de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4

General

Target

OpenSea-App_v2.1-setup.exe
Size

116.4MB
MD5

b188206887e0f25a50c50e1955413442
SHA1

3f4fcd1debd12586f712d694218339a7fd40c50b
SHA256

de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4
SHA512

94391442364c2e6a16a2fd0bd2384d0f21a56cd5a67faa7998511ebb55feb3e5a7915c603c2caaa8da79f8bdfc1490eb2a8f559546193977b239a2d133bf3624

Score

10^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 3 IoCs

Processes:

OpenSea-App_v2.1-setup.tmpOpenSea-App_v2.1-setup.tmpuniconverter.exe

pid process

1904 OpenSea-App_v2.1-setup.tmp
3548 OpenSea-App_v2.1-setup.tmp
2640 uniconverter.exe
Loads dropped DLL 1 IoCs

Processes:

uniconverter.exe

pid process

2640 uniconverter.exe

pid	process
1904	OpenSea-App_v2.1-setup.tmp
3548	OpenSea-App_v2.1-setup.tmp
2640	uniconverter.exe

pid	process
2640	uniconverter.exe

Drops file in System32 directory 4 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

uniconverter.exe

pid process

2640 uniconverter.exe
2640 uniconverter.exe
2640 uniconverter.exe
2640 uniconverter.exe
2640 uniconverter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

388 timeout.exe

pid	process
2640	uniconverter.exe
2640	uniconverter.exe
2640	uniconverter.exe
2640	uniconverter.exe
2640	uniconverter.exe

pid	process
388	timeout.exe

Modifies data under HKEY_USERS 30 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUTtlZ6S5DAUSlRrmXzKeUMjH15hsOZgAAEBhMu5c9QZ3hQMQ781VDeBPgADjTsVJeSSb9Vjw4QtYAjFCA1Nuo7J+RY4z8PDqOq9lxEgCvEJ1cbb2i5lrVNAerSbI83MGs/txwDDzrfCGyxNV0ftj7JOIQE4DbUBONEundTSNHry7vq254usJeugDw6/OXg3aCcklHj/qcZeLIa8tkRrWZbkn2/+4Md//I1AXjURrZPY81olqZ+afjsE/fh5asTuNYAab9Zg5cTT6GWSa5rzAywiYnwVbi2+kvnr6vWsu354lEfzgEjkHNo3vJhG+H0sGkK8xqycn3xE0h/ukpN5jp9dkt8vEXC39CJck1GwE=&p="	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018C00372A10EBC"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00372A10EBC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000635dc147c9921f41a7655578079672e0000000000200000000001066000000010000200000007ff1c787223032a2006156df367edc0cd1aadfd4d37f08140a3be0c4ce40c8cc000000000e800000000200002000000070d33686b3412d2715b6be60b780583d5444c1d64c46637ecee2b310a0d2c15c80000000691d808b61cd300b51ad2271c51d40d60d5cece9a43b09e297d34c072e7d110c4aa0ec9ea6a3235c01b82360a5b6be98b951951f3fd19754e2c14ad1e5415321be5e3b5e8bcf7849d60398475f3db86a88370becf7be3660bffbaf9a5da0f5b1032ec505fa5dceb0a869cc8f9954707d12f7463b18b5ae6d9e01d5003ad1fdb0400000003ca765358e3faa77657f1001ed999327600a41a0264a183108874f42782186982b37677ab6999a9fe853b300f6ca0f7843af0d496d7f09be33cb6401e6c2a29d	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeC2RClient.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000635dc147c9921f41a7655578079672e000000000020000000000106600000001000020000000b3e74fd433422b6d0a142eb669a4dddd3df4fd3cc9d66c45517c1c3b659be235000000000e8000000002000020000000c7a31c2b75a9b6e5b214f986794141fd4a9112476c4d15ad206a564d8da90fc9f0030000de4ae5c4677dcea4e571e2b04b98738613e837ff8fb5398ba8c2c54b7f5092ef896c317ea374702e170cc241ca6b48a06e20081448b1a373d55c10f8320bdb3d08b0bddc685554d8bb745cbb1c0e5711de8c346e39bee07d064e034173c7f9bc7d7c97b24445d9bcbf477394ab7f43bff91e4666f0ab203d550a45b5f59a9d973783d4970ab5a811e691a4416d0673be0d71e6ee707f5600bd6c1a14cb6012252e7ec7424092d76e5d20bfa5840c8e12c5cb5fabdd0280e5a2bb4d5b4f62b5c0e46bfe4bdf035744ba2b824fe6b9ec5286a2b6d8333736fcfd8be760c6d9f6e05301c970267499010536417c724899cb3a6329fd8469d63accd7348d74e034e7d8590416c811dd4871f67b022bfc4679d4d72ff95db801f5452a908a17e982c917c278cbfbcc7079f7d90f2a5341fefe428f5be5daa1b8ea4bb75eb40f0d2e9ca07a8d36170aaf88445b5bb690d6ecada2c022212e4a1f8f31654d25ce39ce827d2562649f3d60f0d6530f7e5ee0c39a7dae2db7f359d83d6f477090993665cbebdcde75e1294d63ced1ae6d9b5a290adac539eb34005d28e91c61b8263ca6eb699104631c6cad0ca4037984ea757ea0a5be3c4e2db3cdba3fd49e0170034cda2a259ef57878b9de92b6b93e154daee71a2646e8cb6e4d20b0bfee75309e7059c4029ec6a7439ca256471fb6802ea7d274bb28b1f5a6101d548f38fbdb12c08ca5bf854614d4656e6f9c8059a1ba768aca7235a17e0ace1a8d8c5921f68c9b11dec686e2dec9300f751d85ec78f0ea3f84516c5dfa9c3adc49fb2b71c2aaf43792c48034728da2b426499c2a686ba511536dd9e7c3390ba4d91592e955940904caf731c4cab77c00193710afe6e601b09fc5c5ed888054c3c90e8acfce62c0f62c0906e8b3000016075f112f467530892e5bfb65d00d4315cf3f302e236292d3e9bbe435c944e1ac09dbb4eec7bdedadb60e31a8259c983f5c79dcd19c01c5f34f91bef9dc51e3a8a2a1306fb894ee34bbcb8a6edc5270b118282bf1920745367fa4b089b6b73dd0c79a97b90c281eada332cb2cb8d41a3b2c7c5618488597860831d921135fe71ddf053904af13f86174a12528a08d8e38c441b13a4cd7c496d6a8301d0fc451c7e2c4ac7c6edf1ed337c617baed4d97aad1634f52b37e000c7885f0341606e80d4c6bebd0834c07d22e3d123046c6913e6a550d9ee910ce8df35ffa108ced416dcb3f11e420012f799c00d6835a83ef706ec41017b72b99555a9cfe47417d274f55c3f1c9003f601b44ff154c1423f5254d1f374db26497e8cad593c774dd44a09ed9b6a162455fc0ea0ff7a6ebd3896b25dd9179ed3f30463966f93c60f3708033328c5a7c4e153c4f9901c1632ecabb287ad1a02fead87eb3485673d094d892ae90128a8ebd127c40000000284e6fac6ec8fa268c53fc1bb4d77a89a8876e65035222529aa5e34e7fe1818ac8d920ff701ee212c416bdf6f45b2595219293c4f08ef751600d5752e1c4cbd0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OpenSea-App_v2.1-setup.tmp

pid process

3548 OpenSea-App_v2.1-setup.tmp
3548 OpenSea-App_v2.1-setup.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uniconverter.exe

description pid process

Token: SeShutdownPrivilege 2640 uniconverter.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

OpenSea-App_v2.1-setup.tmp

pid process

3548 OpenSea-App_v2.1-setup.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

uniconverter.exeOfficeC2RClient.exe

pid process

2640 uniconverter.exe
2640 uniconverter.exe
3828 OfficeC2RClient.exe

pid	process
3548	OpenSea-App_v2.1-setup.tmp
3548	OpenSea-App_v2.1-setup.tmp

description	pid	process
Token: SeShutdownPrivilege	2640	uniconverter.exe

pid	process
3548	OpenSea-App_v2.1-setup.tmp

pid	process
2640	uniconverter.exe
2640	uniconverter.exe
3828	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

OpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpOpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpuniconverter.execmd.exe

description	pid	process	target process
PID 3564 wrote to memory of 1904	3564	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 3564 wrote to memory of 1904	3564	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 3564 wrote to memory of 1904	3564	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1904 wrote to memory of 1180	1904	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1904 wrote to memory of 1180	1904	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1904 wrote to memory of 1180	1904	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1180 wrote to memory of 3548	1180	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1180 wrote to memory of 3548	1180	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1180 wrote to memory of 3548	1180	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 3548 wrote to memory of 2640	3548	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 3548 wrote to memory of 2640	3548	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 3548 wrote to memory of 2640	3548	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 2640 wrote to memory of 3876	2640	uniconverter.exe	cmd.exe
PID 2640 wrote to memory of 3876	2640	uniconverter.exe	cmd.exe
PID 3876 wrote to memory of 388	3876	cmd.exe	timeout.exe
PID 3876 wrote to memory of 388	3876	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
"C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\is-9902S.tmp\OpenSea-App_v2.1-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9902S.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$30122,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
"C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
3⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\is-SF8B6.tmp\OpenSea-App_v2.1-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SF8B6.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$40122,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
"C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IVRd373e.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
7⤵
- Delays execution with timeout.exe
PID:388

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:1760

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IVRd373e.bat
MD5
58fdfc5b16e4bf836009305072835f8e

SHA1
ef6328465c3b907875314875d14ef3fae53911e5

SHA256
ca791b2d9b53a4b73699ae6d705218fe6bdcc0a3e3a930f160b00aca79891fd2

SHA512
b14f98b032885c78880a333705038a10de50727d24443379ca7044436073d829d6955e7b82e3fa29cf546088112f718ea7a54a4a75fa0fde694fb3f3e6b381a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9902S.tmp\OpenSea-App_v2.1-setup.tmp
MD5
1d58a53221a0e00ae086d5727f5e97a8

SHA1
425d12467917bb82dd3f67f43e0c7178b0993aa3

SHA256
3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

SHA512
8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SF8B6.tmp\OpenSea-App_v2.1-setup.tmp
MD5
1d58a53221a0e00ae086d5727f5e97a8

SHA1
425d12467917bb82dd3f67f43e0c7178b0993aa3

SHA256
3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

SHA512
8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll
MD5
791791c0e466eb0a6af462a265074c9d

SHA1
db4e66209bd211ddc0378c0f62e644eb466cde0e

SHA256
187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

SHA512
badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\men
MD5
a6448d8d59e1745612001ce13359bb30

SHA1
40715399ee65505ae77adf615cc8ea0921e44956

SHA256
2739158b312b0c2185c3481586d3e9498cf1f9440ad8144deae3ffad9a491e85

SHA512
3eb5cadf18f31c059cb3335c7a7e07eda947760d37b424c60ea296c05c57e285caed879773d9ab901eaab48e3732a58bb9acb627d26d79a7e32836cb1078acc7

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
MD5
7c874ddc2e0689786d7635aa25326b4c

SHA1
f7654000b1d39b8f88d4b98159c54e124cbb00d6

SHA256
445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

SHA512
bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
MD5
7c874ddc2e0689786d7635aa25326b4c

SHA1
f7654000b1d39b8f88d4b98159c54e124cbb00d6

SHA256
445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

SHA512
bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

Download Submit
\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll
MD5
791791c0e466eb0a6af462a265074c9d

SHA1
db4e66209bd211ddc0378c0f62e644eb466cde0e

SHA256
187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

SHA512
badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

Download Submit
memory/388-136-0x0000000000000000-mapping.dmp

Download
memory/1180-120-0x0000000000000000-mapping.dmp

Download
memory/1180-124-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1904-123-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1904-118-0x0000000000000000-mapping.dmp

Download
memory/2640-128-0x0000000000000000-mapping.dmp

Download
memory/3548-127-0x0000000000730000-0x000000000087A000-memory.dmp

Filesize
1.3MB

Download
memory/3548-125-0x0000000000000000-mapping.dmp

Download
memory/3564-117-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3876-134-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads