General
-
Target
onestart_installer.exe.zip
-
Size
98.4MB
-
Sample
250102-qchx7ssqcx
-
MD5
a5a2751e8cc20058a102b1743fb289b6
-
SHA1
e93c9bfb07c0b5ea0e58b31851d7d8c4c39b6708
-
SHA256
56b7183db8ba4cb6580415f8905ae2d29cf2d6fbe0e6bc1fc9521c43d4cf1eed
-
SHA512
13c4c27709686aa69fe14553514c77f967ba548672c52476f567f32014ee3dfe230f05330f5c3e8a0b73816a9d54360779ca6e9e81444f67f48ff3a055bcfcac
-
SSDEEP
1572864:mxgklH4P6S+kAxR5oR+Uln2yvUVZSVYXNICGuGacF5lVyb/b4DZk:mxdknAxRC+UlnpvWSVYZvG3FE7kDK
Malware Config
Targets
-
-
Target
onestart_installer.exe
-
Size
99.0MB
-
MD5
1d599092628613f06912ec455ca61f96
-
SHA1
9dfcd7bc88f597f199e336f262e52195ee2514e4
-
SHA256
fdb0caaae3aef5b7db2f8ae96424ad0c2a3faa5fe7dc4db35a5a85bb6935eb5d
-
SHA512
deaeca59ee40e280d49290283b6e8220b47554f9d9c904e7e238dc7bc4ebe8fb13833a11291e9ac10c32b8e471f1c370a993ff8e926d17b9fb05bf8443fe277b
-
SSDEEP
3145728:qBN+aIcDxwL22tMy//zUJk3arfSuR34g/blWi1A:ghxoPz36fSng/blWAA
Score7/10-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1