Analysis
- max time kernel: 49s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 16/06/2023, 20:58
Static task
- static1
Behavioral tasks (sample / resource)
- behavioral1: onedrive-photos.lnk / win7-20230220-en
- behavioral2: onedrive-photos.lnk / win10v2004-20230220-en
- behavioral3: onedriveupdater.exe / win7-20230220-en
- behavioral4: onedriveupdater.exe / win10v2004-20230220-en
- behavioral5: version.dll / win7-20230220-en
- behavioral6: version.dll / win10v2004-20230220-en
- behavioral7: vеrsion.dll (file name contains a non-ASCII look-alike character; a distinct file from version.dll) / win7-20230220-en
- behavioral8: vеrsion.dll (same look-alike name) / win10v2004-20230220-en
General
- Target: onedrive-photos.lnk
- Size: 2KB
- MD5: 63b00ce296162a6627510741598d0255
- SHA1: f795d55bcb1dae240e6d26644f80d1691618bf1a
- SHA256: 3115d69184d66d8e588a60b94a250dd51209e894660641ca316560ae918779eb
- SHA512: 75ffecb5c80db028cbcb78f7fc3c6a015930cc1e162cbf55040f208758e875cc212b9411c6e9d6a5928fb79e4dbf4a13057b066f08c6c89bac0a1201334c1a2b
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs, all from the same process)
  pid    process
  1492   chrome.exe
- Suspicious use of AdjustPrivilegeToken (40 IoCs, all the same token and process)
  description                  pid    process
  Token: SeShutdownPrivilege   1492   chrome.exe
- Suspicious use of FindShellTrayWindow (34 IoCs, all from the same process)
  pid    process
  1492   chrome.exe
- Suspicious use of SendNotifyMessage (32 IoCs, all from the same process)
  pid    process
  1492   chrome.exe
- Suspicious use of WriteProcessMemory (64 IoCs; distinct source/target pairs listed)
  description                        pid    process      procid_target
  PID 1088 wrote to memory of 1756   1088   cmd.exe      28
  PID 1756 wrote to memory of 1752   1756   cmd.exe      29
  PID 1492 wrote to memory of 1032   1492   chrome.exe   31
  PID 1492 wrote to memory of 768    1492   chrome.exe   33
  PID 1492 wrote to memory of 1132   1492   chrome.exe   35
  PID 1492 wrote to memory of 1104   1492   chrome.exe   34
Processes
- C:\Windows\system32\cmd.exe (PID 1088)
  cmd /c C:\Users\Admin\AppData\Local\Temp\onedrive-photos.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1756)
    "C:\Windows\System32\cmd.exe" /C start onedriveupdater.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\onedriveupdater.exe (PID 1752)
      onedriveupdater.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1492)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1032)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6859758,0x7fef6859768,0x7fef6859778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 768)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1104)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1132)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1640)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 664)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2064)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1428 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2156)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2312 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2220)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3880 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2248)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3992 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2572)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 --field-trial-handle=1248,i,13576930547175000170,8399081419899695258,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 996)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads