home

OneDrive.exe

Microsoft OneDrive

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The executable OneDrive.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘OneDrive’.
Publisher:
Microsoft Corporation*  (Invalid match)

Product:
Microsoft OneDrive

Version:
17.3.6743.1212

MD5:
4206db04967cab282ea1ac8be34f7f67

SHA-1:
9b4436efc6000aee8327e9f4a71e859b1f965b00

SHA-256:
0b28253ea3894616a7ebb846843e89ad643b845f7df0adbe631d6f12d8ca36cf

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
4/26/2024 11:36:06 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Floxif.H virus
6.3.12010.0

F-Prot
W32/Floxif.B
4.6.5.141

File size:
1.5 MB (1,595,559 bytes)

Product version:
17.3.6743.1212

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
OneDrive.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\onedrive\onedrive.exe

File PE Metadata
Compilation timestamp:
12/13/2016 12:15:48 AM

OS version:
6.2

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.10

Entry address:
0x10F95

Entry point:
E9, 1A, 9B, 04, 00, E9, 75, FE, FF, FF, CC, CC, CC, CC, CC, E9, D6, 01, 00, 00, CC, CC, CC, CC, CC, FF, 35, CC, 4C, 46, 00, FF, 15, B4, 70, 46, 00, 85, C0, 74, 02, FF, D0, 6A, 01, 6A, 00, E8, F0, 32, 00, 00, 59, 59, E9, 0D, 33, 00, 00, CC, CC, CC, CC, CC, 55, 8B, EC, 83, EC, 10, EB, 0D, FF, 75, 08, E8, C7, 35, 00, 00, 59, 85, C0, 74, 11, FF, 75, 08, E8, 23, 35, 00, 00, 59, 85, C0, 74, E6, 8B, E5, 5D, C3, 6A, 01, 8D, 45, FC, C7, 45, FC, A4, 16, 40, 00, 50, 8D, 4D, F0, E8, 3C, 17, 00, 00, 68, 04, A2, 45, 00...
 
[+]

Packer / compiler:
Xtreme-Protector v1.05

Code size:
381 KB (390,144 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
OneDrive

Command:
"C:\users\{user}\appdata\local\microsoft\onedrive\onedrive.exe" \background


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to bn2ap002.device.ra.live.com  (40.77.228.74:443)

TCP (HTTP SSL):
Connects to bn2b-cor001.api.p001.1drv.com  (131.253.14.231:443)

TCP (HTTP SSL):
Connects to a-0011.a-msedge.net  (204.79.197.213:443)

TCP (HTTP SSL):
Connects to msnbot-65-52-108-217.search.msn.com  (65.52.108.217:443)

TCP (HTTP SSL):
Connects to bn3sch020022339.wns.windows.com  (65.52.108.237:443)

TCP (HTTP SSL):
Connects to by3301-g.1drv.com  (134.170.108.96:443)

TCP (HTTP SSL):
Connects to a23-44-86-230.deploy.static.akamaitechnologies.com  (23.44.86.230:443)

Remove OneDrive.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.