Analysis
  max time kernel: 90s
  max time network: 168s
  platform: windows10-2004_x64
  resource: win10v2004-20220722-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-07-2022 05:23
Static task: static1
Behavioral task: behavioral1
  Sample: OikClient10Setup.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: OikClient10Setup.exe
  Resource: win10v2004-20220722-en
General
  Target: OikClient10Setup.exe
  Size: 175.0MB
  MD5: cfdc9285db6fecab812c16ef4c083af4
  SHA1: 338864806e3540e2baceb757090937810a261379
  SHA256: 9699d9988c3af5537eb02acc1b3aba06fec8ba2629f082cfa08b86348531ea9a
  SHA512: abc1d08e851632c30fd7b164fd95e7d0790e9cab9bdf549998d49b574e2fc6a3dd8cce20caa4c81e4e2131ce9ef787697a6fc0c6fee4881a710d9128ea3519d1
Malware Config
Signatures
- Loads dropped DLL (9 IoCs)
  Processes:
    pid   process
    3884  OikClient10Setup.exe
    3884  OikClient10Setup.exe
    4492  MsiExec.exe
    4492  MsiExec.exe
    4492  MsiExec.exe
    4492  MsiExec.exe
    4492  MsiExec.exe
    4492  MsiExec.exe
    4492  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\H:  OikClient10Setup.exe
    File opened (read-only)  \??\K:  OikClient10Setup.exe
    File opened (read-only)  \??\O:  OikClient10Setup.exe
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\E:  OikClient10Setup.exe
    File opened (read-only)  \??\I:  OikClient10Setup.exe
    File opened (read-only)  \??\L:  OikClient10Setup.exe
    File opened (read-only)  \??\V:  OikClient10Setup.exe
    File opened (read-only)  \??\W:  OikClient10Setup.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\G:  OikClient10Setup.exe
    File opened (read-only)  \??\N:  OikClient10Setup.exe
    File opened (read-only)  \??\V:  msiexec.exe
    File opened (read-only)  \??\B:  OikClient10Setup.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\X:  OikClient10Setup.exe
    File opened (read-only)  \??\F:  OikClient10Setup.exe
    File opened (read-only)  \??\P:  OikClient10Setup.exe
    File opened (read-only)  \??\Q:  OikClient10Setup.exe
    File opened (read-only)  \??\R:  OikClient10Setup.exe
    File opened (read-only)  \??\Y:  OikClient10Setup.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\A:  OikClient10Setup.exe
    File opened (read-only)  \??\Z:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\T:  OikClient10Setup.exe
    File opened (read-only)  \??\S:  OikClient10Setup.exe
    File opened (read-only)  \??\Z:  OikClient10Setup.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\F:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\M:  OikClient10Setup.exe
    File opened (read-only)  \??\U:  OikClient10Setup.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\J:  OikClient10Setup.exe
    File opened (read-only)  \??\Y:  msiexec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                           pid   process
    Token: SeSecurityPrivilege            3452  msiexec.exe
    Token: SeCreateTokenPrivilege         3884  OikClient10Setup.exe
    Token: SeAssignPrimaryTokenPrivilege  3884  OikClient10Setup.exe
    Token: SeLockMemoryPrivilege          3884  OikClient10Setup.exe
    Token: SeIncreaseQuotaPrivilege       3884  OikClient10Setup.exe
    Token: SeMachineAccountPrivilege      3884  OikClient10Setup.exe
    Token: SeTcbPrivilege                 3884  OikClient10Setup.exe
    Token: SeSecurityPrivilege            3884  OikClient10Setup.exe
    Token: SeTakeOwnershipPrivilege       3884  OikClient10Setup.exe
    Token: SeLoadDriverPrivilege          3884  OikClient10Setup.exe
    Token: SeSystemProfilePrivilege       3884  OikClient10Setup.exe
    Token: SeSystemtimePrivilege          3884  OikClient10Setup.exe
    Token: SeProfSingleProcessPrivilege   3884  OikClient10Setup.exe
    Token: SeIncBasePriorityPrivilege     3884  OikClient10Setup.exe
    Token: SeCreatePagefilePrivilege      3884  OikClient10Setup.exe
    Token: SeCreatePermanentPrivilege     3884  OikClient10Setup.exe
    Token: SeBackupPrivilege              3884  OikClient10Setup.exe
    Token: SeRestorePrivilege             3884  OikClient10Setup.exe
    Token: SeShutdownPrivilege            3884  OikClient10Setup.exe
    Token: SeDebugPrivilege               3884  OikClient10Setup.exe
    Token: SeAuditPrivilege               3884  OikClient10Setup.exe
    Token: SeSystemEnvironmentPrivilege   3884  OikClient10Setup.exe
    Token: SeChangeNotifyPrivilege        3884  OikClient10Setup.exe
    Token: SeRemoteShutdownPrivilege      3884  OikClient10Setup.exe
    Token: SeUndockPrivilege              3884  OikClient10Setup.exe
    Token: SeSyncAgentPrivilege           3884  OikClient10Setup.exe
    Token: SeEnableDelegationPrivilege    3884  OikClient10Setup.exe
    Token: SeManageVolumePrivilege        3884  OikClient10Setup.exe
    Token: SeImpersonatePrivilege         3884  OikClient10Setup.exe
    Token: SeCreateGlobalPrivilege        3884  OikClient10Setup.exe
    Token: SeCreateTokenPrivilege         3884  OikClient10Setup.exe
    Token: SeAssignPrimaryTokenPrivilege  3884  OikClient10Setup.exe
    Token: SeLockMemoryPrivilege          3884  OikClient10Setup.exe
    Token: SeIncreaseQuotaPrivilege       3884  OikClient10Setup.exe
    Token: SeMachineAccountPrivilege      3884  OikClient10Setup.exe
    Token: SeTcbPrivilege                 3884  OikClient10Setup.exe
    Token: SeSecurityPrivilege            3884  OikClient10Setup.exe
    Token: SeTakeOwnershipPrivilege       3884  OikClient10Setup.exe
    Token: SeLoadDriverPrivilege          3884  OikClient10Setup.exe
    Token: SeSystemProfilePrivilege       3884  OikClient10Setup.exe
    Token: SeSystemtimePrivilege          3884  OikClient10Setup.exe
    Token: SeProfSingleProcessPrivilege   3884  OikClient10Setup.exe
    Token: SeIncBasePriorityPrivilege     3884  OikClient10Setup.exe
    Token: SeCreatePagefilePrivilege      3884  OikClient10Setup.exe
    Token: SeCreatePermanentPrivilege     3884  OikClient10Setup.exe
    Token: SeBackupPrivilege              3884  OikClient10Setup.exe
    Token: SeRestorePrivilege             3884  OikClient10Setup.exe
    Token: SeShutdownPrivilege            3884  OikClient10Setup.exe
    Token: SeDebugPrivilege               3884  OikClient10Setup.exe
    Token: SeAuditPrivilege               3884  OikClient10Setup.exe
    Token: SeSystemEnvironmentPrivilege   3884  OikClient10Setup.exe
    Token: SeChangeNotifyPrivilege        3884  OikClient10Setup.exe
    Token: SeRemoteShutdownPrivilege      3884  OikClient10Setup.exe
    Token: SeUndockPrivilege              3884  OikClient10Setup.exe
    Token: SeSyncAgentPrivilege           3884  OikClient10Setup.exe
    Token: SeEnableDelegationPrivilege    3884  OikClient10Setup.exe
    Token: SeManageVolumePrivilege        3884  OikClient10Setup.exe
    Token: SeImpersonatePrivilege         3884  OikClient10Setup.exe
    Token: SeCreateGlobalPrivilege        3884  OikClient10Setup.exe
    Token: SeCreateTokenPrivilege         3884  OikClient10Setup.exe
    Token: SeAssignPrimaryTokenPrivilege  3884  OikClient10Setup.exe
    Token: SeLockMemoryPrivilege          3884  OikClient10Setup.exe
    Token: SeIncreaseQuotaPrivilege       3884  OikClient10Setup.exe
    Token: SeMachineAccountPrivilege      3884  OikClient10Setup.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    3884  OikClient10Setup.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process      target process
    PID 3452 wrote to memory of 4492  3452  msiexec.exe  MsiExec.exe
    PID 3452 wrote to memory of 4492  3452  msiexec.exe  MsiExec.exe
    PID 3452 wrote to memory of 4492  3452  msiexec.exe  MsiExec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\OikClient10Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OikClient10Setup.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of msiexec.exe)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding EEEC47F24753E46CA178DFFE2CEFA12C C
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSIC034.tmp
  Filesize: 381KB
  MD5: 891de63dad09d3f100263727297e9205
  SHA1: aeb1c23ab5014dca9d5208afe96585b40ac2a27e
  SHA256: 96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50
  SHA512: f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6
- C:\Users\Admin\AppData\Local\Temp\MSIC296.tmp
  Filesize: 540KB
  MD5: fa7b536cc7e5367d3be3311680bbd94e
  SHA1: 1201a2ab797507bf8e9b4e6c09ea0c6d4d62f271
  SHA256: f09c8e1a8bc1430a374d1fcd863934f2e2414cf41d6b08b40ec20b7171ed0282
  SHA512: e7ab0b2b19d393e503bdcf77135298086b569a1dc746b47a70bb79f6aac9a3460e25d8b47f8943d947fe25acfab35c3557430c431d964d16ada19700c8012542
- C:\Users\Admin\AppData\Local\Temp\MSIC354.tmp
  Filesize: 381KB
  MD5: 891de63dad09d3f100263727297e9205
  SHA1: aeb1c23ab5014dca9d5208afe96585b40ac2a27e
  SHA256: 96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50
  SHA512: f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6
- C:\Users\Admin\AppData\Local\Temp\MSIC374.tmp
  Filesize: 381KB
  MD5: 891de63dad09d3f100263727297e9205
  SHA1: aeb1c23ab5014dca9d5208afe96585b40ac2a27e
  SHA256: 96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50
  SHA512: f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6
- C:\Users\Admin\AppData\Local\Temp\MSIC3F2.tmp
  Filesize: 381KB
  MD5: 891de63dad09d3f100263727297e9205
  SHA1: aeb1c23ab5014dca9d5208afe96585b40ac2a27e
  SHA256: 96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50
  SHA512: f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6
- C:\Users\Admin\AppData\Local\Temp\MSIC422.tmp
  Filesize: 381KB
  MD5: 891de63dad09d3f100263727297e9205
  SHA1: aeb1c23ab5014dca9d5208afe96585b40ac2a27e
  SHA256: 96513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50
  SHA512: f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6
- C:\Users\Admin\AppData\Local\Temp\MSIC4EE.tmp
  Filesize: 540KB
  MD5: fa7b536cc7e5367d3be3311680bbd94e
  SHA1: 1201a2ab797507bf8e9b4e6c09ea0c6d4d62f271
  SHA256: f09c8e1a8bc1430a374d1fcd863934f2e2414cf41d6b08b40ec20b7171ed0282
  SHA512: e7ab0b2b19d393e503bdcf77135298086b569a1dc746b47a70bb79f6aac9a3460e25d8b47f8943d947fe25acfab35c3557430c431d964d16ada19700c8012542
- C:\Users\Admin\AppData\Roaming\ООО «НТК Интерфейс»\Клиент10 «ОИК Диспетчер НТ» 22.9.67\install\decoder.dll
  Filesize: 182KB
  MD5: 8b18209ce76d738254694ec221993906
  SHA1: c4b58dcde33331aef8879a2a5dca2c119a1a2827
  SHA256: 355b570d6cf04050e92b939180aaad4f71a2e3050d8efe338bb277bb9d1eba1f
  SHA512: 38b59e5af487272e045bbf363a91e55a09d50b1a14ce101789c85cd64f1579e82e872840da67c48f04783cf202713db1c11f01b2190724739a15d4b3de8f1724
- memory/4492-134-0x0000000000000000-mapping.dmp