Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

OneDriveUpdater.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.255702585045085
Filename:	OneDriveUpdater.exe
Filesize:	4200864
MD5:	792e95b64b9cf45ac8bc10d4d0f077c2
SHA1:	e50af7ee7e0a323d8aa60b6d9b3d39ab33b004f5
SHA256:	60e64dd2c6d2ac6fe9b498fadac81bc34a725de5d893e7df8b2728d8dc5b192d
SHA512:	5064c1a64fa0bd5a31b205d8b34cb85cc3da7091dd2412421f6394d42b9a596430b67ea4d05129912ad942458198280a3a69409388d2413072c53d928de70e86
SSDEEP:	49152:3EenBpKLBz+dV0LWUEur5XVmy1rVaou58gZbkT3FjNVcXrkj6B+/T+k54Q1Wb:6VlH0MAQj8k5d18
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......6x.Sr.b.r.b.r.b..kg...b..pf.{.b..pg.I.b..lk.~.b. lf.a.b. la.z.b. lg...b..ka.\|.b..kf.m.b..kd.p.b..kc._.b.r.c...b..lg...b..lb.s.b

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a connection to the internet is available	Networking	System Network Connections Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to delete services	System Summary	Service Execution Access Token Manipulation System Time Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to create services	System Summary	Windows Service Access Token Manipulation
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Archive Collected Data Data Encrypted for Impact
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to modify services (start/stop/modify)	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary	Access Token Manipulation
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Writes ini files	System Summary
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
Checks if Microsoft Office is installed	System Summary	Access Token Manipulation
PE / OLE file has a valid certificate	Compliance, System Summary
PE file exports many functions	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json

JSON data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Category:	dropped
Dump:	PreSignInSettingsConfig.json.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Users\user\Desktop\OneDriveUpdater.exe
Type:	JSON data
Entropy:	5.39444677062414
Encrypted:	false
Ssdeep:	384:poaSLGTSy3S0XuMU9mCzHS7vpvpJGV6Hu/i49Pji7iJI5TZCP56vS1xDR+dBUFvT:WryF7U9mCzHS7vu/xV2iP56vcDR+P0T
Size:	64854
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\Update.xml

XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\Update.xml
Category:	dropped
Dump:	Update.xml.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\OneDriveUpdater.exe
Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	5.650905767540785
Encrypted:	false
Ssdeep:	24:JdbC/3ZGhufHCSnnSO8fSSnedSSEfmC6MSnASo:3sMOBR2xeamFPS
Size:	899
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\OneDrive\Update\Update.xml

XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\OneDrive\Update\Update.xml
Category:	dropped
Dump:	Update.xml0.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\OneDriveUpdater.exe
Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	5.650376775847054
Encrypted:	false
Ssdeep:	48:3jOBR2xeamFP7OzoPZY2cboc0GicDSM6ydS1uyc2g55g5T:zC7TqvCcGM0uRl5E
Size:	2619
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealthSummaryConfiguration.ini

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealthSummaryConfiguration.ini
Category:	dropped
Dump:	DeviceHealthSummaryConfiguration.ini.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\OneDriveUpdater.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.779728184019344
Encrypted:	false
Ssdeep:	3:RsRo7JKIAY9PGvpZjTOjKfrQQUqNs:qVI99uvp5aYFUqNs
Size:	77
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2024-07-04.2340.7252.1.aodl

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\OneDrive\logs\Common\StandaloneUpdater-2024-07-04.2340.7252.1.aodl
Category:	dropped
Dump:	StandaloneUpdater-2024-07-04.2340.7252.1.aodl.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\OneDriveUpdater.exe
Type:	data
Entropy:	5.056512452939649
Encrypted:	false
Ssdeep:	768:FwpdE6kFc1bkFc1Q6bxFqNcL3KBEX1nFNm:FQEd1kbx
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-07-04_234035_7252-7256.log

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\StandaloneUpdate_2024-07-04_234035_7252-7256.log
Category:	dropped
Dump:	StandaloneUpdate_2024-07-04_234035_7252-7256.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\OneDriveUpdater.exe
Type:	data
Entropy:	0.910466497696784
Encrypted:	false
Ssdeep:	192:XA7Au+F8FgFJoFwfFIF3F/FmF7FeF+F8FcFJUFhEFeF:w7AuqEQJowtIVNCBKqEkJMh8K
Size:	65536
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\OneDriveUpdater.exe

"C:\Users\user\Desktop\OneDriveUpdater.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7252
Target ID:	0
Parent PID:	2580
Name:	OneDriveUpdater.exe
Path:	C:\Users\user\Desktop\OneDriveUpdater.exe
Commandline:	"C:\Users\user\Desktop\OneDriveUpdater.exe"
Size:	4200864
MD5:	792E95B64B9CF45AC8BC10D4D0F077C2
Time:	19:40:35
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7c4000000
Modulesize:	4231168
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file exports many functions	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://g.live.com/1rewlive5skydrive/OneDriveEnterpriseV2

unknown

https://g.live.com/odclientsettings/Prod

unknown

https://g.live.com/1rewlive5skydrive/OneDriveProductionV2

unknown

https://g.live.com/odclientsettings/EnterpriseG?Bi

unknown

https://g.live.com/odclientsettings/Prods

unknown

https://g.live.com/1rewlive5skydrive/ODSUInsiderV2

unknown

https://g.live.com/1rewlive5skydrive/ODSUMsitSlowV2

unknown

https://g.live.com/odclientsettings/Enterprise

unknown

https://g.live.com/odclientsettings/MsitFastl

unknown

https://g.live.com/odclientsettings/Enterprisehttps://g.live.com/odclientsettings/MsitFasthttps://g.

unknown

https://g.live.com/odclientsettings/MsitSlow#?

unknown

https://clients.config.office.net/user/v1.0/tenantassociationkey

unknown

https://clients.config.office.net/collector/v1.0/inventoryodbc:December

unknown

https://g.live.com/odclientsettings/Prodonfig

unknown

https://g.live.com/1rewlive5skydrive/ODSUMsitFastV2

unknown

https://g.live.com/1rewlive5skydrive/win81

unknown

https://dc.services.visualstudio.com/v2/track

unknown

https://g.live.com/1rewlive5skydrive/win81https://g.live.com/1rewlive5skydrive/win8https://g.live.co

unknown

https://g.live.com/1rewlive5skydrive/Onee

unknown

https://g.live.com/odclientsettings/MsitFast:?

unknown

https://g.live.com/1rewlive5skydrive/One

unknown

https://g.live.com/1rewlive5skydrive/MsitFastV2

unknown

https://g.live.com/odclientsettings/Insiders

unknown

https://g.live.com/1rewlive5skydrive/ODSUEnterpriseV2https://g.live.com/1rewlive5skydrive/ODSUMsitFa

unknown

https://g.live.com/odclientsettings/MsitSlow

unknown

https://g.live.com/1rewlive5skydrive/OneDriveInsiderV2

unknown

https://oneclient.sfx.

unknown

https://g.live.com/1rewlive5skydrive/OSRSS_32bit

unknown

https://g.live.com

unknown

https://g.live.com/odclientsettings/Enterprise%l

unknown

https://g.live.com/odclientsettings/Insidersl

unknown

https://g.live.com/1rewlive5skydrive/OSRSS_64bit

unknown

https://g.live.com/1rewlive5skydrive/OneDriveProductionV2ember:Dec:December

unknown

https://g.live.com/1rewlive5skydrive/ODSUProductionV2

unknown

https://g.live.com/odclientsettings/MsitFast

unknown

https://g.live.com/odclientsettings/MsitSlowl

unknown

https://g.live.com/1rewlive5skydrive/win7

unknown

https://g.live.com/1rewlive5skydrive/ODSUEnterpriseV2

unknown

https://g.live.com/1rewlive5skydrive/MsitSlowV2

unknown

https://g.live.com/1rewlive5skydrive/win8

unknown

https://g.live.com/1rewlive5skydrive/OneDriveProductionV2ember:Dec:Decemberd$hh0

unknown

https://g.live.com/1rewlive5skydrive/OSRSS_32bithttps://g.live.com/1rewlive5skydrive/OSRSS_64bit%loc

unknown

There are 32 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

StandaloneUpdaterSafeMode

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON

GUID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\PreSignInSettingsConfigJSON

File

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\UpdateDescriptionXml

GUID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\UpdateDescriptionXml

File

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

OdsuCheckForUpdateStartTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

OdsuCheckForUpdateEndTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\UpdateXml

GUID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\UpdateXml

File

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

UpdateBeginTimestampTryCountODSU

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

UpdateBeginTimestampODSU

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\SetupBinary

GUID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Installer\BITS\SetupBinary

File

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

OdsuCheckForUpdateStartTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

OdsuCheckForUpdateEndTime

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1BB954A3000

heap

page read and write

1BB954F2000

heap

page read and write

7FF7C43CB000

unkown

page write copy

1BB93796000

heap

page read and write

1BB936C0000

heap

page read and write

1BB937AD000

heap

page read and write

7FF7C42E9000

unkown

page readonly

1BB95435000

heap

page read and write

7FF7C43E3000

unkown

page readonly

1BB9542E000

heap

page read and write

1BB9540E000

heap

page read and write

1BB953C9000

heap

page read and write

1BB936EE000

heap

page read and write

1BB9540D000

heap

page read and write

1BB954AC000

heap

page read and write

1BB94FC0000

trusted library allocation

page read and write

1BB93794000

heap

page read and write

1BB9376C000

heap

page read and write

7FF7C4001000

unkown

page execute read

1BB9545A000

heap

page read and write

1BB93708000

heap

page read and write

1BB95475000

heap

page read and write

1BB9376E000

heap

page read and write

1BB93783000

heap

page read and write

1BB94FF0000

heap

page read and write

1BB954A3000

heap

page read and write

1BB9553B000

heap

page read and write

1BB953C1000

heap

page read and write

1BB954C0000

heap

page read and write

7FF7C42E9000

unkown

page readonly

1BB93717000

heap

page read and write

1BB9377D000

heap

page read and write

1BB937A0000

heap

page read and write

1BB94FC0000

trusted library allocation

page read and write

1BB93791000

heap

page read and write

1BB93798000

heap

page read and write

46A4EF8000

stack

page read and write

1BB953D2000

heap

page read and write

7FF7C43DD000

unkown

page read and write

1BB9550B000

heap

page read and write

1BB95455000

heap

page read and write

1BB95435000

heap

page read and write

1BB95425000

heap

page read and write

1BB953D0000

heap

page read and write

46A52F9000

stack

page read and write

46A52FC000

stack

page read and write

1BB9559E000

heap

page read and write

1BB954A2000

heap

page read and write

1BB937AA000

heap

page read and write

7FF7C4401000

unkown

page readonly

1BB95425000

heap

page read and write

1BB95819000

heap

page read and write

46A51FA000

stack

page read and write

1BB954AF000

heap

page read and write

1BB953D6000

heap

page read and write

7FF7C43E3000

unkown

page readonly

1BB93784000

heap

page read and write

1BB9378A000

heap

page read and write

1BB95070000

heap

page read and write

1BB954B4000

heap

page read and write

1BB93782000

heap

page read and write

7FF7C43C3000

unkown

page write copy

1BB953F1000

heap

page read and write

1BB95075000

heap

page read and write

1BB953C0000

heap

page read and write

1BB937BE000

heap

page read and write

1BB95499000

heap

page read and write

1BB93774000

heap

page read and write

1BB9548A000

heap

page read and write

1BB95401000

heap

page read and write

7FF7C43CA000

unkown

page read and write

1BB937AD000

heap

page read and write

46A53FF000

stack

page read and write

1BB94FE0000

heap

page read and write

1BB936C8000

heap

page read and write

1BB953D8000

heap

page read and write

1BB9379D000

heap

page read and write

1BB95416000

heap

page read and write

1BB9553D000

heap

page read and write

1BB9554D000

heap

page read and write

1BB9379D000

heap

page read and write

7FF7C4000000

unkown

page readonly

1BB953D0000

heap

page read and write

1BB953DE000

heap

page read and write

1BB93770000

heap

page read and write

1BB9377B000

heap

page read and write

1BB953E5000

heap

page read and write

1BB93778000

heap

page read and write

1BB937AD000

heap

page read and write

1BB95425000

heap

page read and write

1BB94FE2000

heap

page read and write

1BB9553D000

heap

page read and write

1BB93762000

heap

page read and write

1BB9377F000

heap

page read and write

1BB95485000

heap

page read and write

1BB937A0000

heap

page read and write

1BB95436000

heap

page read and write

1BB93794000

heap

page read and write

1BB937AD000

heap

page read and write

1BB954A3000

heap

page read and write

1BB937A5000

heap

page read and write

7FF7C43BF000

unkown

page write copy

1BB93744000

heap

page read and write

1BB93794000

heap

page read and write

1BB935A0000

heap

page read and write

1BB9554D000

heap

page read and write

1BB94F60000

heap

page read and write

1BB954A4000

heap

page read and write

1BB937BE000

heap

page read and write

1BB9552A000

heap

page read and write

1BB95800000

heap

page read and write

1BB954E2000

heap

page read and write

1BB953FA000

heap

page read and write

1BB955A2000

heap

page read and write

1BB95445000

heap

page read and write

1BB93680000

heap

page read and write

1BB93783000

heap

page read and write

46A51F6000

stack

page read and write

1BB95509000

heap

page read and write

46A4EFD000

stack

page read and write

1BB9376E000

heap

page read and write

1BB95465000

heap

page read and write

1BB937A0000

heap

page read and write

7FF7C4401000

unkown

page readonly

1BB93787000

heap

page read and write

1BB95509000

heap

page read and write

46A51FF000

stack

page read and write

1BB95435000

heap

page read and write

1BB93776000

heap

page read and write

1BB937B7000

heap

page read and write

1BB94FEA000

heap

page read and write

1BB95403000

heap

page read and write

1BB94F90000

trusted library allocation

page read and write

7FF7C4000000

unkown

page readonly

1BB954A3000

heap

page read and write

1BB9377D000

heap

page read and write

1BB93787000

heap

page read and write

7FF7C43BF000

unkown

page read and write

1BB95445000

heap

page read and write

1BB95509000

heap

page read and write

1BB954AE000

heap

page read and write

7FF7C4001000

unkown

page execute read

There are 132 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
OneDriveUpdater.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOneDriveUpdater.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
OneDriveUpdater.exe