Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 10:11
Behavioral task behavioral1
Sample: 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe
Resource: win10v2004-20220812-en
General

Target: 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe
Size: 42KB
MD5: c84a88c6676ad0d3c8330c8d95324e1d
SHA1: 4f2277a86825bba3917290fd95416210c5ca6a4a
SHA256: 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7
SHA512: 4df47dffa0e1be95ac7c33f5d4707abaf24a20224262f3ced41f06b79696d2d83cb8d175f7112c004ff1a5e05d7c5ad40dededd786be33e7b9672c30ed84230a
SSDEEP: 768:8O1oR/YVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzD8hOT11+2p1tK5v6:8ES1FKnDtkuIm8S82HMy
Malware Config

Extracted: C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
This is the ransom note the sample writes into the directories it modifies (see the +README-WARNING+.txt "File created" rows under Program Files below); its text is not reproduced in this report.
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 3436 created 4960 | 3436 | svchost.exe | 79
Note: procid_target is the report's own process index, not a Windows PID (compare the WriteProcessMemory rows, where target PID and procid_target differ). PID 3436 is the svchost.exe instance hosting the Secondary Logon service (-s seclogon), which creates processes on behalf of callers of CreateProcessWithLogonW/CreateProcessWithTokenW with the caller, not svchost.exe, recorded as the parent; the WriteProcessMemory rows below show it writing into the second sample instance (PID 5112).
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
pid | Process
3296 | wbadmin.exe
The command behind this hit is wbadmin delete catalog -quiet (see Processes): it removes the Windows Backup catalog, so existing backups can no longer be located for restore.
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A7891822FCFF127E4EADADE9757112B | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A7891822FCFF127E4EADADE9757112B | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | OfficeClickToRun.exe
All six writes are OfficeClickToRun.exe's own telemetry and certificate-cache files under the system profile, not activity by the sample.
Drops file in Program Files directory (64 IoCs)
Process for every row: 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe (the sample)
description | ioc
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-125_contrast-black.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Microsoft.IoT.Cortana.winmd
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\+README-WARNING+.txt
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\+README-WARNING+.txt
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-125.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72_altform-unplated.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml
File opened for modification | C:\Program Files\FindClose.wvx
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-100.png
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\+README-WARNING+.txt
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\management\management.properties
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxl
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx
File opened for modification | C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\+README-WARNING+.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.xml
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-100_contrast-white.png
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Every row is attributed to vds.exe, the Virtual Disk Service, which the process tree shows was COM-activated during the run (vdsldr.exe -Embedding) and which enumerates disk devices as part of its normal operation. Neither the sample nor any of its children is recorded reading these keys, so this hit is environmental rather than an anti-sandbox check by the malware.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OfficeClickToRun.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | OfficeClickToRun.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OfficeClickToRun.exe
All three reads come from the Office Click-to-Run service (OfficeClickToRun.exe /service), which collects machine details for its own telemetry; the sample is not recorded reading them.
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | OfficeClickToRun.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | OfficeClickToRun.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | OfficeClickToRun.exe
As with the processor keys above, these BIOS reads are OfficeClickToRun.exe telemetry, not sample behaviour.
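The three registry-check signatures above are attributed to vds.exe and OfficeClickToRun.exe, Windows components that happened to be running in the sandbox, not to the sample or any of its children, so they are background noise rather than anti-sandbox checks by the malware. A quick way to make that judgement mechanically is to compute the sample's process lineage from the tree and test each signature hit against it. The Python below is an added example, not part of the Triage report: the PIDs, images and hit rows are transcribed from this page, and the set of service images treated as background (NOISY_OS_IMAGES) is an assumption to tune per sandbox image. It also encodes the caveat that lineage alone is not enough: service-side effects of the sample's commands (vssvc.exe and wbengine.exe enabling SeBackupPrivilege after vssadmin and wbadmin ran) fall outside the lineage and still need a manual look.

```python
"""Attribute Triage signature hits to the sample's process lineage.

Added example, not part of the Triage report. PIDs, images and hit
rows are transcribed from the report; NOISY_OS_IMAGES is an assumption
to tune per sandbox image.
"""
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe"

# (pid, parent pid or None for a top-level process, image), from the Processes section.
TREE: List[Tuple[int, Optional[int], str]] = [
    (4960, None, SAMPLE),
    (5112, 4960, SAMPLE),            # second instance, started with argument n4960
    (2068, 4960, "cmd.exe"),
    (4120, 2068, "vssadmin.exe"),
    (3296, 2068, "wbadmin.exe"),
    (4636, 2068, "WMIC.exe"),
    (3436, None, "svchost.exe"),     # -k netsvcs -p -s seclogon
    (1660, None, "vssvc.exe"),
    (1556, None, "wbengine.exe"),
    (256, None, "vdsldr.exe"),
    (204, None, "vds.exe"),
    (3920, None, "OfficeClickToRun.exe"),
]

# (signature, pid, ioc) rows picked from the Signatures section.
HITS: List[Tuple[str, int, str]] = [
    ("Checks SCSI registry key(s)", 204,
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName"),
    ("Checks processor information in registry", 3920,
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("Enumerates system info in registry", 3920,
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    ("Interacts with shadow copies", 4120, "vssadmin delete shadows /all /quiet"),
    ("Deletes shadow copies", 3296, "wbadmin delete catalog -quiet"),
    ("Suspicious use of AdjustPrivilegeToken", 1660, "SeBackupPrivilege"),
]

# Windows service images whose registry/file activity in a clean sandbox
# image is normally background noise. Assumption: tune to your image.
NOISY_OS_IMAGES = {"vds.exe", "vdsldr.exe", "OfficeClickToRun.exe", "svchost.exe"}


def descendants(tree: List[Tuple[int, Optional[int], str]], root: int) -> Set[int]:
    """root plus every PID reachable from it through parent links."""
    children: Dict[Optional[int], List[int]] = {}
    for pid, ppid, _ in tree:
        children.setdefault(ppid, []).append(pid)
    found: Set[int] = set()
    stack = [root]
    while stack:
        pid = stack.pop()
        if pid in found:
            continue
        found.add(pid)
        stack.extend(children.get(pid, []))
    return found


def image_of(tree, pid: int) -> Optional[str]:
    """Image name recorded for pid, or None if the PID is not in the tree."""
    return next((img for p, _, img in tree if p == pid), None)


def attribute(hits, tree, sample_pid: int, noisy=NOISY_OS_IMAGES) -> List[dict]:
    """Label each hit: sample lineage, OS background, or outside lineage (review)."""
    lineage = descendants(tree, sample_pid)
    rows = []
    for signature, pid, ioc in hits:
        image = image_of(tree, pid)
        if pid in lineage:
            verdict = "sample lineage"
        elif image in noisy:
            verdict = "os background"
        else:
            # vssvc.exe / wbengine.exe land here: they act on the sample's
            # behalf inside a service, so lineage alone cannot clear them.
            verdict = "outside lineage, review"
        rows.append({"signature": signature, "pid": pid, "image": image, "ioc": ioc, "verdict": verdict})
    return rows


def sample_attributable(hits, tree, sample_pid: int) -> Set[str]:
    """Signature names a triage note can attribute to the sample without caveat."""
    return {r["signature"] for r in attribute(hits, tree, sample_pid) if r["verdict"] == "sample lineage"}


if __name__ == "__main__":
    for r in attribute(HITS, TREE, 4960):
        print(f'{r["verdict"]:<24} {r["image"]:<22} {r["signature"]}')
```

Run as a script it prints one verdict per hit; for this report only the two shadow-copy signatures come back as "sample lineage", the registry checks as "os background", and the vssvc.exe privilege use as "outside lineage, review".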
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4120 | vssadmin.exe
The command is vssadmin delete shadows /all /quiet (see Processes), which removes every volume shadow copy without prompting; the sample also runs wmic shadowcopy delete (PID 4636) as a second route to the same result.
Modifies data under HKEY_USERS (43 IoCs)
Process for every row: OfficeClickToRun.exe, writing its own telemetry, experiment and identity state under HKEY_USERS\.DEFAULT (the service account's profile); none of these rows is sample activity.
description | ioc
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 19 Sep 2022 10:14:09 GMT"
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = (binary value elided)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1663589648"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty value)
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={027BB38E-B345-4C9C-AB49-EF6BE6ABE408}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018C0064399EC85"
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C0064399EC85 = (binary value elided)
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUKFVEGReoCdHdlh1TorgVuqX+P2gOZgAAEIDE8v2HxAlDb0YijPC5GHXgALdTdzkbE01VdNch9juTDF+m8vFvei8R8p2hAPxbz3c6WkwaCoMPxDCREo40DTGD/UbpbJEzTBx6XHhgmdIBiv22QjKxiJ8nDZ9cjaPPMjDgE69bYuwZYVpHpN3AjccY8UsGbz1Lj0WENgghhwutAI9+ZhX9y6283mcK/egyQvRPuZTn1BMZpJsM/Sc5XFQZkjZKEIqq5A6PRv7Q4shNZVtDKrY+k7js0FkU02+OZd2+oFiaH5rFVEkma/o+0onozUprCrHmf5aROtj75zf4lj0j9FjOYXJEubbgjAf2f7mIHQE=&p="
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4960 | 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe (two hits)
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Token | pid | Process
SeTcbPrivilege (twice) | 3436 | svchost.exe
SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 1660 | vssvc.exe
SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege | 1556 | wbengine.exe
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 adjusted twice, 42 rows) | 4636 | WMIC.exe
Notes: the numeric tokens 33 to 36 are privilege LUIDs the report did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. WMIC.exe enabling its whole available privilege set at startup is normal for that tool and says nothing about the sample. The rows that matter are vssvc.exe and wbengine.exe taking SeBackupPrivilege and SeRestorePrivilege: those are the services that carry out the shadow-copy and backup-catalog deletions requested by the sample's cmd.exe children.
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3920 | OfficeClickToRun.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3436 wrote to memory of 5112 (7 rows) | 3436 | svchost.exe | 81
PID 4960 wrote to memory of 2068 (2 rows) | 4960 | 78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe | 82
PID 2068 wrote to memory of 4120 (2 rows) | 2068 | cmd.exe | 84
PID 2068 wrote to memory of 3296 (2 rows) | 2068 | cmd.exe | 87
PID 2068 wrote to memory of 4636 (2 rows) | 2068 | cmd.exe | 91
The sample and cmd.exe rows are parents writing into children they have just created, which is ordinary process start-up. The seclogon svchost.exe (PID 3436) writing seven times into the second sample instance (PID 5112) is the Secondary Logon service initialising a process it created on the sample's behalf, matching the NtCreateUserProcessOtherParentProcess hit above.
Processes

C:\Users\Admin\AppData\Local\Temp\78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe"
    PID: 4960
    signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe" n4960
        PID: 5112

    C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        PID: 2068
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            PID: 4120
            signatures: Interacts with shadow copies

        C:\Windows\system32\wbadmin.exe
            command line: wbadmin delete catalog -quiet
            PID: 3296
            signatures: Deletes backup catalog

        C:\Windows\System32\Wbem\WMIC.exe
            command line: wmic shadowcopy delete
            PID: 4636
            signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    PID: 3436
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    PID: 1660
    signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
    command line: "C:\Windows\system32\wbengine.exe"
    PID: 1556
    signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
    command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 256

C:\Windows\System32\vds.exe
    command line: C:\Windows\System32\vds.exe
    PID: 204
    signatures: Checks SCSI registry key(s)

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    PID: 3920
    signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
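The three children of cmd.exe (PID 2068) are the whole recovery-inhibition step: vssadmin removes the existing volume shadow copies, wbadmin deletes the backup catalog, and wmic deletes shadow copies a second way in case one tool is blocked. The Python below is an added detection example, not part of the Triage report or the sample: it runs over constructed process-creation events (the field names pid/ppid/image/cmdline are an assumed post-parsing schema for Sysmon Event ID 1 or Security 4688), matches the three commands seen here plus a few sibling ATT&CK T1490 commands that go beyond this report, and walks the parent chain past cmd.exe to the process that initiated the deletion, so that several distinct tools from one initiator can be scored as the ransomware signal. PIDs and command lines in the sample events are copied from the process tree; the benign `vssadmin list shadows` event is constructed to show a non-match.

```python
"""Flag backup-inhibition commands (ATT&CK T1490) in process-creation events.

Added example, not from the Triage report or the sample. Event fields
pid/ppid/image/cmdline are an assumed post-parsing schema for Sysmon
Event ID 1 or Security 4688; the events are constructed, with PIDs and
command lines copied from the report's process tree.
"""
import re
from typing import Dict, List, Set

# (image basename, command-line pattern, label). The first three are the
# commands in this report; the rest are common siblings of the technique.
INHIBIT_RECOVERY = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    ("wbadmin.exe", re.compile(r"\bdelete\s+(catalog|systemstatebackup|backup)\b", re.I), "wbadmin delete"),
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    ("vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I), "bcdedit disable recovery"),
    ("powershell.exe", re.compile(r"win32_shadowcopy", re.I), "PowerShell Win32_ShadowCopy"),
]

# Intermediary shells skipped when locating the process that started the chain.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

SAMPLE = "78c11a0feca2fb59e2e8db85cf5052508347a66cb28ddaa5aac5ae4ba8b96ea7.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed events mirroring the report's tree; ppid 0 = parent not logged.
EVENTS = [
    {"pid": 4960, "ppid": 0, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 2068, "ppid": 4960, "image": r"C:\Windows\system32\cmd.exe", "cmdline": '"C:\\Windows\\system32\\cmd.exe"'},
    {"pid": 4120, "ppid": 2068, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 3296, "ppid": 2068, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4636, "ppid": 2068, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    # Benign admin activity that must not fire: an interactive listing.
    {"pid": 7001, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7002, "ppid": 7001, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 7003, "ppid": 7002, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


def image_name(path: str) -> str:
    """Lowercase basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_initiator(pid: int, by_pid: Dict[int, dict]) -> dict:
    """Walk parent links upward, skipping shells, to the process that began the chain."""
    cur = by_pid[pid]
    seen = {pid}
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            return cur                      # parent unknown (or a cycle): stop here
        if image_name(parent["image"]) not in SHELLS:
            return parent                   # first non-shell ancestor
        seen.add(parent["pid"])
        cur = parent


def detect_inhibit_recovery(events: List[dict]) -> List[dict]:
    """One finding per event whose image and command line match a T1490 pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        for tool, pattern, label in INHIBIT_RECOVERY:
            if name == tool and pattern.search(e["cmdline"]):
                initiator = find_initiator(e["pid"], by_pid)
                findings.append({"pid": e["pid"], "technique": label, "cmdline": e["cmdline"],
                                 "initiator_pid": initiator["pid"],
                                 "initiator_image": image_name(initiator["image"])})
                break
    return findings


def ransomware_candidates(findings: List[dict], min_tools: int = 2) -> Set[int]:
    """Initiators that used at least min_tools distinct T1490 commands: one
    deletion can be an admin, three different tools in a row rarely are."""
    tools: Dict[int, Set[str]] = {}
    for f in findings:
        tools.setdefault(f["initiator_pid"], set()).add(f["technique"])
    return {pid for pid, used in tools.items() if len(used) >= min_tools}


if __name__ == "__main__":
    hits = detect_inhibit_recovery(EVENTS)
    for h in hits:
        print(f'{h["initiator_image"]}({h["initiator_pid"]}) -> {h["technique"]}: {h["cmdline"]}')
    print("candidates:", ransomware_candidates(hits))
```

On the constructed events this yields three findings, all resolved to PID 4960 (the sample) as initiator, and a single candidate; the interactive `vssadmin list shadows` is ignored. In production the same two-stage shape (per-event match, then correlation by initiator) keeps the per-event rule cheap while the multi-tool correlation carries the confidence.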