Analysis
- Max time kernel: 149s
- Max time network: 142s
- Platform: windows10_x64
- Resource: win10-ja-20210920
- Submitted: 05-10-2021 11:35
Static task
- static1

Behavioral tasks (sample for all eight: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe)
- behavioral1: resource win7-ja-20210920
- behavioral2: resource win7v20210408
- behavioral3: resource win7-de-20210920
- behavioral4: resource win11
- behavioral5: resource win10v20210408
- behavioral6: resource win10-ja-20210920
- behavioral7: resource win10-en-20210920
- behavioral8: resource win10-de-20210920
General
- Target: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Size: 1.6MB
- MD5: 520d488564da102f5482fcfdcdbd266a
- SHA1: 45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0
- SHA256: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7
- SHA512: e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Registers COM server for autorun (1 TTPs)
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
    File renamed: C:\Users\Admin\Pictures\RevokeTrace.raw => C:\Users\Admin\Pictures\RevokeTrace.raw.LCODG
    File renamed: C:\Users\Admin\Pictures\SendBackup.crw => C:\Users\Admin\Pictures\SendBackup.crw.LCODG
    File opened for modification: C:\Users\Admin\Pictures\ShowGet.tiff
    File renamed: C:\Users\Admin\Pictures\ShowGet.tiff => C:\Users\Admin\Pictures\ShowGet.tiff.LCODG
    File renamed: C:\Users\Admin\Pictures\PingConvert.raw => C:\Users\Admin\Pictures\PingConvert.raw.LCODG
    File renamed: C:\Users\Admin\Pictures\RenameInvoke.png => C:\Users\Admin\Pictures\RenameInvoke.png.LCODG
- Drops startup file (1 IoCs)
  Process: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Process: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Modifies registry class (44 IoCs)
  Process: FileSyncConfig.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
    pid 3172: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
    pid 3172: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, cmd.exe
    PID 3172 (e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe) wrote to memory of 1600 (cmd.exe)
    PID 3172 (e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe) wrote to memory of 1600 (cmd.exe)
    PID 1600 (cmd.exe) wrote to memory of 4220 (WMIC.exe)
    PID 1600 (cmd.exe) wrote to memory of 4220 (WMIC.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
  - Modifies registry class