Analysis

  • max time kernel: 300s
  • max time network: 311s
  • platform: windows11_x64
  • resource: win11
  • submitted: 21-10-2021 12:43

General

  • Target: OQfFxsl.exe
  • Size: 1.6MB
  • MD5: 44150395748c027ef5f8eed812f620b0
  • SHA1: 0d26c44e5e93a08da7504344498d3275ca11653e
  • SHA256: 144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f
  • SHA512: 5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Sets service image path in registry (2 TTPs)
  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (8 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (64 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

Each entry gives the image path, the command line as recorded, the tree depth and the PID, followed by the signatures attributed to that process.

  • C:\Users\Admin\AppData\Local\Temp\OQfFxsl.exe (depth 1, PID 3524)
    command line: "C:\Users\Admin\AppData\Local\Temp\OQfFxsl.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\dllhost.exe (depth 2, PID 2904)
      command line: dllhost.exe
    • C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1348)
      command line: cmd /c cmd < Starne.mid
      - Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4800)
        command line: cmd
        - Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\findstr.exe (depth 4, PID 880)
          command line: findstr /V /R "^kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL$" Sorte.mid
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com (depth 4, PID 1432)
          command line: Nascondere.exe.com W
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com (depth 5, PID 1876)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com W
            - Executes dropped EXE
            - Drops startup file
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe (depth 6, PID 3472)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
        • C:\Windows\SysWOW64\PING.EXE (depth 4, PID 1636)
          command line: ping localhost
          - Runs ping.exe
  • C:\Windows\System32\WaaSMedicAgent.exe (depth 1, PID 772)
    command line: C:\Windows\System32\WaaSMedicAgent.exe 1473845e516de8a27a644a728640e6d9 QIua1VE8aEawD076wPkcgQ.0.1.0.3.0
    - Modifies data under HKEY_USERS
  • C:\Windows\system32\svchost.exe (depth 1, PID 2432)
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\svchost.exe (depth 1, PID 2000)
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (depth 2, PID 1540)
      command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe (depth 1, PID 3664)
    command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  • C:\Windows\System32\WaaSMedicAgent.exe (depth 1, PID 5092)
    command line: C:\Windows\System32\WaaSMedicAgent.exe 1473845e516de8a27a644a728640e6d9 QIua1VE8aEawD076wPkcgQ.0.1.0.3.0
    - Modifies data under HKEY_USERS
  • C:\Windows\System32\WaaSMedicAgent.exe (depth 1, PID 4592)
    command line: C:\Windows\System32\WaaSMedicAgent.exe 1473845e516de8a27a644a728640e6d9 QIua1VE8aEawD076wPkcgQ.0.1.0.3.0
    - Modifies data under HKEY_USERS

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060): 2
  • Defense Evasion: Modify Registry (T1112): 2
  • Discovery: Query Registry (T1012): 1
  • Discovery: System Information Discovery (T1082): 1
  • Discovery: Remote System Discovery (T1018): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ambo.mid
    MD5: e44fd575c6528190adc21c41297c7f0f
    SHA1: 4a834789bb3ddeea37cd30861a4c0bb639eeafed
    SHA256: 9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547
    SHA512: 443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ami.mid
    MD5: c2a501f010bf7b1c7a9777c3b93e19ef
    SHA1: d00adfeb88b435786f32cf7f45c1aae141690600
    SHA256: 312d9b0380e5d8fd0bbee92b5d7f22a09b9278cbd7457777a08e2df5a859aff9
    SHA512: 2850ad61312adc4d059e62c7dfaebabaa74ac280773e24920b746a56884d8c490b1d5c6637d56c966ca284a9cd515330d38faff55cfe77a1bd11f54f2c82f6fd

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
    MD5: 42ab6e035df99a43dbb879c86b620b91
    SHA1: c6e116569d17d8142dbb217b1f8bfa95bc148c38
    SHA256: 53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b
    SHA512: 2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorte.mid
    MD5: ca6c6b8893411108280a0daf1a4d7d61
    SHA1: b791c3cdec5711baafa7be643d2d9a0a10ae0835
    SHA256: 61b5e21e9798a8bf59a1c2e284d78d86706b4dc9bd6bef46bce54af95886bb46
    SHA512: c0f8c6e6c08a96d6bc9b77af1f300d45b011faa606c85b6220b89d890692d200230c16a206fa6c94a5f9e1568eb10181199a0d6b80b94f80706a5cd00f4fdbcf

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Starne.mid
    MD5: 603011f56db8309b2d5c4ea0a1c57a47
    SHA1: 91ffdd8dbc6c5935c954f2764bec480ae32a1432
    SHA256: 5e4c34d70260f9bc2ce9f44b8fdef503667493f8d7c9d13b659da3b270a053f0
    SHA512: b1d53112fb89fc755e3933e88bcabd1ce2a2aa0032c948530769d96d06ca066d106fcdf2127348e618c7aac8b24b21ddbbdbdfd5113a641dbcd2da217d9ebdbe

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
    MD5: e44fd575c6528190adc21c41297c7f0f
    SHA1: 4a834789bb3ddeea37cd30861a4c0bb639eeafed
    SHA256: 9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547
    SHA512: 443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f
