blackmatter | b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a

Resubmissions

15-09-2021 14:22

210915-rp15zsdghq 10

Analysis

max time kernel
84s
max time network
139s
platform
windows10_x64
resource
win10-de
submitted
15-09-2021 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Size

80KB
MD5

cdece7491402c7cb06964ffc680d791a
SHA1

8c5427baa48d840bc7508eeaa7c091d368a68e0a
SHA256

b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a
SHA512

5ff6eb1f81bb309aede35a9aef26ea587b6c2e49bea66f6e91bf1dbc02cc978869a1bfd376b524522cc8bf99f48ee7f62db9322212342bc4d7af40984290e501

Score

10^/10

blackmatter persistence ransomware

Malware Config

Extracted

Path

C:\fViGXl6GW.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen some amount of data automatically (reach us to get the amount). If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/9YDGH04DC6ZS7RP0085Q >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/9YDGH04DC6ZS7RP0085Q

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4548 created 4296	4548	svchost.exe	80

Executes dropped EXE 1 IoCs

pid	Process
4796	FileSyncConfig.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\WatchRepair.tiff.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File renamed	C:\Users\Admin\Pictures\ConfirmUnpublish.raw => C:\Users\Admin\Pictures\ConfirmUnpublish.raw.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmUnpublish.raw.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File renamed	C:\Users\Admin\Pictures\RenameCompare.tif => C:\Users\Admin\Pictures\RenameCompare.tif.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File opened for modification	C:\Users\Admin\Pictures\RenameCompare.tif.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRepair.tiff	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
File renamed	C:\Users\Admin\Pictures\WatchRepair.tiff => C:\Users\Admin\Pictures\WatchRepair.tiff.fViGXl6GW	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Loads dropped DLL 9 IoCs

pid	Process
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe
4796	FileSyncConfig.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fViGXl6GW.bmp"	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fViGXl6GW.bmp"	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\WallpaperStyle = "10"	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ = "IFileSyncClient10"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\FileSyncShell.dll"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ = "IGetLibrariesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\VersionIndependentProgID\ = "NucleusNativeMessaging.NucleusNativeMessaging"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.FileSyncClient.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{A7126D4C-F492-4EB9-8A2A-F673DBDD3334}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ = "IIsMappingValidCallback"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\TypeLib\ = "{F904F88C-E60D-4327-9FA2-865AD075B400}"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\ProgID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\WOW6432NODE\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.160.0808.0002\\FileSyncShell.dll"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CURVER	OneDriveSetup.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
4296	OneDriveSetup.exe
4296	OneDriveSetup.exe
4296	OneDriveSetup.exe
4296	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe
4576	OneDriveSetup.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeBackupPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeDebugPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: 36	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeImpersonatePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeIncBasePriorityPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeIncreaseQuotaPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: 33	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeManageVolumePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeProfSingleProcessPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeRestorePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeSecurityPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeSystemProfilePrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeTakeOwnershipPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeShutdownPrivilege	3976	b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
Token: SeBackupPrivilege	4036	vssvc.exe
Token: SeRestorePrivilege	4036	vssvc.exe
Token: SeAuditPrivilege	4036	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4296	OneDriveSetup.exe
Token: SeTcbPrivilege	4548	svchost.exe
Token: SeTcbPrivilege	4548	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4576	4548	svchost.exe	84
PID 4548 wrote to memory of 4576	4548	svchost.exe	84
PID 4548 wrote to memory of 4576	4548	svchost.exe	84
PID 4576 wrote to memory of 4796	4576	OneDriveSetup.exe	87
PID 4576 wrote to memory of 4796	4576	OneDriveSetup.exe	87
PID 4576 wrote to memory of 4796	4576	OneDriveSetup.exe	87

C:\Users\Admin\AppData\Local\Temp\b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe
"C:\Users\Admin\AppData\Local\Temp\b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:4796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3976-115-0x00000000011A3000-0x00000000011A5000-memory.dmp

Filesize
8KB

Download
memory/3976-116-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download