rustybuer | e81ccda9157a84d16d15cef0418c8ffc0839cea2cfd669bccf08198d5929ff25

Analysis

max time kernel
136s
max time network
137s
platform
windows10_x64
resource
win10-jp
submitted
10-09-2021 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26944aed6dfc2c25f96bbca49925fcaf.exe
Size

3.9MB
MD5

26944aed6dfc2c25f96bbca49925fcaf
SHA1

b2b7a7a659abf7fd2c5596c119478363e0b7f360
SHA256

64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7
SHA512

ea0a599107acfbca4cc20987d003bd27a3168adea1df56378d4b6a934d1429d543bec91a7216c485ec0167b1d34ed510299e030944c4b8f6c3922b4699a4eabf

Score

10^/10

rustybuer loader persistence

Malware Config

Extracted

Family

rustybuer

https://awmelisers.com/

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
RustyBuer
RustyBuer is a new variant of Buer loader written in Rust.
loader rustybuer

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1512 created 4596	1512	svchost.exe	85

Executes dropped EXE 1 IoCs

pid	Process
4424	FileSyncConfig.exe

Loads dropped DLL 6 IoCs

pid	Process
4424	FileSyncConfig.exe
4424	FileSyncConfig.exe
4424	FileSyncConfig.exe
4424	FileSyncConfig.exe
4424	FileSyncConfig.exe
4424	FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	secinit.exe
File opened (read-only)	\??\j:	secinit.exe
File opened (read-only)	\??\r:	secinit.exe
File opened (read-only)	\??\V:	secinit.exe
File opened (read-only)	\??\k:	secinit.exe
File opened (read-only)	\??\K:	secinit.exe
File opened (read-only)	\??\N:	secinit.exe
File opened (read-only)	\??\v:	secinit.exe
File opened (read-only)	\??\w:	secinit.exe
File opened (read-only)	\??\x:	secinit.exe
File opened (read-only)	\??\W:	secinit.exe
File opened (read-only)	\??\Y:	secinit.exe
File opened (read-only)	\??\A:	secinit.exe
File opened (read-only)	\??\E:	secinit.exe
File opened (read-only)	\??\h:	secinit.exe
File opened (read-only)	\??\J:	secinit.exe
File opened (read-only)	\??\m:	secinit.exe
File opened (read-only)	\??\T:	secinit.exe
File opened (read-only)	\??\a:	secinit.exe
File opened (read-only)	\??\G:	secinit.exe
File opened (read-only)	\??\q:	secinit.exe
File opened (read-only)	\??\Q:	secinit.exe
File opened (read-only)	\??\s:	secinit.exe
File opened (read-only)	\??\u:	secinit.exe
File opened (read-only)	\??\F:	secinit.exe
File opened (read-only)	\??\I:	secinit.exe
File opened (read-only)	\??\L:	secinit.exe
File opened (read-only)	\??\M:	secinit.exe
File opened (read-only)	\??\S:	secinit.exe
File opened (read-only)	\??\f:	secinit.exe
File opened (read-only)	\??\R:	secinit.exe
File opened (read-only)	\??\X:	secinit.exe
File opened (read-only)	\??\y:	secinit.exe
File opened (read-only)	\??\D:	secinit.exe
File opened (read-only)	\??\O:	secinit.exe
File opened (read-only)	\??\p:	secinit.exe
File opened (read-only)	\??\P:	secinit.exe
File opened (read-only)	\??\t:	secinit.exe
File opened (read-only)	\??\U:	secinit.exe
File opened (read-only)	\??\z:	secinit.exe
File opened (read-only)	\??\n:	secinit.exe
File opened (read-only)	\??\o:	secinit.exe
File opened (read-only)	\??\b:	secinit.exe
File opened (read-only)	\??\B:	secinit.exe
File opened (read-only)	\??\e:	secinit.exe
File opened (read-only)	\??\g:	secinit.exe
File opened (read-only)	\??\H:	secinit.exe
File opened (read-only)	\??\l:	secinit.exe
File opened (read-only)	\??\Z:	secinit.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\ = "INucleusNativeMessaging"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ = "FileSyncClient Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.FileSyncClient\CurVer	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.150.0725.0001\\FileCoAuthLib.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\odopen\DefaultIcon	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ = "IMapLibraryCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\NucleusToastActivator.NucleusToastActivator.1\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.150.0725.0001\\FileCoAuth.exe\""	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.150.0725.0001\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.150.0725.0001"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\WIN32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\msnucleus\shell\open\command	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4596	OneDriveSetup.exe
4596	OneDriveSetup.exe
4596	OneDriveSetup.exe
4596	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1812	OneDriveSetup.exe
1296	secinit.exe
1296	secinit.exe
1296	secinit.exe
1296	secinit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4596	OneDriveSetup.exe
Token: SeTcbPrivilege	1512	svchost.exe
Token: SeTcbPrivilege	1512	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1812	1512	svchost.exe	90
PID 1512 wrote to memory of 1812	1512	svchost.exe	90
PID 1512 wrote to memory of 1812	1512	svchost.exe	90
PID 1812 wrote to memory of 4424	1812	OneDriveSetup.exe	92
PID 1812 wrote to memory of 4424	1812	OneDriveSetup.exe	92
PID 1812 wrote to memory of 4424	1812	OneDriveSetup.exe	92
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95
PID 5012 wrote to memory of 1296	5012	26944aed6dfc2c25f96bbca49925fcaf.exe	95

C:\Users\Admin\AppData\Local\Temp\26944aed6dfc2c25f96bbca49925fcaf.exe
"C:\Users\Admin\AppData\Local\Temp\26944aed6dfc2c25f96bbca49925fcaf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\secinit.exe
  "C:\Windows\System32\secinit.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4424

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:4284

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-129-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1296-134-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/5012-133-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download