Analysis
- max time kernel: 175s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 14-04-2022 12:59
Behavioral task: behavioral1
- Sample: opengl installer.exe
- Resource: win7-20220414-en
General
- Target: opengl installer.exe
- Size: 252KB
- MD5: ad987dd8602b2b78090a08f73212a7a0
- SHA1: 4cc227c83d1403a29c2f68ef0afe12725e0dc996
- SHA256: 5a2ab897c8f8d779118f7e29f018796913274a8e6d7d815955c028bd9a576360
- SHA512: 248f94693dd0ee2514f900a1d68356179e971c29ca625fb499aab6dc7767dedcf452dfa9ccc571c06cb2cbdd32798d7451bbc4a917014b5147e22ffdec3bd47d
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: opengl installer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\msdcsc.exe" (opengl installer.exe)
- Disables RegEdit via registry modification
- Executes dropped EXE (1 IoC)
  Processes: msdcsc.exe
  PID 5076: msdcsc.exe
- YARA rule matches
  resource: behavioral2/files/0x0009000000021e39-125.dat, rule: upx
  resource: behavioral2/files/0x0009000000021e39-126.dat, rule: upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: opengl installer.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation (opengl installer.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: opengl installer.exe, msdcsc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\msdcsc.exe" (opengl installer.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\msdcsc.exe" (msdcsc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: opengl installer.exe, msdcsc.exe
  opengl installer.exe (PID 432), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  msdcsc.exe (PID 5076), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe
  PID 5076: msdcsc.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: opengl installer.exe, msdcsc.exe
  PID 432 (opengl installer.exe) wrote to memory of PID 5076, target procid 82 (3 times)
  PID 5076 (msdcsc.exe) wrote to memory of PID 4568, target procid 83 (22 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\opengl installer.exe ("C:\Users\Admin\AppData\Local\Temp\opengl installer.exe"), PID 432
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\msdcsc.exe ("C:\Users\Admin\AppData\Local\Temp\Microsoft\msdcsc.exe"), PID 5076
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (notepad), PID 4568
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 252KB
  MD5: ad987dd8602b2b78090a08f73212a7a0
  SHA1: 4cc227c83d1403a29c2f68ef0afe12725e0dc996
  SHA256: 5a2ab897c8f8d779118f7e29f018796913274a8e6d7d815955c028bd9a576360
  SHA512: 248f94693dd0ee2514f900a1d68356179e971c29ca625fb499aab6dc7767dedcf452dfa9ccc571c06cb2cbdd32798d7451bbc4a917014b5147e22ffdec3bd47d