Analysis
-
max time kernel
63s -
max time network
65s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
-
submitted
03-09-2023 17:52
General
-
Target
OneDrive.exe
-
Size
4.6MB
-
MD5
432d68cb451bb59c7deb1a632abd697e
-
SHA1
2b32d06fbd91b0f12043aa4ba2f3ebfa4dcfe12e
-
SHA256
91650b8ba04935b967fcd70c59de46ac7e3184d2c2ad9c68ada7134918348bb3
-
SHA512
256ca2742c3b085c40f9b716ff1a75b02bf5723a0e12b02e32742158560ddd7f0451b5d6167f22708cf8c3ccf17810281875152169133147920cad71f373b1b3
-
SSDEEP
49152:TBpcpjCuXgrVKjom2IdED5Fg0A3a0P4PKa4M3MQhkAwPSIzzWkooMlFaLwVsTq7G:YptwGomzbP4wMlVCVH3jM5su0
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 680 -s 29322⤵
- Program crash
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 316 -s 36083⤵
- Program crash
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 616 -s 7962⤵
- Program crash
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc3⤵
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
- Suspicious behavior: LoadsDriver
-
-
C:\Windows\System32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc4⤵
- Launches sc.exe
- Suspicious behavior: LoadsDriver
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\fbermxmkwuwg.xml"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe3⤵
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"2⤵
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\fbermxmkwuwg.xml"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 616 -ip 6161⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 500 -p 680 -ip 6801⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 316 -ip 3161⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 2208 -ip 22081⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2208 -s 3561⤵
- Program crash
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.6MB
MD5432d68cb451bb59c7deb1a632abd697e
SHA12b32d06fbd91b0f12043aa4ba2f3ebfa4dcfe12e
SHA25691650b8ba04935b967fcd70c59de46ac7e3184d2c2ad9c68ada7134918348bb3
SHA512256ca2742c3b085c40f9b716ff1a75b02bf5723a0e12b02e32742158560ddd7f0451b5d6167f22708cf8c3ccf17810281875152169133147920cad71f373b1b3
-
Filesize
4.6MB
MD5432d68cb451bb59c7deb1a632abd697e
SHA12b32d06fbd91b0f12043aa4ba2f3ebfa4dcfe12e
SHA25691650b8ba04935b967fcd70c59de46ac7e3184d2c2ad9c68ada7134918348bb3
SHA512256ca2742c3b085c40f9b716ff1a75b02bf5723a0e12b02e32742158560ddd7f0451b5d6167f22708cf8c3ccf17810281875152169133147920cad71f373b1b3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5546d67a48ff2bf7682cea9fac07b942e
SHA1a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA51210d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
-
Filesize
147KB
MD52698d0fe22cd0335827ddec2e9fd2d0b
SHA1539108fd8e3cfd467d6cc64570fee130c0eaac7b
SHA256402c4a0e66acfaa12853c7b8708067b10295516c81e6332842c2d444be1a6059
SHA512bc3bca8b4b49d8d59542e506322c7b745715c1741e2336515c06a0a1344e44eefa35414131911814d566309cd269f3b5138f242c580a493f86311ea2ff53769e
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
172KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB