blackmatter | b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a

Resubmissions

15-09-2021 14:22

210915-rp15zsdghq 10

Analysis

max time kernel
84s
max time network
139s
platform
windows10_x64
resource
win10-de
submitted
15-09-2021 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Size

80KB
MD5

cdece7491402c7cb06964ffc680d791a
SHA1

8c5427baa48d840bc7508eeaa7c091d368a68e0a
SHA256

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a
SHA512

5ff6eb1f81bb309aede35a9aef26ea587b6c2e49bea66f6e91bf1dbc02cc978869a1bfd376b524522cc8bf99f48ee7f62db9322212342bc4d7af40984290e501

Score

10^/10

blackmatter persistence ransomware

Malware Config

Extracted

Path

C:\fViGXl6GW.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen some amount of data automatically (reach us to get the amount). If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/9YDGH04DC6ZS7RP0085Q >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/9YDGH04DC6ZS7RP0085Q

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

OneDriveSetup.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4548 created 4296 4548 svchost.exe OneDriveSetup.exe
Executes dropped EXE 1 IoCs

Processes:

FileSyncConfig.exe

pid process

4796 FileSyncConfig.exe

description	pid	process	target process
PID 4548 created 4296	4548	svchost.exe	OneDriveSetup.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\WatchRepair.tiff.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File renamed	C:\Users\Admin\Pictures\ConfirmUnpublish.raw => C:\Users\Admin\Pictures\ConfirmUnpublish.raw.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmUnpublish.raw.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File renamed	C:\Users\Admin\Pictures\RenameCompare.tif => C:\Users\Admin\Pictures\RenameCompare.tif.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File opened for modification	C:\Users\Admin\Pictures\RenameCompare.tif.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRepair.tiff	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File renamed	C:\Users\Admin\Pictures\WatchRepair.tiff => C:\Users\Admin\Pictures\WatchRepair.tiff.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Loads dropped DLL 9 IoCs

Processes:

FileSyncConfig.exe

pid	process
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

description ioc process

File opened (read-only) \??\Z: b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

description	ioc	process
File opened (read-only)	\??\Z:	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fViGXl6GW.bmp"	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fViGXl6GW.bmp"	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

pid	process
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\WallpaperStyle = "10"	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDriveSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeFileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\FileSyncShell.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ = "IGetLibrariesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\VersionIndependentProgID\ = "NucleusNativeMessaging.NucleusNativeMessaging"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.FileSyncClient.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{A7126D4C-F492-4EB9-8A2A-F673DBDD3334}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ = "IIsMappingValidCallback"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\TypeLib\ = "{F904F88C-E60D-4327-9FA2-865AD075B400}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CURVER	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exeOneDriveSetup.exeOneDriveSetup.exe

pid	process
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
4296	OneDriveSetup.exe
4296	OneDriveSetup.exe
4296	OneDriveSetup.exe
4296	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exevssvc.exeOneDriveSetup.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeDebugPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: 36	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeImpersonatePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeIncBasePriorityPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeIncreaseQuotaPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: 33	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeManageVolumePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeProfSingleProcessPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeRestorePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeSecurityPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeSystemProfilePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeTakeOwnershipPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeShutdownPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeBackupPrivilege	4036	vssvc.exe
Token: SeRestorePrivilege	4036	vssvc.exe
Token: SeAuditPrivilege	4036	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4296	OneDriveSetup.exe
Token: SeTcbPrivilege	4548	svchost.exe
Token: SeTcbPrivilege	4548	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

svchost.exeOneDriveSetup.exe

description	pid	process	target process
PID 4548 wrote to memory of 4576	4548	svchost.exe	OneDriveSetup.exe
PID 4548 wrote to memory of 4576	4548	svchost.exe	OneDriveSetup.exe
PID 4548 wrote to memory of 4576	4548	svchost.exe	OneDriveSetup.exe
PID 4576 wrote to memory of 4796	4576	OneDriveSetup.exe	FileSyncConfig.exe
PID 4576 wrote to memory of 4796	4576	OneDriveSetup.exe	FileSyncConfig.exe
PID 4576 wrote to memory of 4796	4576	OneDriveSetup.exe	FileSyncConfig.exe

C:\Users\Admin\AppData\Local\Temp\b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
"C:\Users\Admin\AppData\Local\Temp\b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
2⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
MD5
482f6e8cdb127285f003a1e735a3791e

SHA1
24205c984f66bf5701e123f6b189699551553936

SHA256
a2e7f10da89bb038118a08699a32fe59861304ecd206d2d0f60f966514172559

SHA512
20e95b9e19d116239720261af25c66ffa9ae4eb1483af689e374f505d2e1af811bbb28f04f2bdd126f43180cb312375797ec0c193ce5d52cc3757d5a197daf5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.DLL
MD5
f5fe453d483dca5a85fdd74bbbb7cffa

SHA1
c7cd1089b520a7a21bdbe84a311b86f4c395a550

SHA256
5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

SHA512
6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\MSVCP140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\Telemetry.dll
MD5
7bfedf5e7dda62c9014fb4b07f8d7814

SHA1
b3bb93818b1c482cff1e965599678ae91fb5ffa9

SHA256
a6c2d9050758272d0b43a68f3e50925c65b11353776ec7b8a52a4095c9ba6b39

SHA512
de4a7596e4031e2cd91c4484ae3eba873ac96cc96ed54221d2d766010407d83211cd00ad49afb7a4cee1eafc4a3fc46ed0d92c2e30c32e0fe76ae9212e213a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\UpdateRingSettings.dll
MD5
5888321cc9a6abd980e76b8e359f5cc2

SHA1
8b0cf82d39f5c45d710f962bd305fe3aa89c30cd

SHA256
0be7e06ff418080feb0cda6d063ac3389028e7c539c88d7a2a5a4706c56f4d7c

SHA512
3e56b88f09eaf86b4e05746a1f228be472bd0f6e30b2a66f4319783d03dd21f0ece1d8eef9ca89018cc38117fa27cc6f01e1bebe1450b857205a998542a5390c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\VCRUNTIME140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
MD5
302bd09702c88a86ccfaa8c16fe4aec4

SHA1
b4a10c2f2646f56f988fe861b1f9381886e0da89

SHA256
4539e9dd0c3ee0248f882e9a1d1924fb2a8d7f5c43133b796714a936274600e8

SHA512
758e00ceb1459a35612f4c546bc0fc78c28fafd7ca37bc647342d6c538b85c9caeb51eb0a348d9960b61f769cd6927f2a049d28e120daf54e1b48800e62eab59

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\LoggingPlatform.dll
MD5
f5fe453d483dca5a85fdd74bbbb7cffa

SHA1
c7cd1089b520a7a21bdbe84a311b86f4c395a550

SHA256
5cbe72a49f2f4a821768e978a7c1426f46d1f73d2bb07325e85b20ada8eb514a

SHA512
6e4490d3b09ad3289892eb63f0c2978347095aed0ee282bfe69c5e599735db8a0494c9d0d25e14a2f09ab0c25c2ea75d91e5753c5b9a77ef1d7e647600a77a71

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\Telemetry.dll
MD5
7bfedf5e7dda62c9014fb4b07f8d7814

SHA1
b3bb93818b1c482cff1e965599678ae91fb5ffa9

SHA256
a6c2d9050758272d0b43a68f3e50925c65b11353776ec7b8a52a4095c9ba6b39

SHA512
de4a7596e4031e2cd91c4484ae3eba873ac96cc96ed54221d2d766010407d83211cd00ad49afb7a4cee1eafc4a3fc46ed0d92c2e30c32e0fe76ae9212e213a9a

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\UpdateRingSettings.dll
MD5
5888321cc9a6abd980e76b8e359f5cc2

SHA1
8b0cf82d39f5c45d710f962bd305fe3aa89c30cd

SHA256
0be7e06ff418080feb0cda6d063ac3389028e7c539c88d7a2a5a4706c56f4d7c

SHA512
3e56b88f09eaf86b4e05746a1f228be472bd0f6e30b2a66f4319783d03dd21f0ece1d8eef9ca89018cc38117fa27cc6f01e1bebe1450b857205a998542a5390c

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\msvcp140.dll
MD5
0c6f22feabe8f0fe0f4fca7406e19e48

SHA1
c1ff9723bb6c25d27704086521767822b2eb3450

SHA256
2895cd42592984d436de580e4ffe64dceaa7fde7c1a1579351d76c6c886432cb

SHA512
d58a7ea83e8675ed9d0736760c756642869f4c6c4343432b36605ab1711d65e60a01520f3daafb0023d9add6e7b87887e8f8dc28fc258fbfdc3b1ebfe6a9cedb

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\vcruntime140.dll
MD5
b33654014faaa8eec2d2985d45fd0792

SHA1
b43ce9aa087b18928c1d251205f8cbddda960530

SHA256
2cb10ea301da2f6484cf9dbac28d334b10a0bc57df2ad92660bbd01f3c43b268

SHA512
66f1df58db0a1faf6bf1e5bf22c1521042f52b38b1cdb4868db9925e800c55a47b23e5d25da9ffad741a3ae8c5678861c3b35c10aa61a2c3858338f841b42702

Download Submit
memory/3976-115-0x00000000011A3000-0x00000000011A5000-memory.dmp

Filesize
8KB

Download
memory/3976-116-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4576-117-0x0000000000000000-mapping.dmp

Download
memory/4796-119-0x0000000000000000-mapping.dmp

Download