Overview

Task scores:
Static: score 10
svchost.bin.exe (windows7_x64): score 3
svchost.bin.exe (windows7_x64): score 10
svchost.bin.exe (windows7_x64): score 10
svchost.bin.exe (windows7_x64): score 10
svchost.bin.exe (windows11_x64): score 10
svchost.bin.exe (windows10_x64): score 10
svchost.bin.exe (windows10_x64): score 9
svchost.bin.exe (windows10_x64): selected task (see Analysis below)
svchost.bin.exe (windows10_x64): score 10
svchost.bin.exe (windows10_x64): score 10

Analysis (score 10)

max time kernel: 1755s
max time network: 1830s
platform: windows10_x64
resource: win10-fr
submitted: 04-09-2021 07:35
Tasks

Static task: static1
Behavioral task: behavioral1 | Sample: svchost.bin.exe | Resource: win7-jp
Behavioral task: behavioral2 | Sample: svchost.bin.exe | Resource: win7-fr
Behavioral task: behavioral3 | Sample: svchost.bin.exe | Resource: win7-en
Behavioral task: behavioral4 | Sample: svchost.bin.exe | Resource: win7-de
Behavioral task: behavioral5 | Sample: svchost.bin.exe | Resource: win11
Behavioral task: behavioral6 | Sample: svchost.bin.exe | Resource: win10-en
Behavioral task: behavioral7 | Sample: svchost.bin.exe | Resource: win10-jp
Behavioral task: behavioral8 | Sample: svchost.bin.exe | Resource: win10-fr
Behavioral task: behavioral9 | Sample: svchost.bin.exe | Resource: win10-en
Behavioral task: behavioral10 | Sample: svchost.bin.exe | Resource: win10-de
General

Target: svchost.bin.exe
Size: 6.6MB
MD5: 2787bb2d1ab223f8ac2692f3a8fd85fc
SHA1: dc34ee4e46ddea333cdc90e4aad7589cb8ee1ea0
SHA256: 952e3e059251cd41e3c67006c5aa4b75fe3e6b0f18d96554b2d60d4ccfb78cb4
SHA512: d79bd7599ccb09fa72b939a506d04e28cb958e59c3987ab4d375e76337d5b1e33369d59397338aaeaf938c14ec9d93b20501d5224d151631c69c874d0657e9f3
Malware Config
Signatures
Modifies system executable filetype association 2 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | OneDriveSetup.exe

Registers COM server for autorun 1 TTPs

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2568 created 692 | 2568 | svchost.exe | 97

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Executes dropped EXE 1 IoCs
pid | Process
5072 | FileSyncConfig.exe

Loads dropped DLL 34 IoCs
pid | Process (distinct pid/process pairs; the report lists 34 entries)
4120 | svchost.bin.exe
5072 | FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" | OneDriveSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" | OneDriveSetup.exe

Drops file in System32 directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db | OfficeC2RClient.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal | OfficeC2RClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3860 | 2340 | WerFault.exe | 90

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
pid | Process
888 | netstat.exe
2116 | ipconfig.exe
896 | ipconfig.exe

Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | OneDriveSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | OneDriveSetup.exe
Modifies data under HKEY_USERS 46 IoCs
Modifies registry class 64 IoCs
Runs net.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs
pid | Process (distinct pid/process pairs; the report lists 49 entries)
2340 | powershell.exe
3860 | WerFault.exe
692 | OneDriveSetup.exe
2760 | OneDriveSetup.exe
4120 | svchost.bin.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process (distinct entries; the report lists 48, the WMIC.exe set appears twice)
Token: SeIncreaseQuotaPrivilege | 584 | WMIC.exe
Token: SeSecurityPrivilege | 584 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 584 | WMIC.exe
Token: SeLoadDriverPrivilege | 584 | WMIC.exe
Token: SeSystemProfilePrivilege | 584 | WMIC.exe
Token: SeSystemtimePrivilege | 584 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 584 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 584 | WMIC.exe
Token: SeCreatePagefilePrivilege | 584 | WMIC.exe
Token: SeBackupPrivilege | 584 | WMIC.exe
Token: SeRestorePrivilege | 584 | WMIC.exe
Token: SeShutdownPrivilege | 584 | WMIC.exe
Token: SeDebugPrivilege | 584 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 584 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 584 | WMIC.exe
Token: SeUndockPrivilege | 584 | WMIC.exe
Token: SeManageVolumePrivilege | 584 | WMIC.exe
Token: 33 | 584 | WMIC.exe
Token: 34 | 584 | WMIC.exe
Token: 35 | 584 | WMIC.exe
Token: 36 | 584 | WMIC.exe
Token: SeDebugPrivilege | 2340 | powershell.exe
Token: SeDebugPrivilege | 3860 | WerFault.exe
Token: SeIncreaseQuotaPrivilege | 692 | OneDriveSetup.exe
Token: SeTcbPrivilege | 2568 | svchost.exe
Token: SeDebugPrivilege | 888 | netstat.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3868 | OfficeC2RClient.exe
3860 | OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target (distinct entries; the report repeats most of them three times)
PID 5052 wrote to memory of 4120 | 5052 | svchost.bin.exe | 78
PID 4120 wrote to memory of 500 | 4120 | svchost.bin.exe | 82
PID 500 wrote to memory of 584 | 500 | cmd.exe | 83
PID 4120 wrote to memory of 1308 | 4120 | svchost.bin.exe | 84
PID 1308 wrote to memory of 1480 | 1308 | cmd.exe | 85
PID 1480 wrote to memory of 1556 | 1480 | net.exe | 86
PID 4120 wrote to memory of 1748 | 4120 | svchost.bin.exe | 87
PID 1748 wrote to memory of 1848 | 1748 | cmd.exe | 88
PID 1848 wrote to memory of 1932 | 1848 | net.exe | 89
PID 4120 wrote to memory of 2340 | 4120 | svchost.bin.exe | 90
PID 2568 wrote to memory of 2760 | 2568 | svchost.exe | 100
PID 2760 wrote to memory of 5072 | 2760 | OneDriveSetup.exe | 103
PID 4120 wrote to memory of 2176 | 4120 | svchost.bin.exe | 107
PID 2176 wrote to memory of 2116 | 2176 | cmd.exe | 108
PID 4120 wrote to memory of 896 | 4120 | svchost.bin.exe | 109
PID 4120 wrote to memory of 888 | 4120 | svchost.bin.exe | 110
Processes

C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe (PID 5052)
  command line: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe (PID 4120)
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 500)
      command line: cmd /c wmic ntdomain get domainname
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 584)
        command line: wmic ntdomain get domainname
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 1308)
      command line: cmd /c net localgroup administrators
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 1480)
        command line: net localgroup administrators
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1556)
          command line: C:\Windows\system32\net1 localgroup administrators

    C:\Windows\SysWOW64\cmd.exe (PID 1748)
      command line: cmd /c net group "domain admins" /domain
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 1848)
        command line: net group "domain admins" /domain
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1932)
          command line: C:\Windows\system32\net1 group "domain admins" /domain

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2340)
      command line: C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\WerFault.exe (PID 3860)
        command line: C:\Windows\system32\WerFault.exe -u -p 2340 -s 1916
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 2176)
      command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\ipconfig.exe (PID 2116)
        command line: ipconfig /all
        - Gathers network information

    C:\Windows\SysWOW64\ipconfig.exe (PID 896)
      command line: ipconfig /all
      - Gathers network information

    C:\Windows\SysWOW64\netstat.exe (PID 888)
      command line: netstat -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe (PID 692)
  command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe (PID 2760)
    command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe (PID 5072)
      command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class

\??\c:\windows\system32\svchost.exe (PID 2568)
  command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe (PID 4904)
  command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe (PID 3868)
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe (PID 3860)
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx