Resubmissions
13/06/2024, 04:02  240613-el34ystdnf  5

Analysis
max time kernel: 1711s
max time network: 1710s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13/06/2024, 04:02
Static task: static1
Behavioral task: behavioral1
  Sample: OfficeSetup (1).exe
  Resource: win11-20240508-en
General
Target: OfficeSetup (1).exe
Size: 7.2MB
MD5: bc1c2bf64412e8c95ffe1a13c767e0e8
SHA1: 8b2f7c545b6aee74d487558c49a311245001024d
SHA256: cce00c8ec2aa5e3f7e01544ecaf24b67aec0f38c34f9b6514a2a4e3e52cbfef6
SHA512: 5f1fdff19ff01f106024f5b61c7a5be6b334eaa7285dde3689bdb0c3312914c8ab7382f74aae40b367f5e6f8e51662aa68d94edc4f24c49720408c65ae1dae1a
SSDEEP: 196608:enmy2EuQ72XY4njm7D4cYm1jFqGEWYHu1kwzadF2haI6HMaJTtGbD:eIEzyY4in45msW025
Malware Config
Signatures

Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments. The two tagged TTPs are the Discovery techniques Query Registry (T1012) and System Information Discovery (T1082). The same SMBIOS identity strings are also read by chrome.exe later in this session (see "Enumerates system info in registry"), so on its own this behaviour is weak evidence of sandbox evasion.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | OfficeSetup (1).exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | OfficeSetup (1).exe

Drops file in Windows directory (4 IoCs)
All four writes are attributed to UserOOBEBroker.exe, a Windows out-of-box-experience component, and target its own setup logs under C:\Windows\Panther\UnattendGC; none are attributed to the sample.
description | ioc | Process
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
These reads are attributed to chrome.exe (the installed browser, PID 3892), not to the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
chrome.exe writes TPM telemetry state under the S-1-5-19 (LOCAL SERVICE) hive.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627251275285542" | chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3892 | chrome.exe (2 occurrences)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Chrome applies the block-non-Microsoft-binaries process mitigation to the child processes it launches; this is expected browser behaviour.
pid | Process
3892 | chrome.exe (6 occurrences)

Suspicious use of AdjustPrivilegeToken (40 IoCs)
chrome.exe (PID 3892) toggles SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 20 times each.
description | pid | Process
Token: SeShutdownPrivilege | 3892 | chrome.exe (20 occurrences)
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe (20 occurrences)

Suspicious use of FindShellTrayWindow (27 IoCs)
pid | Process
3892 | chrome.exe (27 occurrences)

Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process
3892 | chrome.exe (12 occurrences)

Suspicious use of SetWindowsHookEx (1 IoCs)
This is the only suspicious API call attributed to the sample itself. SetWindowsHookEx installs a message hook, which input-capturing malware uses but which ordinary GUI frameworks use as well, so a single call is not conclusive.
pid | Process
2008 | OfficeSetup (1).exe

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 writes are chrome.exe (PID 3892) writing into processes it has just spawned; the target PIDs correspond to its crashpad handler (4528), GPU process (2460), network service (2756) and storage service (1440) in the process tree below, which is normal for Chrome's multi-process start-up. Triage's procid_target column is its own process index, not a PID.
description | pid | Process | procid_target
PID 3892 wrote to memory of 4528 | 3892 | chrome.exe | 96 (2 occurrences)
PID 3892 wrote to memory of 2460 | 3892 | chrome.exe | 97 (repeated)
PID 3892 wrote to memory of 2756 | 3892 | chrome.exe | 98 (2 occurrences)
PID 3892 wrote to memory of 1440 | 3892 | chrome.exe | 99 (repeated)
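As an added example (not part of the Triage report and not the sample's own code), the Python below re-creates what the "Checks system information in the registry" and "Enumerates system info in registry" signatures describe: reading the SMBIOS SystemManufacturer and SystemProductName strings and comparing them with hypervisor vendor names. It also parses the flattened "description ioc Process" rows from the tables above into records so the reads can be attributed per process, which is what makes the chrome.exe caveat visible. The registry contents, the vendor-marker list and all helper names are constructed for illustration; the rows are the ones printed in the report.

```python
"""Offline re-creation of the registry-based VM check flagged in the report.

Nothing here touches a real registry; a dict stands in for it so the logic
runs anywhere. Vendor markers and fake registry values are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Value names whose contents identify the machine (both observed in the report).
IDENTITY_VALUES = frozenset({"SystemManufacturer", "SystemProductName"})

# Substrings a sandbox-aware loader typically looks for (assumed list, lowercase).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "kvm",
              "xen", "hyper-v", "virtual machine", "bochs", "parallels")

# Key the sample read (from the report); the BIOS key chrome.exe read mirrors it.
SYSINFO_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation"


@dataclass(frozen=True)
class RegistryIoc:
    action: str    # "Key opened" or "Key value queried"
    path: str      # full registry path as Triage prints it
    process: str   # image name Triage attributed the access to

    @property
    def value_name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_identity_read(self) -> bool:
        return self.action == "Key value queried" and self.value_name in IDENTITY_VALUES


# One match per fragment of a flattened row: action, backslash path, process image.
# The process group is lazy so names containing spaces ("OfficeSetup (1).exe") survive.
IOC_RE = re.compile(
    r"(?P<action>Key opened|Key value queried)\s+"
    r"(?P<path>\\REGISTRY\\\S+)\s+"
    r"(?P<process>.+?\.exe)(?=\s|$)"
)


def parse_registry_iocs(row: str) -> list[RegistryIoc]:
    """Split a flattened 'description ioc Process ...' row into records."""
    return [RegistryIoc(m["action"], m["path"], m["process"]) for m in IOC_RE.finditer(row)]


def identity_reads_by_process(rows: list[str]) -> dict[str, int]:
    """Count reads of machine-identity values per process across signature rows."""
    counts: Counter[str] = Counter()
    for row in rows:
        for ioc in parse_registry_iocs(row):
            if ioc.is_identity_read:
                counts[ioc.process] += 1
    return dict(counts)


def looks_like_vm(manufacturer: str, product: str) -> bool:
    """The comparison a sandbox-aware sample would make on the two strings."""
    blob = f"{manufacturer} {product}".lower()
    return any(marker in blob for marker in VM_MARKERS)


def evaluate_identity_check(registry: dict[str, str]) -> bool:
    """Emulate the sample's two reads against a fake registry (path -> value)."""
    manufacturer = registry.get(SYSINFO_KEY + r"\SystemManufacturer", "")
    product = registry.get(SYSINFO_KEY + r"\SystemProductName", "")
    return looks_like_vm(manufacturer, product)


# Rows as printed in the report: the sample's reads and chrome.exe's reads.
SAMPLE_ROW = (r"Key value queried " + SYSINFO_KEY + r"\SystemProductName OfficeSetup (1).exe "
              + r"Key value queried " + SYSINFO_KEY + r"\SystemManufacturer OfficeSetup (1).exe")
CHROME_ROW = (r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe "
              + r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe "
              + r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe")

# Constructed registries: what the reads return on a QEMU-backed sandbox versus a
# hypothetical physical workstation (the bare-metal vendor strings are made up).
SANDBOX_REGISTRY = {
    SYSINFO_KEY + r"\SystemManufacturer": "QEMU",
    SYSINFO_KEY + r"\SystemProductName": "Standard PC (Q35 + ICH9, 2009)",
}
BARE_METAL_REGISTRY = {
    SYSINFO_KEY + r"\SystemManufacturer": "ExampleCorp",
    SYSINFO_KEY + r"\SystemProductName": "Workstation 7",
}

if __name__ == "__main__":
    print(identity_reads_by_process([SAMPLE_ROW, CHROME_ROW]))
    print("sandbox trips the check:", evaluate_identity_check(SANDBOX_REGISTRY))
    print("bare metal trips the check:", evaluate_identity_check(BARE_METAL_REGISTRY))
```

Running it shows the sample and chrome.exe each performing two identity-value reads, which is why the signature alone does not separate the installer from the browser; what would separate them is the branch the sample takes after the read, which only a run on a non-virtualised host (or a sandbox with patched SMBIOS strings) reveals.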
Processes
Every process below sits at the top level of the tree: the sample (PID 2008) spawns no children in this run, and the Chrome, OneDrive and Windows components were started independently in the session. The chrome.exe children are indented under their parent (PID 3892).

C:\Users\Admin\AppData\Local\Temp\OfficeSetup (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\OfficeSetup (1).exe"
  - Checks system information in the registry
  - Suspicious use of SetWindowsHookEx
  PID: 2008

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 4088

C:\Windows\System32\oobe\UserOOBEBroker.exe
  command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
  PID: 3008

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 2740

C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3892

    C:\Program Files\Google\Chrome\Application\chrome.exe (crashpad handler)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffc832ab58,0x7fffc832ab68,0x7fffc832ab78
      PID: 4528

    C:\Program Files\Google\Chrome\Application\chrome.exe (GPU process)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:2
      PID: 2460

    C:\Program Files\Google\Chrome\Application\chrome.exe (network service)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:8
      PID: 2756

    C:\Program Files\Google\Chrome\Application\chrome.exe (storage service)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:8
      PID: 1440

    C:\Program Files\Google\Chrome\Application\chrome.exe (renderer)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:1
      PID: 1688

    C:\Program Files\Google\Chrome\Application\chrome.exe (renderer)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:1
      PID: 3624

    C:\Program Files\Google\Chrome\Application\chrome.exe (renderer)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3516 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:1
      PID: 2976

    C:\Program Files\Google\Chrome\Application\chrome.exe (ProcessorMetrics utility)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:8
      PID: 3904

    C:\Program Files\Google\Chrome\Application\chrome.exe (UtilWin utility)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:8
      PID: 4884

    C:\Program Files\Google\Chrome\Application\chrome.exe (renderer)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4872 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:1
      PID: 2636

    C:\Program Files\Google\Chrome\Application\chrome.exe (renderer)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4824 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:1
      PID: 816

    C:\Program Files\Google\Chrome\Application\chrome.exe (renderer)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3356 --field-trial-handle=1920,i,13726800056230339464,11297865446433512958,131072 /prefetch:1
      PID: 4948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 4424
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 811B
MD5: aa1dac24c27a90ddd1eaaa07418ee3ac
SHA1: 0b20c6796ba9c4d44fd44507b178a9b8d735272c
SHA256: 14f2d41ee95e1c725ad18db867df5090e5a980d285d3839c618294af4683f1f9
SHA512: 351ce70154aac2b91c677a0c36c04e724a39f819f585a5cdd90c82b92ddd87737ee10b7b33d61325c7e39776e56a70de35da5f9856da3ea9f1306a43c82fb995

Filesize: 2B (these are the hashes of the two-byte string "[]", an empty JSON array)
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 7KB
MD5: 6e290ce368e1e24825f42470b109aa5c
SHA1: 6e57c42058f6d461d8786e47efa2baa1af323636
SHA256: 9af96af05566ba15c830674704a0cbc98d0c7e850041d0ba22969207ddf33b51
SHA512: a66a8094337fc9ff3be2ac22eafb08b1edef0765376546f29ed21800e6fb09c5f8ea9e4fa12bbd756179c67ae1c1cf33f9a26ab8c1244c4ebbc682d254ef02a7

Filesize: 7KB
MD5: 821f61e5bba2fa1e609175cc2af44207
SHA1: b57cb9348a3d66272e2c7f151bc277bc794dd97c
SHA256: 91941b7e8f1ea5597f6711d2649a1b9813b377f64c0683dcf112b432bdc4e130
SHA512: f948f6102929a645788ec854bc9ebb3c5b5b8b9da4d04b46363ecac8a0e9b0093ffa37d1afe7d098397ff6714c95f1756f9702e8ff18c62bc4369d8a1d2ca355

Filesize: 129KB
MD5: 96e8e58a0e28eab33b76f4e4e2615b6f
SHA1: 48be5ef7258742cb3df2949c6cff6d6834104af3
SHA256: 75cd0d82d195b650db524e8ee5863579cc673523756189fc43976212a72eed6e
SHA512: 1c4e20e36375aeb44f8c1faa33f686950f9c59733afba00286ed6fdae977f81d155bb2b1798a454970fb5cb6b40c685ff5d174ba921449204cd36f1031f285d6

Filesize: 129KB
MD5: fbc2af990670ba6dc96ce78fe14720a5
SHA1: 65a6f9be7dd9c5aa301f1edb352b407d0e87e9fb
SHA256: 45e0b5efafa3c9f3758eb191af8c506ed2c3d798632fe9fb0e9883e000dbece0
SHA512: 5a08be943411f4dab90ad892a7004178882a253f731cc8dd8afb94dd50c55d2da9f413f626a0c92889fb8d1e66e727fb16424e1fdb13d4a4740deb03665e24ad

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58