmp	102
PID 1540 wrote to memory of 3312	1540	CB02.tmp	102

C:\Users\Admin\AppData\Local\Temp\2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe
"C:\Users\Admin\AppData\Local\Temp\2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1940
- C:\ProgramData\CB02.tmp
  "C:\ProgramData\CB02.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CB02.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1136

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{06238625-B53F-4624-BEDF-10EE983E87A3}.xps" 133776907166230000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\PPPPPPPPPPP

Filesize
129B

MD5
9efa74f6aecd0de29e1f03a647ce40d5

SHA1
cda34f2eba3901d6c743852072be4c30ddb2d0de

SHA256
3bc11b2b67255f463ecce35c6fb010f89be35844e886ca7bf4ab2de455f4dca2

SHA512
323093c460baa25319007b2449da3dc4897ccc158f8fc5c9d0b6a59fbb28c2580788dd04bbbbacf5e3e40d96cd26a2498334a4bd72f0e5e2bb208939b99cb34a

Download Submit
C:\ProgramData\CB02.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
50e36ea6018ae1f723d191208e4299bf

SHA1
7519a04f2f7292e0ebc92b3cc491a862b893a320

SHA256
7c229c140ebf4beee199466a0dde93023c1446cddb38195934c7d7cbc0e1b083

SHA512
75f00e20d38a6bfc43f9f2b722bb4d8794de209649645a0aef2484aa97ce90997621fb42589fc896dc30083b56e936b463875355a6272c3012ad88d12d498f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C340487F-9247-4541-B7A4-9233099FCB29}

Filesize
4KB

MD5
cf1718958641f38689076ee3874ccd11

SHA1
84bf62875c80ea3440e3e48cfa667fc3fb72c9bf

SHA256
92ce8e23029d47cc24a4c00ad2168967a57067f776f3a7293ff91f9bc4e8fb38

SHA512
0cc4978bfa4d284952118d508312ded7e106df3ea4d9999af6bdccfe7e178a09dccde15f09548a68f3b47d9040ddea51ed4494038fb491b26cc40fdb1e72742b

Download Submit
C:\blADqpmVf.README.txt

Filesize
1KB

MD5
f1fa19a31f8cffe84e3bd1e7b5d2c341

SHA1
03e3fea336348af25a33abe584246c4fc82f100d

SHA256
0e1e7e11e2d9d2abf234db549ba6ece795ba4b636266b42053d89529a34ddeb2

SHA512
a87c712c2af4cb22c384c57a343d608142844f12faea778bf383e07325b8e5c4ad8543b882a874d5c3d0729e6d2d0d836ed66bd6bdb923da6902e9ab77a7ee0b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\DDDDDDDDDDD

Filesize
129B

MD5
8257bf5ccc5af5e9a65bd65f86ece92f

SHA1
c38d7e906cf001da777e6fd0619fd21206ec3871

SHA256
3207400db7bee115f18d1049bddf50a5f238d2ded388b019624675d1c4290037

SHA512
631b5dccbd4234d87cefeab0356fdd2048f04ec1d0bb44345a69a1bc175de96a45d989e5defaa4cd122ec3f9322aa1a652f332dcd0a68e0c43ff64c3449f1550

Download Submit
memory/2160-2833-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp

Filesize
64KB

Download
memory/2160-2828-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp

Filesize
64KB

Download
memory/2160-2834-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp

Filesize
64KB

Download
memory/2160-2832-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp

Filesize
64KB

Download
memory/2160-2835-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp

Filesize
64KB

Download
memory/2160-2864-0x00007FFAA4F20000-0x00007FFAA4F30000-memory.dmp

Filesize
64KB

Download
memory/2160-2865-0x00007FFAA4F20000-0x00007FFAA4F30000-memory.dmp

Filesize
64KB

Download
memory/2428-2814-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2428-2815-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2428-2813-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2428-0-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2428-2-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2428-1-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download