Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10_x64
- resource: win10-de-20210920
- submitted: 05-10-2021 11:35
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win7-ja-20210920, platform windows7_x64)
- Behavioral task: behavioral2 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win7v20210408, platform windows7_x64)
- Behavioral task: behavioral3 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win7-de-20210920, platform windows7_x64)
- Behavioral task: behavioral4 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win11, platform windows11_x64)
- Behavioral task: behavioral5 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win10v20210408, platform windows10_x64)
- Behavioral task: behavioral6 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win10-ja-20210920, platform windows10_x64)
- Behavioral task: behavioral7 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win10-en-20210920, platform windows10_x64)
- Behavioral task: behavioral8 (sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, resource win10-de-20210920, platform windows10_x64)
General
- Target: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Size: 1.6MB
- MD5: 520d488564da102f5482fcfdcdbd266a
- SHA1: 45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0
- SHA256: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7
- SHA512: e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906
Malware Config
Extracted from C:\readme.txt
- Family: conti
- URL: http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- URL: https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Registers COM server for autorun (1 TTPs)
- Modifies extensions of user files (16 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\UnblockAssert.tiff | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\WatchSubmit.crw => C:\Users\Admin\Pictures\WatchSubmit.crw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\DisconnectCheckpoint.png => C:\Users\Admin\Pictures\DisconnectCheckpoint.png.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Users\Admin\Pictures\EnableDisconnect.tiff | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\SwitchComplete.crw => C:\Users\Admin\Pictures\SwitchComplete.crw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\SendInitialize.png => C:\Users\Admin\Pictures\SendInitialize.png.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\EnableDisconnect.tiff => C:\Users\Admin\Pictures\EnableDisconnect.tiff.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\PublishUnlock.tif => C:\Users\Admin\Pictures\PublishUnlock.tif.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\RenameRestart.tif => C:\Users\Admin\Pictures\RenameRestart.tif.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\WriteExit.raw => C:\Users\Admin\Pictures\WriteExit.raw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Users\Admin\Pictures\ConvertFromMount.tiff | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\ConvertFromMount.tiff => C:\Users\Admin\Pictures\ConvertFromMount.tiff.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\SplitStep.crw => C:\Users\Admin\Pictures\SplitStep.crw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\ConfirmBackup.crw => C:\Users\Admin\Pictures\ConfirmBackup.crw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\ResumeGroup.crw => C:\Users\Admin\Pictures\ResumeGroup.crw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File renamed | C:\Users\Admin\Pictures\UnblockAssert.tiff => C:\Users\Admin\Pictures\UnblockAssert.tiff.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Drops startup file (1 IoCs)
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\preloaded_data.pb | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_opencarat_18.svg | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\lt-LT\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.stats.json | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\et\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\plugin.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Modifies registry class (44 IoCs)
  Processes: FileSyncConfig.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" | FileSyncConfig.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag | FileSyncConfig.exe
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER | FileSyncConfig.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER | FileSyncConfig.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | FileSyncConfig.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  pid | process
  3428 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  3428 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeBackupPrivilege | 1392 | vssvc.exe
  Token: SeRestorePrivilege | 1392 | vssvc.exe
  Token: SeAuditPrivilege | 1392 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 1368 | WMIC.exe
  Token: SeSecurityPrivilege | 1368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1368 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1368 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1368 | WMIC.exe
  Token: SeSystemtimePrivilege | 1368 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1368 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1368 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1368 | WMIC.exe
  Token: SeBackupPrivilege | 1368 | WMIC.exe
  Token: SeRestorePrivilege | 1368 | WMIC.exe
  Token: SeShutdownPrivilege | 1368 | WMIC.exe
  Token: SeDebugPrivilege | 1368 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1368 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1368 | WMIC.exe
  Token: SeUndockPrivilege | 1368 | WMIC.exe
  Token: SeManageVolumePrivilege | 1368 | WMIC.exe
  Token: 33 | 1368 | WMIC.exe
  Token: 34 | 1368 | WMIC.exe
  Token: 35 | 1368 | WMIC.exe
  Token: 36 | 1368 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1368 | WMIC.exe
  Token: SeSecurityPrivilege | 1368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1368 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1368 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1368 | WMIC.exe
  Token: SeSystemtimePrivilege | 1368 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1368 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1368 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1368 | WMIC.exe
  Token: SeBackupPrivilege | 1368 | WMIC.exe
  Token: SeRestorePrivilege | 1368 | WMIC.exe
  Token: SeShutdownPrivilege | 1368 | WMIC.exe
  Token: SeDebugPrivilege | 1368 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1368 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1368 | WMIC.exe
  Token: SeUndockPrivilege | 1368 | WMIC.exe
  Token: SeManageVolumePrivilege | 1368 | WMIC.exe
  Token: 33 | 1368 | WMIC.exe
  Token: 34 | 1368 | WMIC.exe
  Token: 35 | 1368 | WMIC.exe
  Token: 36 | 1368 | WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, cmd.exe
  description | pid | process | target process
  PID 3428 wrote to memory of 2892 | 3428 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe | cmd.exe
  PID 3428 wrote to memory of 2892 | 3428 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe | cmd.exe
  PID 2892 wrote to memory of 1368 | 2892 | cmd.exe | WMIC.exe
  PID 2892 wrote to memory of 1368 | 2892 | cmd.exe | WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
  - Modifies registry class