69150d79edd91e8474af86f2a559359ca0de40e8ecf626ab524e59fd728474cc | Triage

Submit
Reports

Overview

overview

6

Static

static

1

onestartpdfdirect.msi

windows10-2004-x64

6

Sharing

General

Target

onestartpdfdirect.msi.zip
Size

1.7MB
Sample

250401-s49w4s1xbw
MD5

a981b9b2c99cf290f6a9a0a8f036699e
SHA1

adeee8fcfe19a077467bd4a0f5a82c08672f9921
SHA256

69150d79edd91e8474af86f2a559359ca0de40e8ecf626ab524e59fd728474cc
SHA512

356a051028b9e057dbaac83981e0077b862d98e3c18592ed9eab7c4ea02c685748b5e78161a93c2500676c862aa485132a96218ab072001ff37ef0213387bdf7
SSDEEP

49152:25qfIa/CZJSnjQptaKcam7KbcccLvyXlG:6qQa/CZJkjQHDcammYc4KQ

Score

6^/10

discovery persistence privilege_escalation spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

onestartpdfdirect.msi

Resource

win10v2004-20250313-en

discovery persistence privilege_escalation spyware stealer

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Targets

- Target
  
  onestartpdfdirect.msi.bin
- Size
  
  3.8MB
- MD5
  
  904366068865fa2d5ce89b23afc4f065
- SHA1
  
  8542dfd1a378928a507e56c7ba07adf8c45f1373
- SHA256
  
  f7d5e33b15325633b1bd6f1628b0c28f8a94517ad8f77614390f7538fae9eee6
- SHA512
  
  7823507afdc8783945eef59c5bd6fb78283e94b041fba7d468a7d4314800558b32712454ad1f227c85e5142d214723152f9795c714fae3670d13c41ecd0b9ae2
- SSDEEP
  
  49152:dgTfz0A+biU50unDNyGAvmq6KGk/cHrOGGY8Wea/xwuy2QxNwCsec+4VGWSlnfYC:QKUvN6TkkHQ2tVvO3PfY4
Score

6^/10

discovery persistence privilege_escalation spyware stealer
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Installer Packages

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Installer Packages

Defense Evasion

Modify Registry

System Binary Proxy Execution

Msiexec

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalationspywarestealer

© 2018-2025

Terms | Privacy