a222bdf089f24ea1da86f7a6a6335acff90fc329ee9e0f7a21003fa42624869e

Analysis

max time kernel
93s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SkyDriveSetup.exe
Size

4.9MB
MD5

6961f3aec7f861c65091b8fb35086561
SHA1

e3b0fb8d929898ad342002afa28cc265194efe90
SHA256

cc9d7f28a00c0782658cfa90cfa69baebbb056d1838011f30782d2e96e2979fb
SHA512

e0fb908d916647e0297e272ec1428f6b70e4538bfdc2e8a99f45308e3d73165661a0bc3ef1425e6e8ad3da3e321bea9f5a4e10dc4434aeb4d0addf34027464bb
SSDEEP

98304:2qfhtV37w74C0CJmzevREdhOXQTFB74unJSqqgw3LFkkEGr3ra:JfXVrw7RRE2gTgunJSYw3LiWra

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SkyDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SkyDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SkyDriveSetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	SkyDriveSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkyDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkyDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkyDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3364	SkyDriveSetup.exe
Token: SeRestorePrivilege	2260	SkyDriveSetup.exe
Token: SeBackupPrivilege	2260	SkyDriveSetup.exe
Token: SeRestorePrivilege	4140	SkyDriveSetup.exe
Token: SeBackupPrivilege	4140	SkyDriveSetup.exe
Token: SeBackupPrivilege	2260	SkyDriveSetup.exe
Token: SeBackupPrivilege	2260	SkyDriveSetup.exe
Token: SeBackupPrivilege	2260	SkyDriveSetup.exe
Token: SeBackupPrivilege	4140	SkyDriveSetup.exe
Token: SeBackupPrivilege	4140	SkyDriveSetup.exe
Token: SeBackupPrivilege	4140	SkyDriveSetup.exe
Token: SeBackupPrivilege	2260	SkyDriveSetup.exe
Token: SeBackupPrivilege	2260	SkyDriveSetup.exe
Token: SeBackupPrivilege	3364	SkyDriveSetup.exe
Token: SeBackupPrivilege	3364	SkyDriveSetup.exe
Token: SeBackupPrivilege	3364	SkyDriveSetup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4140	3364	SkyDriveSetup.exe	88
PID 3364 wrote to memory of 4140	3364	SkyDriveSetup.exe	88
PID 3364 wrote to memory of 4140	3364	SkyDriveSetup.exe	88
PID 2260 wrote to memory of 4812	2260	SkyDriveSetup.exe	92
PID 2260 wrote to memory of 4812	2260	SkyDriveSetup.exe	92
PID 2260 wrote to memory of 4812	2260	SkyDriveSetup.exe	92
PID 4140 wrote to memory of 2164	4140	SkyDriveSetup.exe	93
PID 4140 wrote to memory of 2164	4140	SkyDriveSetup.exe	93
PID 4140 wrote to memory of 2164	4140	SkyDriveSetup.exe	93
PID 4140 wrote to memory of 1888	4140	SkyDriveSetup.exe	94
PID 4140 wrote to memory of 1888	4140	SkyDriveSetup.exe	94
PID 4140 wrote to memory of 1888	4140	SkyDriveSetup.exe	94
PID 2260 wrote to memory of 4820	2260	SkyDriveSetup.exe	96
PID 2260 wrote to memory of 4820	2260	SkyDriveSetup.exe	96
PID 2260 wrote to memory of 4820	2260	SkyDriveSetup.exe	96
PID 2260 wrote to memory of 1824	2260	SkyDriveSetup.exe	97
PID 2260 wrote to memory of 1824	2260	SkyDriveSetup.exe	97
PID 2260 wrote to memory of 1824	2260	SkyDriveSetup.exe	97
PID 3364 wrote to memory of 3324	3364	SkyDriveSetup.exe	98
PID 3364 wrote to memory of 3324	3364	SkyDriveSetup.exe	98
PID 3364 wrote to memory of 3324	3364	SkyDriveSetup.exe	98

C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe" C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe /permachine /silent /childprocess /cusid:S-1-5-21-1045960512-3948844814-3059691613-1000
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4140" "1504" "1424" "1508" "0" "0" "0" "0" "0" "0" "0" "0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2164
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4140" "1456" "1512" "1448" "0" "0" "0" "0" "0" "0" "0" "0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe
  C:\Users\Admin\AppData\Local\Temp\SkyDriveSetup.exe /peruser /childprocess
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2260" "1732" "1552" "1736" "0" "0" "0" "0" "0" "0" "0" "0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4812
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2260" "1864" "1968" "1744" "0" "0" "0" "0" "0" "0" "0" "0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4820
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2260" "1432" "1376" "1456" "0" "0" "0" "0" "0" "0" "0" "0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1824
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3364" "2060" "1628" "2064" "0" "0" "0" "0" "0" "0" "0" "0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAE5.tmp.xml

Filesize
4KB

MD5
376f34e683c01fcb18e6a1c53a4aa729

SHA1
5699751c8ab84f87cad18f8a1b16d365bada8185

SHA256
a87fcf3981c0cb1b45c117a25165b57a952c07b2b4028a2d419a0201850ba419

SHA512
ffb0de7534b1df4a5bfdb47dd6932d1c75219a72001ff7a316394a91e359e4ef849d431fe7c606660b4e6bb476c87adee15357d9812f1b412069a3d63e78f56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060323_d24-a44.log

Filesize
5KB

MD5
0cc60d8bd44228d857e867eea1b6a676

SHA1
ab912161ebe9fa34218f8921de92ac1be2a6609e

SHA256
2a9f0974472cfb7de77ef24ba0825494b312970f452e96708d4edbd5c9b3e53d

SHA512
23612e5e48d12abc8603e1100748e60860a2c46776e72954b7d678f39679f509a57fbd0a21438f6387681b2b5a6442b2b09117809db2a972e0914eb3d8ae0c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060323_d24-a44.log

Filesize
6KB

MD5
8d6f3dc7d6af3c0dcb22181806d1f37a

SHA1
6334135fb7982c51a53bc914f9e8adfc27a92492

SHA256
34337191e9276101d5fd019fd290aa9ab4292d79197dc3f94d2eff96fbca2cfe

SHA512
5b01481f5590bec71ee6d27722a1917709a51d6e4cb2bdce346dd33d396e533e6b5f15fb75e9e5a3f7bb765976a8ab1d49b9d87ad33407a8ee22b86764b21db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_102c-12e0.log

Filesize
7KB

MD5
06ef0d5a772e1cd0b5d91da5bb8d967b

SHA1
e0cc16ae175b73084f187e6016d3a163aa5dd979

SHA256
669b24c192e649e8253e7558b45c12ac70809f48f776fd8c75c9b318217a5c27

SHA512
5c14fff1dcbc24e56e656286f1962d16f6361b1803f1eb6a8830a92daa9b8f41a44cd41eed240821c9b1fbb7dbe43c49a738026303d0bd649393b7f4a4fa7376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_102c-12e0.log

Filesize
7KB

MD5
447a8da98ead495f2a90f812c8346731

SHA1
1f3c73d1eac52066061be914793170d406f8b6be

SHA256
3a8337851abeb97c2b484bd90f68ac2c284b080acc09400b1cbac59fa87c1108

SHA512
32094f600529a25839454a68875f2c60e2f66d27087b57b78adb755a6686c365eaae31212347e021902bf7ea3ed53d1a2f75973e575fa6ee3d144400e1f231e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_8d4-1128.log

Filesize
5KB

MD5
ef468d2e7e649c505b5beea8955c4333

SHA1
d2e28bc453180fd76d8d0a3ceb90523fb65eb887

SHA256
d8ce9ff6e3717f2c2538cf6213a03eed1744cb667b8e76dd122cf31c0e2bc990

SHA512
e80c14132b591fde65512c01653367740400cf13ff916a4c6d7a960f8abb09fa48ebf435107c04a850d9adb27147ce8c0708addad2112017d516f0a9b4894b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_8d4-1128.log

Filesize
6KB

MD5
b5026a1437f8304194ed6bf6123e758f

SHA1
16c35bc0402b1b3d28e2e76f683fbb6fb3645524

SHA256
4f6490a4ee7e4889ea58a3590b9947b843f0a351b9f001a7dc5e99323c817cc6

SHA512
2bb1f132caf6ed44c1bf9204ded9b8ab310124d0dfd491d5c8ff15794b4bec6e6a3f9cc4eaa9c23f04082b4e4db276d05eb6f7b0b0ff22f955750b9234dc9107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SkyDrive\setup\logs\2024-10-09_060324_8d4-1128.log

Filesize
7KB

MD5
716b9195294ea259133ce5fb1685c87a

SHA1
f2a38d12c739d1235e72fa4378d37e0f145fa989

SHA256
c4afabdfd5135e379c9e8cc14c2b6ac463b271795928ccc72506d66d820cee64

SHA512
f81743500d8c0a2d628fb8cbef24174576fcdb23c6a65fddca26f68bb3f2bacb43cf5ba7a2020e4ac61535ed3e29173c0dcdaecf77b8bf834d75eb264a7c588b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp

Filesize
4.0MB

MD5
77adb580cb498135d0a82cb549188b63

SHA1
3f34333dee14db56ef9e26b068aa910098942f4d

SHA256
bbef38f8e366fbe02d5e32a221dcec0aed2507a7b69c7bd862aa11c1cc754e49

SHA512
8c71d984e7efd06aeac65e35e7ee9ac5f6373b8be56447fe88e328ae84a301d74f7d2231efc9ca22801dfed29747ae69ffdc86f8d02aee019a9b0718cbc408d1

Download Submit
memory/2260-12-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads