Overview

overview

10

Static

static

OneDriveSetup.exe

windows7-x64

1

OneDriveSetup.exe

windows10-1703-x64

10

OneDriveSetup.exe

windows10-2004-x64

10

OneDriveSetup.exe

android-10-x64

OneDriveSetup.exe

android-11-x64

OneDriveSetup.exe

android-9-x86

OneDriveSetup.exe

macos-10.15-amd64

1

OneDriveSetup.exe

debian-9-armhf

OneDriveSetup.exe

debian-9-mips

OneDriveSetup.exe

debian-9-mipsel

OneDriveSetup.exe

ubuntu-18.04-amd64

Resubmissions

17-03-2024 09:03

240317-kz93babd61 8

02-02-2023 07:25

230202-h81h5ahc9z 10

01-02-2023 00:33

230201-av97eabb24 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OneDriveSetup.exe

  • Size

    48.0MB

  • Sample

    230202-h81h5ahc9z

  • MD5

    1382660b084b8791b400739542442783

  • SHA1

    3ecbe73642812498f3e4fad5dc47f8a9573fd4fb

  • SHA256

    48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c

  • SHA512

    8d49071449384678794a0188bad7b3cdfb2c90e11b36b5923b38362dbf21fb98188f5eafc5d5b41f6dfc8ed5d88335600a17c044af05f1afa8a989d86c7463f2

  • SSDEEP

    786432:2QAM/bg9LA622CSAqL7Xis205pR40RKBVLiRIBqVbCj1/IwInTVk0:26D2NlbF5pHKQXbCJ/IA0

Score
10/10
adwareandroiddiscoverylinuxmacospersistencestealer

Malware Config

Targets

    • Target

      OneDriveSetup.exe

    • Size

      48.0MB

    • MD5

      1382660b084b8791b400739542442783

    • SHA1

      3ecbe73642812498f3e4fad5dc47f8a9573fd4fb

    • SHA256

      48a181bb27dcdffbf2d467e6004a40677b68d2d07399dd87f5ee0a2b51e5837c

    • SHA512

      8d49071449384678794a0188bad7b3cdfb2c90e11b36b5923b38362dbf21fb98188f5eafc5d5b41f6dfc8ed5d88335600a17c044af05f1afa8a989d86c7463f2

    • SSDEEP

      786432:2QAM/bg9LA622CSAqL7Xis205pR40RKBVLiRIBqVbCj1/IwInTVk0:26D2NlbF5pHKQXbCJ/IA0

    Score
    10/10
    discoverypersistenceadwarestealer

    • Modifies system executable filetype association

      persistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Registers COM server for autorun

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral1behavioral10behavioral11behavioral2behavioral3behavioral4behavioral5behavioral6behavioral7behavioral8behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

4
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

8
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks