6f095907a58ecff4d78e0aa3ce1f8a8202354fda9feb8f91cfef40c92c1672e5

Analysis

max time kernel
1177s
max time network
1179s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-09-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneDrive.exe
Size

2.5MB
MD5

45c75d62b9436ebad171f7c1526def66
SHA1

6cf58108ca08e8ac451e6225a9eb3be2c6d6e9f1
SHA256

cadfb7febc9adc18f902e7ba6ea80ed47031882d0beec31e5c4875c0745c0611
SHA512

dbf12ae6f97adfdc4719f8cdeacff4a71d6263d197491bcd16f0b1d75a67d9681fec865962a159061fb7ccc1b7c1574686f35986f083178092850e9aadaa47c1
SSDEEP

49152:8LJcjw/QU/+lTo2DaC+BEXXyTtsBP/OlsLzFmNfW6FJKxxfZA4Xy:84o8ayXzBP/OlsLzFmNfW6FJKxxfZA4i

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VERSION.dll	OneDrive.exe
File created	C:\Program Files\onedrive.exe	OneDrive.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
2780	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 3808	3828	OneDrive.exe	81
PID 3828 wrote to memory of 3808	3828	OneDrive.exe	81
PID 3828 wrote to memory of 4436	3828	OneDrive.exe	82
PID 3828 wrote to memory of 4436	3828	OneDrive.exe	82
PID 3808 wrote to memory of 2780	3808	cmd.exe	86
PID 3808 wrote to memory of 2780	3808	cmd.exe	86
PID 4436 wrote to memory of 2260	4436	cmd.exe	85
PID 4436 wrote to memory of 2260	4436	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn NvProfileUpdaterOn_100227281862213723307115523515335857327 /tr C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn NvProfileUpdaterOn_100227281862213723307115523515335857327 /tr C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2780
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn NvProfileUpdaterOn_125776113636160876988555805616212973451 /tr C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn NvProfileUpdaterOn_125776113636160876988555805616212973451 /tr C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3828-1-0x000001C003750000-0x000001C0037A8000-memory.dmp

Filesize
352KB

Download
memory/3828-0-0x000001C003700000-0x000001C00374B000-memory.dmp

Filesize
300KB

Download
memory/3828-2-0x000001C003750000-0x000001C0037A8000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads