Resubmissions
14-01-2022 07:24
220114-h8pfvsehf8 1012-05-2021 05:57
210512-aqe1a5ra6a 1012-05-2021 04:08
210512-1jz67cazwa 10Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-05-2021 04:08
Static task
static1
Behavioral task
behavioral1
Sample
c4da0137cbb99626fd44da707ae1bca8.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
c4da0137cbb99626fd44da707ae1bca8.exe
Resource
win10v20210410
General
-
Target
c4da0137cbb99626fd44da707ae1bca8.exe
-
Size
60KB
-
MD5
c4da0137cbb99626fd44da707ae1bca8
-
SHA1
a38e9891152755d9e7fff7386bb5a1bca375bd91
-
SHA256
1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
-
SHA512
dd8212ff73522c6590ff8d8a3a48276fd872649eada2315b045c8c9f6cf054c3fe6cd741a16744eb82eff763acb745f07336c44db8f0c693770180cf7fd90645
Malware Config
Extracted
C:\\README.aeef1a75.TXT
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
c4da0137cbb99626fd44da707ae1bca8.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\WaitProtect.crw.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromGroup.raw.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe File opened for modification C:\Users\Admin\Pictures\NewMount.raw.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe File opened for modification C:\Users\Admin\Pictures\OptimizeUse.tiff.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe File opened for modification C:\Users\Admin\Pictures\StepSet.raw.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe File opened for modification C:\Users\Admin\Pictures\UnpublishInstall.png.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe -
Drops startup file 2 IoCs
Processes:
c4da0137cbb99626fd44da707ae1bca8.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.aeef1a75.TXT c4da0137cbb99626fd44da707ae1bca8.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.aeef1a75.TXT c4da0137cbb99626fd44da707ae1bca8.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 10 IoCs
Processes:
OfficeClickToRun.exeOfficeClickToRun.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 OfficeClickToRun.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
c4da0137cbb99626fd44da707ae1bca8.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\aeef1a75.BMP" c4da0137cbb99626fd44da707ae1bca8.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
OfficeClickToRun.exeOfficeClickToRun.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OfficeClickToRun.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
Processes:
SearchUI.exeOfficeClickToRun.exeOfficeClickToRun.exeSearchUI.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU OfficeClickToRun.exe -
Modifies Control Panel 2 IoCs
Processes:
c4da0137cbb99626fd44da707ae1bca8.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop c4da0137cbb99626fd44da707ae1bca8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" c4da0137cbb99626fd44da707ae1bca8.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
OfficeClickToRun.exeOfficeClickToRun.exec4da0137cbb99626fd44da707ae1bca8.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6" OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000045f2a43814c9a94f8b25ef795f13414a0000000002000000000010660000000100002000000042d6e26c423931aeb7d6bf95ec379465d73ae69edbde17660a2b9c63eb3f39a9000000000e8000000002000020000000b0beaf1747fb5462161e23dfa041ac5ba2a7838cc9cfaeb6828eedf53d0898d5f00300005d5ac30ac94fcdf989e5f780dd2a05733b92360faa8760e3fa3521fdf9be7c61fef927b4f294b41174850c657f0ca65d13a91aeca2f588cf50153f84b225ae56d3889ab7e461d61dd14424dbd3f4a58783b5911a8cc07f1d9d4286ff7a894dbf65a3fd285c32d913786b1d783335e63b4fba9bc92a337190a45de5e6ffaeee16ec69bd5fca6f241e8ccb5829f9827022c62ac4776df86cfd1e72a293a9407a055834c3e30520bab6b43f1fcee55bc07b321a3ffa68bda2134c0fcb87cbc9fc2cdb23dbe96c6f6b113e054c95e1b0b09e9d8733e51360112b363d19c62672cc7c3291acb13a4e68314450c9b54277b77a6df35c036898ee05b4b5d1f8ac2287db2feff444d17f964dd3abd41b37b47c10e639d749636850477a4bb305d649b7c1d3a02939859643691b9ede4f361f8c9fd616b300c15a6cf37d0e49553a65b6e37c4596594ef80e491ead0491565b670701a8af7fab2305cbc3626a7c4f850f2ad6e14ab801c96c80a96902d535c5a1074739ed89f04870def41af512b073b72be6a490165b34120dbf67d8ef328b7a64bedaae916d538c914876e4a8fc83d85d9e79934ab9979588455260cb57777ffc2b415dbbbc16a9a1ba9ca2c504f5d276f664b3b865d690308bdf775b046295d51aff9f86eb106094073ea12a39deee37f9b7f826ce23c909a65416787358c80bc632a36d6ad46d55520699676738eecc4e17bc513ed72029cc3886d67c473edd10ef738201454378ed6d634a50eaa19cb3f8d2cc29308c7722c017d4c335c9b2ce56662af6da4e10eeeb36c29223fd02d32007d5d300ce06977feb6bab3c05b37f3f077cec02f1a3d9f1d604fdf039990b105f39a62cfd0a94f421bc2f2c6fdb2e1c5f8990a5dcce44188261628cce1437c51b8a88b00d5fca959acaff1ff78922d7f7c538577727547eec308ce8e18ff1f819f5328da3aa1ff69ad435f1ecb4193645c2bbf05d3d66d0e77796d85244331a41ce71741206050e649bd9454775b0d0fdee7b83f92c612382028a637feff71c4ceda12dd9e2754a11765c6a0fd1b116f2e9ce18f51e15d954c4de5f73829ceacccefd95b5dece85147c782bdb8ed95a017a94d6cf98c43b6172370bdf5413be7a681551cdc15b39686c41ffb343091e5b4b20c60219457754db3a022e8a5865dd96a172b5c03a8b6b671be2444ef652a558c4670d4e3db424a8769ca30694693477c8c9eeed8143cac1480bf5388cd7b82a5f7cf3a53ce9be1fc962957baaabb9e14a34d989e42d4c9980c63b0b64e897ff2ef73ec863b3e34800d61ef06877fe6aae240972c3f8f5ea9750143879f8767e36dbfcf9a6d73aa196fc2e328c7409672e76bb5147ffb3ce3f52cfae299885bda4db377b63b5f29da24de96a10bb7ed6ffbe30380c7b2641e9910980400000009480fc95bcc96aa0e43745995ee18b759b449473da958c9ce0dbb2ec2da7df6753960cfd6fde258b81d26704097ca68d0572872c795149cca3dfc0679517a5f4 OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "001800057D984715" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUPrSa9Xbh1D0J93uIPuLO4a+WXwAOZgAAEKcbqGYzKQAtAtMufwS/AzvgANFlpKlFxBR5PN0AVm7SazlTwTV1WhEvat5ONewyPedeR3ex6lVmJ7sPTre1KvhGDAf+JwHLBZ8zF3YaRp21/IN+uOqb508BtZC0RcXSr+TK9ZCH4yAMHYRwEPyU0lyZIQiPAaSHU8wBAiIs85T5Y3Gu0cHIdO5IDaqCAdgL3a1SlUgdDL8ynB1Ldjbx/QvQxDSeftjR5jTzNAiT+IptSGnsG+cgvsEAZduI5dcshBFC+MEGwqmG14b+Ka+FniuSINP2NlF6fuamUwpYLNG+EganFlgJ+Zeswh9qm4TB5UfpGwE=&p=" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\aeef1a75.BMP" c4da0137cbb99626fd44da707ae1bca8.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001800057D984715 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000045f2a43814c9a94f8b25ef795f13414a00000000020000000000106600000001000020000000f5f889f9806bd8170b78ac01be4d9978a929a2bff138bb6fcdaaec1e7e4f9e70000000000e8000000002000020000000216eb6270edafab9af7715167fcb1d326edb955e0ae6fd4fc2c15ac1ffbecf4480000000ab321e542a4c72beb9904c96edb30f1c669187ef4a037dd25d743da38b5e9df1b87d482f31950311c8432013d7df79aa64fce71b8f4d1c3ff69278e4b17239c8b0e15cb1b9f2722aa9fe7696859ea21f49c6d72889b8d634defa0c7fb22bc2ff0fc81679036cb650fa32ecff9b838d669c535b42d98344efbe6fd1be381776f240000000a7f25ee937ba0abf4b779fd1a32b1ef150801795e2ce766f1808190bfc963767cb25ff474d96dea8c974ca354d6cd9fe41316b67ffd59d8e5066a6eafbbfabac OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe -
Modifies registry class 44 IoCs
Processes:
SearchUI.exec4da0137cbb99626fd44da707ae1bca8.exeSearchUI.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75\ = "aeef1a75" c4da0137cbb99626fd44da707ae1bca8.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75 c4da0137cbb99626fd44da707ae1bca8.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon\ = "C:\\ProgramData\\aeef1a75.ico" c4da0137cbb99626fd44da707ae1bca8.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon c4da0137cbb99626fd44da707ae1bca8.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
OfficeClickToRun.exeSearchUI.exeOfficeClickToRun.exeSearchUI.exepid process 2504 OfficeClickToRun.exe 60 SearchUI.exe 3884 OfficeClickToRun.exe 2288 SearchUI.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c4da0137cbb99626fd44da707ae1bca8.exec4da0137cbb99626fd44da707ae1bca8.exedescription pid process target process PID 204 wrote to memory of 2076 204 c4da0137cbb99626fd44da707ae1bca8.exe c4da0137cbb99626fd44da707ae1bca8.exe PID 204 wrote to memory of 2076 204 c4da0137cbb99626fd44da707ae1bca8.exe c4da0137cbb99626fd44da707ae1bca8.exe PID 204 wrote to memory of 2076 204 c4da0137cbb99626fd44da707ae1bca8.exe c4da0137cbb99626fd44da707ae1bca8.exe PID 2076 wrote to memory of 1436 2076 c4da0137cbb99626fd44da707ae1bca8.exe c4da0137cbb99626fd44da707ae1bca8.exe PID 2076 wrote to memory of 1436 2076 c4da0137cbb99626fd44da707ae1bca8.exe c4da0137cbb99626fd44da707ae1bca8.exe PID 2076 wrote to memory of 1436 2076 c4da0137cbb99626fd44da707ae1bca8.exe c4da0137cbb99626fd44da707ae1bca8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"1⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"2⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exeC:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe -work worker0 -path \\?\C:\3⤵
- Modifies extensions of user files
- Drops startup file
PID:1436
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2504
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:60
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3884
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2288
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\09XU2J0F\microsoft.windows[1].xml
MD521c43abf4f002c318ff62d8e65bb34e7
SHA150f7b5932addf88e0d665dc4c28d593e8f705638
SHA25664007b1d2906a4c89f6e79b47f6fef8d24403138297de78576c092421c39f1d0
SHA5122778e8a627e02c595c14384f6cb277b84b47525bc4428505b9411960c9a5eff29c57125bcf471eff48b0db35d06bfc49b3ddd9b36bbc6e6220bc5f6381e50be9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal
MD5d52e02027f2548fc6875057168908233
SHA171ecc5fef6429258fe038a1e04180be1ff452491
SHA256cb7b0ffcffb8066b709d75c7c6e9d28df78a4c76c82807ebe6c4fd7d596fae78
SHA5124e682bd2845599e6426cb6ae64c79a3f326c15447fe1c8b6109568032543a443ad9922819a4cbddac2b388322089660edb3a6e9dfd884accee26517601437345