Overview
overview
10Static
static
10windows.zip
windows11-21h2-x64
8windows/cf...ch.vbs
windows11-21h2-x64
3windows/idc/ida.js
windows11-21h2-x64
3windows/li...le.dll
windows11-21h2-x64
8windows/libclang.dll
windows11-21h2-x64
8windows/libdwarf.dll
windows11-21h2-x64
8windows/li...le.dll
windows11-21h2-x64
8windows/libz3.dll
windows11-21h2-x64
8windows/lo...if.dll
windows11-21h2-x64
3windows/lo...ga.dll
windows11-21h2-x64
3windows/lo...of.dll
windows11-21h2-x64
3windows/lo...ut.dll
windows11-21h2-x64
8windows/lo...tar.py
windows11-21h2-x64
3windows/lo...ip.dll
windows11-21h2-x64
8windows/lo...ldr.py
windows11-21h2-x64
8windows/lo...age.py
windows11-21h2-x64
8windows/lo...rc.dll
windows11-21h2-x64
8windows/lo...ff.dll
windows11-21h2-x64
8windows/lo...x_m.py
windows11-21h2-x64
3windows/lo...ex.dll
windows11-21h2-x64
8windows/lo...os.dll
windows11-21h2-x64
3windows/lo...lod.py
windows11-21h2-x64
3windows/lo...mp.dll
windows11-21h2-x64
8windows/lo...lf.dll
windows11-21h2-x64
8windows/lo...oc.dll
windows11-21h2-x64
windows/lo...esp.py
windows11-21h2-x64
3windows/lo...ad.dll
windows11-21h2-x64
8windows/lo...os.dll
windows11-21h2-x64
8windows/lo...ex.dll
windows11-21h2-x64
8windows/lo...om.dll
windows11-21h2-x64
windows/lo...mf.dll
windows11-21h2-x64
3windows/lo...dr.dll
windows11-21h2-x64
8Analysis
-
max time kernel
415s -
max time network
443s -
platform
windows11-21h2_x64 -
resource
win11-20250207-en -
resource tags
arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system -
submitted
09-02-2025 15:25
Behavioral task
behavioral1
Sample
windows.zip
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
windows/cfg/gdb_arch.vbs
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
windows/idc/ida.js
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
windows/libSwiftDemangle.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
windows/libclang.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
windows/libdwarf.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
windows/librustdemangle.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
windows/libz3.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
windows/loaders/aif.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
windows/loaders/amiga.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
windows/loaders/aof.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
windows/loaders/aout.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
windows/loaders/archldr_tar.py
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
windows/loaders/archldr_zip.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
windows/loaders/bfltldr.py
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
windows/loaders/bios_image.py
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
windows/loaders/bochsrc.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
windows/loaders/coff.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
windows/loaders/cortex_m.py
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral20
Sample
windows/loaders/dex.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
windows/loaders/dos.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral22
Sample
windows/loaders/dsp_lod.py
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral23
Sample
windows/loaders/dump.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral24
Sample
windows/loaders/elf.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral25
Sample
windows/loaders/epoc.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral26
Sample
windows/loaders/esp.py
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral27
Sample
windows/loaders/expload.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral28
Sample
windows/loaders/geos.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral29
Sample
windows/loaders/hex.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral30
Sample
windows/loaders/hpsom.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral31
Sample
windows/loaders/intelomf.dll
Resource
win11-20250207-en
windows11-21h2-x64
Behavioral task
behavioral32
Sample
windows/loaders/javaldr.dll
Resource
win11-20250207-en
windows11-21h2-x64
General
-
Target
windows.zip
-
Size
406.3MB
-
MD5
04658cf203835d56e03e19b21a669ad6
-
SHA1
53de0846c62b10f781936e909fa29796daaee7b4
-
SHA256
30178e750e73839e5c1d60aeecab63d1c1d9059da0be19c7745f28ba06f35869
-
SHA512
3ff24f0f1ccb18a4c8ccd23471879a9ba9be23c4ea0832c7c9b42cc5aaaa8e667be9aa6252f01de35674c345f7766bcda5a1352f9aa8d3b7e621dbfbaa8d4b42
-
SSDEEP
12582912:anPlyqUMyEufTqGCZU/TgwrF24zmm0+E9SrKzPB4hL:4P8qUMyZfTqRfF4h0+koKzg
Malware Config
Signatures
-
Downloads MZ/PE file 1 IoCs
flow pid Process 8 928 Process not Found -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDrive.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDrive.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1988 MicrosoftEdgeUpdate.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 OneDrive.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OneDrive.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDrive.exe Set value (int) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDrive.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\BannerNotificationHandler.BannerNotificationHandler OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ = "IFileSyncClient7" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ = "IGetItemPropertiesCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\FileSyncClient.AutoPlayHandler\CurVer\ = "FileSyncClient.AutoPlayHandler.1" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ = "IGetSyncStatusCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\ = "SyncEngineFileInfoProvider Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ = "SyncEngineFileInfoProvider Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\FileSyncClient.AutoPlayHandler\CLSID OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ = "ISetSelectiveSyncInformationCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\ = "SyncingOverlayHandler Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0\win32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-1051229892-2838831788-3126553707-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409} OneDrive.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4056 OneDrive.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4056 OneDrive.exe 4056 OneDrive.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4056 OneDrive.exe 4056 OneDrive.exe 4056 OneDrive.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 4056 OneDrive.exe 4056 OneDrive.exe 4056 OneDrive.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4056 OneDrive.exe
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\windows.zip1⤵PID:3544
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjU5OEE4NzUtRDk4OC00MjhDLUFEMTctNzY3NjRCMjBFNDVFfSIgdXNlcmlkPSJ7NDI0NUMxRkYtMEU1NS00MTVBLUJDMUUtRUIyNzBERjYzQkYwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MEYwQUY4NzAtRDFFMy00RkFBLTgzODAtNDk1MDA0MDhFRDlEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDk2OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjY5NTc5MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4MzUxMzkxNTciLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1988
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1532
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵PID:4064
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:2900
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1cb2b5ef-1518-4bdd-953e-425b91016f62.down_data
Filesize521KB
MD5c9d293a6b8bbf69557514f3939a456cf
SHA10aec45075565c8539c734e768cef9469047ac2e0
SHA2568e80ec1e37c6079c5340a834501a919fdc5475d06c348e58077493dbc3f9512a
SHA5126fd79a2f2dd73331334cc9fb98307bdedb765dfd2bd31adf76adfc52e20386d8a4d9823f10d777381caea220127d390e7b56e908b1d197a3a4dd3ff0a288be22