e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

Analysis

max time kernel
79s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19/04/2022, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
Size

7.4MB
MD5

1cf5dd5e5b0074edcba997bb52ca95ca
SHA1

aa64c566f081986367b805ce3093f188b7fa9af8
SHA256

e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d
SHA512

7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\162.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-100_contrast-white.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker20.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated_contrast-white.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-24_contrast-black.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-100.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-100.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\Logo.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileOneNote32x32.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-400.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-100.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-200_contrast-white.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\WideTile.scale-125.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_activityAlert.targetsize-48.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\12.jpg	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-125_contrast-black.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-150.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\tab_mru_darktheme.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxManifest.xml.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NewNotePlaceholder-light.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-150.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-black.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-125.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-200.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100_contrast-white.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-100_contrast-white.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-125.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-lightunplated.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow_black.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\3DViewerProductDescription-universal.xml	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileForms32x32.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-white.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated_contrast-white.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-125_contrast-white.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-150.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-200.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-150.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-16_altform-unplated.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-150.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated_contrast-white.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-400.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-125.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_contrast-black.png.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WideTile.scale-100.png	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.zhen	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
2360	taskkill.exe
4012	taskkill.exe
3184	taskkill.exe
1272	taskkill.exe
3612	taskkill.exe
3348	taskkill.exe
4112	taskkill.exe

Modifies data under HKEY_USERS 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4736	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
4968	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2696	4736	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	79
PID 4736 wrote to memory of 2696	4736	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	79
PID 4736 wrote to memory of 2696	4736	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	79
PID 2696 wrote to memory of 1272	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	85
PID 2696 wrote to memory of 1272	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	85
PID 2696 wrote to memory of 1272	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	85
PID 2696 wrote to memory of 3612	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	87
PID 2696 wrote to memory of 3612	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	87
PID 2696 wrote to memory of 3612	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	87
PID 2696 wrote to memory of 3348	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	89
PID 2696 wrote to memory of 3348	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	89
PID 2696 wrote to memory of 3348	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	89
PID 2696 wrote to memory of 4112	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	91
PID 2696 wrote to memory of 4112	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	91
PID 2696 wrote to memory of 4112	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	91
PID 2696 wrote to memory of 2360	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	92
PID 2696 wrote to memory of 2360	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	92
PID 2696 wrote to memory of 2360	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	92
PID 2696 wrote to memory of 4012	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	93
PID 2696 wrote to memory of 4012	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	93
PID 2696 wrote to memory of 4012	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	93
PID 2696 wrote to memory of 3184	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	96
PID 2696 wrote to memory of 3184	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	96
PID 2696 wrote to memory of 3184	2696	e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe	96

C:\Users\Admin\AppData\Local\Temp\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
"C:\Users\Admin\AppData\Local\Temp\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736
- C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
  C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM ora*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM tns*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM postgres*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3184

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

Filesize
7.4MB

MD5
1cf5dd5e5b0074edcba997bb52ca95ca

SHA1
aa64c566f081986367b805ce3093f188b7fa9af8

SHA256
e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

SHA512
7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

Download Submit
C:\ProgramData\e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d.exe

Filesize
7.4MB

MD5
1cf5dd5e5b0074edcba997bb52ca95ca

SHA1
aa64c566f081986367b805ce3093f188b7fa9af8

SHA256
e693ba3857027dd1c9e234dcadd35e76a96b2fa9b34a618f2b4a2b3b9403cf2d

SHA512
7373691c3a14fe7c4bfcbee3c9e0cf671a06ebe2ddfb011bca34e71edf2593cdd47ec08d32d0d46974da5a40ddf1d86c033574612756a308507dd9e7796c8134

Download Submit