c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f

General

Target

ff7d3b6003c9058e40ae38a6a7efe40c.exe
Size

400KB
MD5

ff7d3b6003c9058e40ae38a6a7efe40c
SHA1

842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
SHA256

c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
SHA512

486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

Ogxog.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys Ogxog.exe
Executes dropped EXE 1 IoCs

Processes:

Ogxog.exe

pid process

1484 Ogxog.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1172 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

ff7d3b6003c9058e40ae38a6a7efe40c.exe

pid process

1724 ff7d3b6003c9058e40ae38a6a7efe40c.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	Ogxog.exe

pid	process
1172	cmd.exe

pid	process
1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ogxog.exe

description	ioc	process
File opened (read-only)	\??\G:	Ogxog.exe
File opened (read-only)	\??\I:	Ogxog.exe
File opened (read-only)	\??\L:	Ogxog.exe
File opened (read-only)	\??\N:	Ogxog.exe
File opened (read-only)	\??\R:	Ogxog.exe
File opened (read-only)	\??\U:	Ogxog.exe
File opened (read-only)	\??\V:	Ogxog.exe
File opened (read-only)	\??\E:	Ogxog.exe
File opened (read-only)	\??\M:	Ogxog.exe
File opened (read-only)	\??\P:	Ogxog.exe
File opened (read-only)	\??\T:	Ogxog.exe
File opened (read-only)	\??\Y:	Ogxog.exe
File opened (read-only)	\??\K:	Ogxog.exe
File opened (read-only)	\??\J:	Ogxog.exe
File opened (read-only)	\??\O:	Ogxog.exe
File opened (read-only)	\??\S:	Ogxog.exe
File opened (read-only)	\??\W:	Ogxog.exe
File opened (read-only)	\??\X:	Ogxog.exe
File opened (read-only)	\??\Z:	Ogxog.exe
File opened (read-only)	\??\B:	Ogxog.exe
File opened (read-only)	\??\H:	Ogxog.exe
File opened (read-only)	\??\Q:	Ogxog.exe
File opened (read-only)	\??\F:	Ogxog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ogxog.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ogxog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ogxog.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1976 PING.EXE

pid	process
1976	PING.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

Ogxog.exe

pid	process
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe
1484	Ogxog.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Ogxog.exe

pid process

1484 Ogxog.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ff7d3b6003c9058e40ae38a6a7efe40c.exeOgxog.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe
Token: SeLoadDriverPrivilege	1484	Ogxog.exe
Token: 33	1484	Ogxog.exe
Token: SeIncBasePriorityPrivilege	1484	Ogxog.exe
Token: 33	1484	Ogxog.exe
Token: SeIncBasePriorityPrivilege	1484	Ogxog.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ff7d3b6003c9058e40ae38a6a7efe40c.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1484	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	Ogxog.exe
PID 1724 wrote to memory of 1172	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	cmd.exe
PID 1724 wrote to memory of 1172	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	cmd.exe
PID 1724 wrote to memory of 1172	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	cmd.exe
PID 1724 wrote to memory of 1172	1724	ff7d3b6003c9058e40ae38a6a7efe40c.exe	cmd.exe
PID 1172 wrote to memory of 1976	1172	cmd.exe	PING.EXE
PID 1172 wrote to memory of 1976	1172	cmd.exe	PING.EXE
PID 1172 wrote to memory of 1976	1172	cmd.exe	PING.EXE
PID 1172 wrote to memory of 1976	1172	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ff7d3b6003c9058e40ae38a6a7efe40c.exe
"C:\Users\Admin\AppData\Local\Temp\ff7d3b6003c9058e40ae38a6a7efe40c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\FF7D3B~1.EXE > nul
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe
MD5
ff7d3b6003c9058e40ae38a6a7efe40c

SHA1
842bbfb81f4a65112bc2d8e4aff8b976e5db9a55

SHA256
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f

SHA512
486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe
MD5
ff7d3b6003c9058e40ae38a6a7efe40c

SHA1
842bbfb81f4a65112bc2d8e4aff8b976e5db9a55

SHA256
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f

SHA512
486865a075b6d87187ea73ae2e76a7537f8fd63a6743adfbfc4225573e98187de4c397771061e92442fb868ab48df8cde4b9e4ebba2ef6d065456c8a4049ee98

Download Submit
memory/1172-7-0x0000000000000000-mapping.dmp

Download
memory/1484-4-0x0000000000000000-mapping.dmp

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1752-9-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp

Filesize
2.5MB

Download
memory/1976-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads