9f1eb0a100615cdda44a13f434627f8978d133ca4ef4a002809f95dcc8d24ff6 | Triage

Sharing

General

Target

onedrivephotos.iso
Size

4.5MB
Sample

230616-zsh3ksgf96
MD5

154a9b7e0160021ad53db044ee679ecd
SHA1

08961d44f7e8bb1ed9ddab1e13f9f88fd2da78b0
SHA256

9f1eb0a100615cdda44a13f434627f8978d133ca4ef4a002809f95dcc8d24ff6
SHA512

080a619aa4746b4c6a0cd0888371b990fd0cb7782bbbf38f9a88c7afb8a93ea0cab7b282a1e3351a76413aede0cb61205cd4d4c81769a0746551f9aa3511d868
SSDEEP

49152:6EenBpKLBz+dV0LWUEur5XVmy1rVaou58gZbkT3FjNVcXrkj6B+/T+k54Q1WUw4:7VlH0MAQj8k5d1

Score

8^/10

discovery persistence

Malware Config

Targets

- Target
  
  onedrive-photos.lnk
- Size
  
  2KB
- MD5
  
  63b00ce296162a6627510741598d0255
- SHA1
  
  f795d55bcb1dae240e6d26644f80d1691618bf1a
- SHA256
  
  3115d69184d66d8e588a60b94a250dd51209e894660641ca316560ae918779eb
- SHA512
  
  75ffecb5c80db028cbcb78f7fc3c6a015930cc1e162cbf55040f208758e875cc212b9411c6e9d6a5928fb79e4dbf4a13057b066f08c6c89bac0a1201334c1a2b
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2
- Target
  
  onedriveupdater.exe
- Size
  
  4.0MB
- MD5
  
  792e95b64b9cf45ac8bc10d4d0f077c2
- SHA1
  
  e50af7ee7e0a323d8aa60b6d9b3d39ab33b004f5
- SHA256
  
  60e64dd2c6d2ac6fe9b498fadac81bc34a725de5d893e7df8b2728d8dc5b192d
- SHA512
  
  5064c1a64fa0bd5a31b205d8b34cb85cc3da7091dd2412421f6394d42b9a596430b67ea4d05129912ad942458198280a3a69409388d2413072c53d928de70e86
- SSDEEP
  
  49152:3EenBpKLBz+dV0LWUEur5XVmy1rVaou58gZbkT3FjNVcXrkj6B+/T+k54Q1Wb:6VlH0MAQj8k5d18
Score

8^/10

discovery persistence
- Downloads MZ/PE file
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral3 behavioral4
- Target
  
  version.dll
- Size
  
  80KB
- MD5
  
  b8e605ae7535341bbcdee7a09639854f
- SHA1
  
  871e10df7f4beec98c868833c0bc1d4b535b7d7c
- SHA256
  
  8ae66c5a87a0bfc63cbf2f5b810619ef61051153c5e3b7e2ac0b757245a59611
- SHA512
  
  eb105cdea155e3c4ff473d6f9ed9c5272978342408762f07dfd933e45ef9bbc486e0d37090029aeab10dede2a7e206a53bc2f33b5e1c0cdf4215713d3344f4d8
- SSDEEP
  
  1536:fLuNl6d6QDCpShfA3jBi5mb2xGXgNRWsWmPcdZO1FCLUmJcBkGV8PSxVIrigT39i:fLLdNDCpZ3j3O7QZOsjJcBkGV8PSxVIa
Score

1^/10
behavioral5 behavioral6
- Target
  
  vеrsion.dll
- Size
  
  29KB
- MD5
  
  30ebac24a7d60dfb597576b46c9b82fb
- SHA1
  
  a05a9082dc84c34ef876521b11e28f6684db484a
- SHA256
  
  6426cf806ecfc1432326bd4e0c9d0bba25b8db8ff5a79ef2722e7ddd889a8f30
- SHA512
  
  698dbb2ebda4511d009af4094dba4c30c5f6e4e6ebf202175d764600b5c18d972c52b7d4abbceef4f933104d4e1417e3cddbe21438c40959ace1921297d3f1ba
- SSDEEP
  
  768:ArMz75YmckVPxIiTuqMwYMD2ulzxAoQzM1PVg2:ArMzKmckVPxIiTuqMwr2ulzxAoQoPVg2
Score

3^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

discoverypersistence

behavioral5

behavioral6

behavioral7

behavioral8