e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de

General

Target

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
Size

860KB
MD5

d446cc682dc1aaf3811524d796e9c10c
SHA1

6e75979cd990273413d1e20fe45a3e1d73422b77
SHA256

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de
SHA512

ff8db73394fb966f403423ee52fa0155430effe8544ad376799fb812d7cc55805c7beb7ba85b6e74c3ae3116592376f1abe6465a6b6730f7cb926523817160e4
SSDEEP

24576:7Tvtt6UDKwny3EAV1xnDwdfJj50jscibFo1:H1vy0qTohj5pN

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iwdefender.exe

pid process

3052 iwdefender.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iwdefender.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	iwdefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\iwdefender.exe"	iwdefender.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iwdefender.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\R:	iwdefender.exe
File opened (read-only)	\??\X:	iwdefender.exe
File opened (read-only)	\??\F:	iwdefender.exe
File opened (read-only)	\??\H:	iwdefender.exe
File opened (read-only)	\??\I:	iwdefender.exe
File opened (read-only)	\??\L:	iwdefender.exe
File opened (read-only)	\??\M:	iwdefender.exe
File opened (read-only)	\??\Q:	iwdefender.exe
File opened (read-only)	\??\G:	iwdefender.exe
File opened (read-only)	\??\O:	iwdefender.exe
File opened (read-only)	\??\P:	iwdefender.exe
File opened (read-only)	\??\U:	iwdefender.exe
File opened (read-only)	\??\W:	iwdefender.exe
File opened (read-only)	\??\K:	iwdefender.exe
File opened (read-only)	\??\N:	iwdefender.exe
File opened (read-only)	\??\T:	iwdefender.exe
File opened (read-only)	\??\V:	iwdefender.exe
File opened (read-only)	\??\Y:	iwdefender.exe
File opened (read-only)	\??\E:	iwdefender.exe
File opened (read-only)	\??\J:	iwdefender.exe
File opened (read-only)	\??\S:	iwdefender.exe
File opened (read-only)	\??\Z:	iwdefender.exe
File opened (read-only)	\??\D:	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

iwdefender.exe

description ioc process

File opened for modification \??\PhysicalDrive0 iwdefender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	iwdefender.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2368	3052	WerFault.exe	iwdefender.exe
1928	3052	WerFault.exe	iwdefender.exe
4684	3052	WerFault.exe	iwdefender.exe
2156	3052	WerFault.exe	iwdefender.exe
4704	3052	WerFault.exe	iwdefender.exe
4768	3052	WerFault.exe	iwdefender.exe
1664	3052	WerFault.exe	iwdefender.exe
3180	3052	WerFault.exe	iwdefender.exe
1908	3052	WerFault.exe	iwdefender.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4060001867-1434967833-2212371794-1000\{7E399A49-DB5E-4A83-AB16-E3B865F7CCC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exeiwdefender.exe

pid	process
2720	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
2720	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

pid process

2720 e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeCreatePagefilePrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeCreatePagefilePrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeCreatePagefilePrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeCreatePagefilePrivilege	1276	explorer.exe
Token: SeShutdownPrivilege	1276	explorer.exe
Token: SeCreatePagefilePrivilege	1276	explorer.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

iwdefender.exesihost.exeexplorer.exesihost.exe

pid	process
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
224	sihost.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
3052	iwdefender.exe
324	sihost.exe
1276	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

iwdefender.exeexplorer.exe

pid	process
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
3052	iwdefender.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
1276	explorer.exe
3052	iwdefender.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iwdefender.exeOfficeClickToRun.exeOfficeClickToRun.exe

pid process

3052 iwdefender.exe
3052 iwdefender.exe
4508 OfficeClickToRun.exe
4756 OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exesihost.exe

description	pid	process	target process
PID 2720 wrote to memory of 3052	2720	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe
PID 2720 wrote to memory of 3052	2720	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe
PID 2720 wrote to memory of 3052	2720	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe
PID 224 wrote to memory of 1276	224	sihost.exe	explorer.exe
PID 224 wrote to memory of 1276	224	sihost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
"C:\Users\Admin\AppData\Local\Temp\e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2720

C:\ProgramData\iwdefender.exe
C:\ProgramData\iwdefender.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 688
3⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 892
3⤵
- Program crash
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1164
3⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1196
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1296
3⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1312
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1304
3⤵
- Program crash
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1304
3⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1332
3⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3052 -ip 3052
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3052 -ip 3052
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3052 -ip 3052
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3052 -ip 3052
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3052 -ip 3052
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3052 -ip 3052
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3052 -ip 3052
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3052 -ip 3052
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3052 -ip 3052
1⤵
PID:1072

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1276

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\iwdefender.exe

Filesize
827KB

MD5
abd57435cadec1d2a1457de28e2a824d

SHA1
dfbf66fdb7adc4bc32cd3e32eb6a686d263d2793

SHA256
55c9c59928ecd307250f16642ae1e2abab9b71d9b04d2867b99135d7753b7eb3

SHA512
2459d411c142a017233c68c873ccc5d320a074b7c7398aa00e9a1ba2ecda5ca0b35bda3411fde8eaf0424a9aa01aa0e38c8784626e807601c7447106f180d322

Download Submit
C:\ProgramData\iwdefender.exe

Filesize
827KB

MD5
abd57435cadec1d2a1457de28e2a824d

SHA1
dfbf66fdb7adc4bc32cd3e32eb6a686d263d2793

SHA256
55c9c59928ecd307250f16642ae1e2abab9b71d9b04d2867b99135d7753b7eb3

SHA512
2459d411c142a017233c68c873ccc5d320a074b7c7398aa00e9a1ba2ecda5ca0b35bda3411fde8eaf0424a9aa01aa0e38c8784626e807601c7447106f180d322

Download Submit
C:\Users\Public\Desktop\Internet Security PRO.lnk

Filesize
695B

MD5
438b43744afb68e84a7c7e3cbb78c68c

SHA1
ad3242db8774da241aefe99bd6e31363d5bff240

SHA256
caddefc75e3a88e006fc584c148c6825b11c7b19b29225f97ae6b96dbc1677ab

SHA512
e3f1e68902f41111149c23b33b56bf1863f1351d4e015bbdd7f824a066aa389cf608b95bacbfe5296eb74b1e024755fe8c9589b4ef79156f000f5ed5683c9006

Download Submit
memory/1276-141-0x0000000000000000-mapping.dmp

Download
memory/2720-132-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2720-133-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3052-134-0x0000000000000000-mapping.dmp

Download
memory/3052-137-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download
memory/3052-139-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download
memory/3052-140-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads