Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-02-2021 19:20
Static task: static1
Behavioral task: behavioral1
- Sample: ff7d3b6003c9058e40ae38a6a7efe40c.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: ff7d3b6003c9058e40ae38a6a7efe40c.exe
- Resource: win10v20201028
General
- Target: ff7d3b6003c9058e40ae38a6a7efe40c.exe
- Size: 400KB
- MD5: ff7d3b6003c9058e40ae38a6a7efe40c
- SHA1: 842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
- SHA256: c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
- SHA512: 486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Windows\system32\drivers\QAssist.sys | Ogxog.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1484 | Ogxog.exe
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes (pid | process):
  1172 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1724 | ff7d3b6003c9058e40ae38a6a7efe40c.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\G: | Ogxog.exe
  File opened (read-only) | \??\I: | Ogxog.exe
  File opened (read-only) | \??\L: | Ogxog.exe
  File opened (read-only) | \??\N: | Ogxog.exe
  File opened (read-only) | \??\R: | Ogxog.exe
  File opened (read-only) | \??\U: | Ogxog.exe
  File opened (read-only) | \??\V: | Ogxog.exe
  File opened (read-only) | \??\E: | Ogxog.exe
  File opened (read-only) | \??\M: | Ogxog.exe
  File opened (read-only) | \??\P: | Ogxog.exe
  File opened (read-only) | \??\T: | Ogxog.exe
  File opened (read-only) | \??\Y: | Ogxog.exe
  File opened (read-only) | \??\K: | Ogxog.exe
  File opened (read-only) | \??\J: | Ogxog.exe
  File opened (read-only) | \??\O: | Ogxog.exe
  File opened (read-only) | \??\S: | Ogxog.exe
  File opened (read-only) | \??\W: | Ogxog.exe
  File opened (read-only) | \??\X: | Ogxog.exe
  File opened (read-only) | \??\Z: | Ogxog.exe
  File opened (read-only) | \??\B: | Ogxog.exe
  File opened (read-only) | \??\H: | Ogxog.exe
  File opened (read-only) | \??\Q: | Ogxog.exe
  File opened (read-only) | \??\F: | Ogxog.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Ogxog.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Ogxog.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes (pid | process):
  1484 | Ogxog.exe (33 identical rows)
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes (pid | process):
  1484 | Ogxog.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1724 | ff7d3b6003c9058e40ae38a6a7efe40c.exe
  Token: SeLoadDriverPrivilege | 1484 | Ogxog.exe
  Token: 33 | 1484 | Ogxog.exe
  Token: SeIncBasePriorityPrivilege | 1484 | Ogxog.exe
  Token: 33 | 1484 | Ogxog.exe
  Token: SeIncBasePriorityPrivilege | 1484 | Ogxog.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
  PID 1724 wrote to memory of 1484 | 1724 | ff7d3b6003c9058e40ae38a6a7efe40c.exe | Ogxog.exe (7 identical rows)
  PID 1724 wrote to memory of 1172 | 1724 | ff7d3b6003c9058e40ae38a6a7efe40c.exe | cmd.exe (4 identical rows)
  PID 1172 wrote to memory of 1976 | 1172 | cmd.exe | PING.EXE (4 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\ff7d3b6003c9058e40ae38a6a7efe40c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff7d3b6003c9058e40ae38a6a7efe40c.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe (depth 2)
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\FF7D3B~1.EXE > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe
  MD5: ff7d3b6003c9058e40ae38a6a7efe40c
  SHA1: 842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
  SHA256: c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
  SHA512: 486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98
- \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe
  MD5: ff7d3b6003c9058e40ae38a6a7efe40c
  SHA1: 842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
  SHA256: c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
  SHA512: 486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98
- memory/1172-7-0x0000000000000000-mapping.dmp
- memory/1484-4-0x0000000000000000-mapping.dmp
- memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp (Filesize: 8KB)
- memory/1752-9-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp (Filesize: 2.5MB)
- memory/1976-8-0x0000000000000000-mapping.dmp