DigitalSide Threat Intel

OneDriveUpdate.exe

First submission 2022-08-03 10:18:02

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
File type: 384.0 KB (393216 bytes)
Compile time: 2022-07-09 12:19:20
MD5: 797c11df23ab1ee9b72cc85803e0aa90
SHA1: 41ec187cd17ee0f34ec0356b8419575eaa38bbd8
SHA256: 50276571b60c05a68976baa27cf72ee5e5099e4528104281b7fbc8626ece0360
Import Hash : e07d5b7cbc0bb851691e27f13758b2a0
Sections 6 .text .rdata .data .pdata .rsrc .reloc
Directories 3 import resource relocation
Virus Total: 19/70 VT report date: 2022-07-25 19:35:51

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 2

URL Host (FQDN/IP) Date Added
hXXp://146.70.24.168/load/OneDriveUpdate.exe VirusTotal Report 146.70.24.168 VirusTotal Report 2022-08-03 10:18:02
hXXps://dexpsystem.com/load/OneDriveUpdate.exe VirusTotal Report dexpsystem.com VirusTotal Report 2022-08-03 10:46:07

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x9058 37376 3f5f76dde42f0f465fc99065b1aa9fc7cc1bcdc8 3ca896d2b5bd276d8f4a84d3eb4dffe5
.rdata 0xb000 0x2994 10752 0889f13f8925c2540c69508d62291da2ea32d9dc 02a064bd1142e4433c9e882c303e83ce
.data 0xe000 0x54198 339968 92febcaa82263c7e4ceb163c5d9e63decd784e01 16d3b4d0c4395324b6b77cc7f32a5a50
.pdata 0x63000 0x6c0 2048 496e6020a26311fd2851a778efe6d189802dff4d 6860e195424ceffc13483e170b407784
.rsrc 0x64000 0x1b4 512 50db0f0302b60587135944fcabc415b04dff6909 dd03df27c412a441383fd4fa8b3e3dc1
.reloc 0x65000 0x5f0 1536 4d00f072e3b788fe197e32aa1aea72fb934f150d ec10e2d866af83cebe47b1aede40796b

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x64058 346

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 4

GetLastError
IsDebuggerPresent
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
USER32.dll
mscoree.dll
KERNEL32.dll

Import functions

Function Address Souspicious Anti Debug
lstrlenA 0x14000b000
GetSystemDefaultLCID 0x14000b008
GetTickCount 0x14000b010
Sleep 0x14000b018
GetProcAddress 0x14000b020
VirtualAlloc 0x14000b028
LoadLibraryA 0x14000b030
VirtualProtect 0x14000b038
GetUserDefaultUILanguage 0x14000b040
GetSystemTime 0x14000b048
CreateThread 0x14000b050
GetCommandLineA 0x14000b058
GetStartupInfoW 0x14000b060
TerminateProcess 0x14000b068
GetCurrentProcess 0x14000b070
UnhandledExceptionFilter 0x14000b078
SetUnhandledExceptionFilter 0x14000b080
IsDebuggerPresent 0x14000b088
RtlVirtualUnwind 0x14000b090
RtlLookupFunctionEntry 0x14000b098
RtlCaptureContext 0x14000b0a0
GetModuleHandleW 0x14000b0a8
ExitProcess 0x14000b0b0
DecodePointer 0x14000b0b8
WriteFile 0x14000b0c0
GetStdHandle 0x14000b0c8
GetModuleFileNameW 0x14000b0d0
RtlUnwindEx 0x14000b0d8
GetModuleFileNameA 0x14000b0e0
FreeEnvironmentStringsW 0x14000b0e8
WideCharToMultiByte 0x14000b0f0
GetEnvironmentStringsW 0x14000b0f8
SetHandleCount 0x14000b100
InitializeCriticalSectionAndSpinCount 0x14000b108
GetFileType 0x14000b110
DeleteCriticalSection 0x14000b118
EncodePointer 0x14000b120
FlsGetValue 0x14000b128
FlsSetValue 0x14000b130
FlsFree 0x14000b138
SetLastError 0x14000b140
GetCurrentThreadId 0x14000b148
GetLastError 0x14000b150
FlsAlloc 0x14000b158
HeapSetInformation 0x14000b160
GetVersion 0x14000b168
HeapCreate 0x14000b170
QueryPerformanceCounter 0x14000b178
GetCurrentProcessId 0x14000b180
GetSystemTimeAsFileTime 0x14000b188
LeaveCriticalSection 0x14000b190
EnterCriticalSection 0x14000b198
LoadLibraryW 0x14000b1a0
GetCPInfo 0x14000b1a8
GetACP 0x14000b1b0
GetOEMCP 0x14000b1b8
IsValidCodePage 0x14000b1c0
HeapFree 0x14000b1c8
HeapSize 0x14000b1d0
LCMapStringW 0x14000b1d8
MultiByteToWideChar 0x14000b1e0
GetStringTypeW 0x14000b1e8
HeapAlloc 0x14000b1f0
HeapReAlloc 0x14000b1f8
Function Address Souspicious Anti Debug
MessageBoxW 0x14000b208