Analysis

  • max time kernel
    31s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 18:55

Errors

  • Reason
    Machine shutdown

General

  • Target
    FukOneDrive.exe
  • Size
    466KB
  • MD5
    038f9cc38d70854f617fc309ce658389
  • SHA1
    c180b95e6e28f697f56897c841eb8068c04cbeba
  • SHA256
    fb711c8e0525c98ea98df7a4d0386d4629de88fa233ae55eab91c612f869fa09
  • SHA512
    35200a8acb4d0154b0e188d604c2aaf6463cf243192cd65805ab659a954eff6d57257aae48f933557fd334d0c7754e0cdd27f6d484e76c161e979fce9a66bca2
  • SSDEEP
    6144:I5aMJNLwL73PZPkFr1jilzqqVWk6855JKSFtIooEbQOW7WiDf7U:IOxPkPjQeqQ1Y53KRdr7U

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FukOneDrive.exe
    "C:\Users\Admin\AppData\Local\Temp\FukOneDrive.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Fuk OneDrive Files\OneDrive.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\system32\fltMC.exe
        fltmc
        3⤵
          PID:1640
        • C:\Windows\system32\tasklist.exe
          tasklist /fi "ImageName eq OneDrive.exe" /fo csv
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
        • C:\Windows\system32\find.exe
          find /i "OneDrive.exe"
          3⤵
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -ExecutionPolicy Unrestricted -Command "$keyName = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'; $valueName = 'OneDrive'; $hive = $keyName.Split('\')[0]; $path = """$($hive):$($keyName.Substring($hive.Length))"""; Write-Host """Removing the registry value '$valueName' from '$path'."""; if (-Not (Test-Path -LiteralPath $path)) { Write-Host 'Skipping, no action needed, registry key does not exist.'; Exit 0; }; $existingValueNames = (Get-ItemProperty -LiteralPath $path).PSObject.Properties.Name; if (-Not ($existingValueNames -Contains $valueName)) { Write-Host 'Skipping, no action needed, registry value does not exist.'; Exit 0; }; try { if ($valueName -ieq '(default)') { Write-Host 'Removing the default value.'; $(Get-Item -LiteralPath $path).OpenSubKey('', $true).DeleteValue(''); } else { Remove-ItemProperty -LiteralPath $path -Name $valueName -Force -ErrorAction Stop; }; Write-Host 'Successfully removed the registry value.'; } catch { Write-Error """Failed to remove the registry value: $($_.Exception.Message)"""; }"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2016
          • C:\Windows\SysWOW64\OneDriveSetup.exe
            "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3340
            • C:\Windows\SysWOW64\OneDriveSetup.exe
              "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-2412658365-3084825385-3340777666-1000
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4920
            • C:\Windows\SysWOW64\OneDriveSetup.exe
              C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
              4⤵
              • Modifies system executable filetype association
              • Drops desktop.ini file(s)
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3088
              • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
                "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
                5⤵
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:2484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\OneDrive*'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; $deletedCount = 0; $failedCount = 0; $oneDriveUserFolderPattern = [System.Environment]::ExpandEnvironmentVariables('C:\Users\Admin\OneDrive') + '*'; while ($true) { <# Loop to control the execution of the subsequent code #>; try { $userShellFoldersRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; if (-not (Test-Path $userShellFoldersRegistryPath)) { Write-Output """Skipping verification: The registry path for user shell folders is missing: `"""$userShellFoldersRegistryPath`""""""; break; }; $userShellFoldersRegistryKeys = Get-ItemProperty -Path $userShellFoldersRegistryPath; $userShellFoldersEntries = @($userShellFoldersRegistryKeys.PSObject.Properties); if ($userShellFoldersEntries.Count -eq 0) { Write-Warning """Skipping verification: No entries found for user shell folders in the registry: `"""$userShellFoldersRegistryPath`""""""; break; }; Write-Output """Initiating verification: Checking if any of the ${userShellFoldersEntries.Count} user shell folders point to the OneDrive user folder pattern ($oneDriveUserFolderPattern)."""; $userShellFoldersInOneDrive = @(); foreach ($registryEntry in $userShellFoldersEntries) { $userShellFolderName = $registryEntry.Name; $userShellFolderPath = $registryEntry.Value; if (!$userShellFolderPath) { Write-Output """Skipping: The user shell folder `"""$userShellFolderName`""" does not have a defined path."""; continue; }; $expandedUserShellFolderPath = [System.Environment]::ExpandEnvironmentVariables($userShellFolderPath); if(-not ($expandedUserShellFolderPath -like $oneDriveUserFolderPattern)) { continue; }; $userShellFoldersInOneDrive += [PSCustomObject]@{ Name = $userShellFolderName; Path = $expandedUserShellFolderPath }; }; if ($userShellFoldersInOneDrive.Count -gt 0) { $warningMessage = 'To keep your computer running smoothly, OneDrive user folder will not be deleted.'; $warningMessage += """`nIt's being used by the OS as a user shell directory for the following folders:"""; $userShellFoldersInOneDrive.ForEach( { $warningMessage += """`n- $($_.Name): $($_.Path)"""; }); Write-Warning $warningMessage; exit 0; }; Write-Output """Successfully verified that none of the $($userShellFoldersEntries.Count) user shell folders point to the OneDrive user folder pattern."""; break; } catch { Write-Warning """An error occurred during verification of user shell folders. Skipping prevent potential issues. Error: $($_.Exception.Message)"""; exit 0; }; }; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try { $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try { $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) { try { if (Test-Path -Path $path -PathType Leaf) { Write-Warning """Retaining file `"""$path`""" to safeguard your data."""; continue; } elseif (Test-Path -Path $path -PathType Container) { if ((Get-ChildItem """$path""" -Recurse | Measure-Object).Count -gt 0) { Write-Warning """Preserving non-empty folder `"""$path`""" to protect your files."""; continue; }; }; } catch { Write-Warning """An error occurred while processing `"""$path`""". Skipping to protect your data. Error: $($_.Exception.Message)"""; continue; }; if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). #>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try { Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch { $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) { Write-Warning """Failed to delete $($failedCount) items."""; }"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = """$($directoryGlob = 'C:\Users\Admin\AppData\Local\Microsoft\OneDrive'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob )"""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host """Searching for items matching pattern: `"""$($expandedPath)`"""."""; <# Not using `Get-Acl`/`Set-Acl` to avoid adjusting token privileges #>; $parentDirectory = [System.IO.Path]::GetDirectoryName($expandedPath); $fileName = [System.IO.Path]::GetFileName($expandedPath); if ($parentDirectory -like '*[*?]*') { throw """Unable to grant permissions to glob path parent directory: `"""$parentDirectory`""", wildcards in parent directory are not supported by ``takeown`` and ``icacls``."""; }; if (($fileName -ne '*') -and ($fileName -like '*[*?]*')) { throw """Unable to grant permissions to glob path file name: `"""$fileName`""", wildcards in file name is not supported by ``takeown`` and ``icacls``."""; }; Write-Host """Taking ownership of `"""$expandedPath`"""."""; $cmdPath = $expandedPath; if ($cmdPath.EndsWith('\')) { $cmdPath += '\' <# Escape trailing backslash for correct handling in batch commands #>; }; $takeOwnershipCommand = """takeown /f `"""$cmdPath`""" /a""" <# `icacls /setowner` does not succeed, so use `takeown` instead. #>; if (-not (Test-Path -Path """$expandedPath""" -PathType Leaf)) { $localizedYes = 'Y' <# Default 'Yes' flag (fallback) #>; try { $choiceOutput = cmd /c """choice <nul 2>nul"""; if ($choiceOutput -and $choiceOutput.Length -ge 2) { $localizedYes = $choiceOutput[1]; } else { Write-Warning """Failed to determine localized 'Yes' character. Output: `"""$choiceOutput`""""""; }; } catch { Write-Warning """Failed to determine localized 'Yes' character. Error: $_"""; }; $takeOwnershipCommand += """ /r /d $localizedYes"""; }; $takeOwnershipOutput = cmd /c """$takeOwnershipCommand 2>&1""" <# `stderr` message is misleading, e.g. """ERROR: The system cannot find the file specified.""" is not an error. #>; if ($LASTEXITCODE -eq 0) { Write-Host """Successfully took ownership of `"""$expandedPath`""" (using ``$takeOwnershipCommand``)."""; } else { Write-Host """Did not take ownership of `"""$expandedPath`""" using ``$takeOwnershipCommand``, status code: $LASTEXITCODE, message: $takeOwnershipOutput."""; <# Do not write as error or warning, because this can be due to missing path, it's handled in next command. #>; <# `takeown` exits with status code `1`, making it hard to handle missing path here. #>; }; Write-Host """Granting permissions for `"""$expandedPath`"""."""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminAccountName = $adminAccount.Value; $grantPermissionsCommand = """icacls `"""$cmdPath`""" /grant `"""$($adminAccountName):F`""" /t"""; $icaclsOutput = cmd /c """$grantPermissionsCommand"""; if ($LASTEXITCODE -eq 3) { Write-Host """Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."""; exit 0; } elseif ($LASTEXITCODE -ne 0) { Write-Host """Take ownership message:`n$takeOwnershipOutput"""; Write-Host """Grant permissions:`n$icaclsOutput"""; Write-Warning """Failed to assign permissions for `"""$expandedPath`""" using ``$grantPermissionsCommand``, status code: $LASTEXITCODE."""; } else { $fileStats = $icaclsOutput | ForEach-Object { $_ -match '\d+' | Out-Null; $matches[0] } | Where-Object { $_ -ne $null } | ForEach-Object { [int]$_ }; if ($fileStats.Count -gt 0 -and ($fileStats | ForEach-Object { $_ -eq 0 } | Where-Object { $_ -eq $false }).Count -eq 0) { Write-Host """Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."""; exit 0; } else { Write-Host """Successfully granted permissions for `"""$expandedPath`""" (using ``$grantPermissionsCommand``)."""; }; }; $deletedCount = 0; $failedCount = 0; $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try { $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try { $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host """Initiating processing of $($foundAbsolutePaths.Count) items from `"""$expandedPath`"""."""; foreach ($path in $foundAbsolutePaths) { if (-not (Test-Path $path)) { <# Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories). #>; Write-Host """Successfully deleted: $($path) (already deleted)."""; $deletedCount++; continue; }; try { Remove-Item -Path $path -Force -Recurse -ErrorAction Stop; $deletedCount++; Write-Host """Successfully deleted: $($path)"""; } catch { $failedCount++; Write-Warning """Unable to delete $($path): $_"""; }; }; Write-Host """Successfully deleted $($deletedCount) items."""; if ($failedCount -gt 0) { Write-Warning """Failed to delete $($failedCount) items."""; }"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:776
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "choice <nul 2>nul"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4140
              • C:\Windows\system32\choice.exe
                choice
                5⤵
                  PID:3420
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2404
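The process tree above is what an analyst actually works from: a Temp-dropped executable launches a batch file, which runs fltmc, enumerates processes with tasklist|find, and then drives three PowerShell instances with -ExecutionPolicy Unrestricted that delete the OneDrive Run value, remove the user folders, and take ownership with takeown/icacls before deleting. The script below is an added example (not code from Hatching Triage or from the sample's author) that encodes those observations as simple triage rules and runs them over a constructed copy of this tree; PIDs, parents and image paths are taken from the report as shown, the long PowerShell bodies are trimmed to the fragments the rules inspect, and the rule names, the Temp-directory heuristic and the shell list are this example's own choices rather than Triage signatures.

```python
"""Rule-based triage of a sandbox process tree (added example, not Triage code)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None marks a root process (depth 1 in the report)
    image: str
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the Processes section of this report; PowerShell bodies shortened.
SAMPLE_TREE = [
    Proc(1552, None, r"C:\Users\Admin\AppData\Local\Temp\FukOneDrive.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\FukOneDrive.exe"'),
    Proc(2684, 1552, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Program Files\Fuk OneDrive Files\OneDrive.bat" "'),
    Proc(1640, 2684, r"C:\Windows\system32\fltMC.exe", "fltmc"),
    Proc(1316, 2684, r"C:\Windows\system32\tasklist.exe",
         'tasklist /fi "ImageName eq OneDrive.exe" /fo csv'),
    Proc(1752, 2684, r"C:\Windows\system32\find.exe", 'find /i "OneDrive.exe"'),
    Proc(2016, 2684, PS,
         "PowerShell -ExecutionPolicy Unrestricted -Command \"$keyName = "
         r"'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'; ... "
         "Remove-ItemProperty -LiteralPath $path -Name $valueName -Force ...\""),
    Proc(3340, 2684, r"C:\Windows\SysWOW64\OneDriveSetup.exe",
         r'"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall'),
    Proc(4836, 2684, PS,
         "PowerShell -ExecutionPolicy Unrestricted -Command \"... "
         "Remove-Item -Path $path -Force -Recurse -ErrorAction Stop ...\""),
    Proc(776, 2684, PS,
         "PowerShell -ExecutionPolicy Unrestricted -Command \"... "
         r'takeown /f "$cmdPath" /a ... icacls "$cmdPath" /grant "$($adminAccountName):F" /t ... '
         "Remove-Item -Path $path -Force -Recurse ...\""),
    Proc(4140, 776, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "choice <nul 2>nul"'),
    Proc(3420, 4140, r"C:\Windows\system32\choice.exe", "choice"),
    Proc(2404, None, r"C:\Windows\SysWOW64\DllHost.exe",
         r"C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}"),
]

# (rule name, regex applied to the command line, image basename the rule applies to)
CMDLINE_RULES = [
    ("powershell_policy_override",
     re.compile(r"-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I), "powershell.exe"),
    ("run_key_modification",
     re.compile(r"CurrentVersion\\Run\b.*(Remove|Set|New)-ItemProperty", re.I | re.S),
     "powershell.exe"),
    ("takeown_icacls_then_delete",
     re.compile(r"\btakeown\b.*\bicacls\b.*Remove-Item", re.I | re.S), "powershell.exe"),
    ("targeted_process_enumeration",
     re.compile(r'/fi\s+"ImageName\s+eq\s+', re.I), "tasklist.exe"),
]
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)   # heuristic, this example's choice
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def triage(procs):
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    hits = {}
    for p in procs:
        fired = [name for name, rx, img in CMDLINE_RULES
                 if _base(p.image) == img and rx.search(p.cmdline)]
        # Structural rule: an executable running from the user's Temp directory
        # that spawns a command interpreter (parent/child, not command-line, based).
        if TEMP_DIR.search(p.image) and any(
                _base(c.image) in SHELLS for c in children.get(p.pid, [])):
            fired.append("temp_executable_spawns_shell")
        if fired:
            hits[p.pid] = fired
    return hits


def chain(procs, pid):
    """Image basenames from the root process down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    out = []
    while pid in by_pid:
        out.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out[::-1]


def report(procs):
    """Human-readable summary: one ancestry line per flagged PID, then its rules."""
    lines = []
    for pid, rules in sorted(triage(procs).items()):
        lines.append(f"PID {pid}: {' -> '.join(chain(procs, pid))}")
        lines.extend(f"    {r}" for r in rules)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TREE))
```

The rules fire on PIDs 1552, 1316, 2016, 4836 and 776 and stay silent on fltmc, find, OneDriveSetup.exe, choice and the DllHost root. Note what they do not decide: every behaviour flagged here is also exactly what a legitimate "remove OneDrive" batch file does (this one uninstalls via OneDriveSetup.exe, removes its own Run value, and guards the user folder deletion against User Shell Folders that point into OneDrive), so rule hits and sandbox signatures are pointers for a human to follow into the command lines, not a verdict on their own.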

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Fuk OneDrive Files\OneDrive.bat
    Filesize: 29KB
    MD5: ee9e90614c8503913f36e9c8403df858
    SHA1: 426f0a41f3e7aea087a25e2ea98134c2ca40c719
    SHA256: aab2dc2fb0b4452d4fc436bfa8c515704db6e29556dde55f4d9b390041740bb9
    SHA512: 9bf39ecd21132e48b6a977331aabc83337d439a1e33ce1ee30cd785c1b84b14994d0543d02dc180bdf042b513284ba8e4f1870f5b2ff88c1ed6247a60cdb1653
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: ec23388c471d9638ecfbeb3cb0177a0e
    SHA1: ec74ce34bb1794f37685d326cb547e56b6ef97bf
    SHA256: f5404950a156dd195de9ba35c17d4507ed9197caacfbc5d8fe7d822c4a9e40e2
    SHA512: 4544d3e723791f61379617c5045f7c7bb93cb30775c38c373dedd7fac32ebc4c15fc4280713550464932519bac55ec274cf37561eceba634de389de5423ad23a
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: ca56a5e3f0e26a55b3f0dd858e828f69
    SHA1: eaf37d60e5e54c0ac260904ebfc7448db267b78c
    SHA256: cac0e30f0f4cd30bc72853d0294b6b25d06a5e856c8f5d67945f429807a9e90f
    SHA512: 7620f2987b6e821f7170cdc0d5fbda1cc10a18dc27285b0274cf5cc2c1dd41e513afc3680c3906e074306fd5ef92cd4258165dd6e5a06e252f307061dcf97203
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: ac3bf9756600f6c31a15240716e6e7c6
    SHA1: 521aa76b55f74cafd1b579933dc0fae439acb0f5
    SHA256: f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd
    SHA512: 96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4te0lrg.qkz.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\aria-debug-3088.log
    Filesize: 470B
    MD5: 4e5010b3c4c05ef0eb67be7d0b61c6bf
    SHA1: 37b11134b18c929b9d1dd1b75a1c13a695330c57
    SHA256: eb43853a0b57141d9db4ff6c0b72e58ed7c1e3813686497fa1aa0c41c90eb7e2
    SHA512: 3aad1834b25d90d41daf7b2dd554b75d51c3a34357b22f6f0b67319d529fed1d2d56fdb59f6c922f761821d1e77af7505b39059cdc96e8582e4baf600f87554e
  • C:\Users\Admin\AppData\Local\Temp\aria-debug-4920.log
    Filesize: 470B
    MD5: e2534eac79e18a256dcd866209a9215e
    SHA1: d582931fa3d2ad0f9c6eb1b39894f1aa28b5a7d8
    SHA256: ffe391509701107bfbf9d0185b7644d93080889f88716c676c59490446e906f8
    SHA512: 5fab73a7c3ae5894a5dca9c72d59fa250677879b3f90d7babe9cc69dc5bf1b5793551012c80cc35e907f6748b3c4b1602e01d96cd030c29522021b00b4f27159
  • C:\Users\Admin\AppData\Local\Temp\tmpA1DD.tmp
    Filesize: 25.9MB
    MD5: bd2866356868563bd9d92d902cf9cc5a
    SHA1: c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
    SHA256: 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
    SHA512: 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27
  • memory/2016-14-0x000001BBC1060000-0x000001BBC1082000-memory.dmp
    Filesize: 136KB