7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1

General

Target

7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
Size

340KB
MD5

18d4875ce0fa0ce44ffd779ae0a1b853
SHA1

d9ed97665113df352c48dc8b40b7b69d2bb94f01
SHA256

7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1
SHA512

c4f6695ba465724423f31782a2619668ca6478f202948c20c446d4dad2ce59518e80ea60d070dba6613ea5b450d9388e745d182ba3849d378550c6e1c745b7ac
SSDEEP

6144:bTfFDbRnOTrAZJrK+AQmSXmHUcWerLrUNl8Y4PYsL9xiClw0ER:d5Ot+WWmBWerLUlMAQ9xBIR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4252	osiwsk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe

Loads dropped DLL 1 IoCs

pid	Process
4476	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\	regsvr32.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\opysub.vxd	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\opysub.vxd	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File created	C:\Program Files (x86)\Common Files\__tmp_rar_sfx_access_check_240566203	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File created	C:\Program Files (x86)\Common Files\opajtl.vxd	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\opajtl.vxd	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\osiwsk.dll	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File created	C:\Program Files (x86)\Common Files\bpwoa.bat	osiwsk.exe
File created	C:\Program Files (x86)\Common Files\osiwsk.exe	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\osiwsk.exe	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
File created	C:\Program Files (x86)\Common Files\osiwsk.dll	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet explorer\Main	osiwsk.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes\baidu	osiwsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\baidu\DisplayName = "°Ù¶ÈËÑË÷"	osiwsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\baidu\URL = "http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8"	osiwsk.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes	osiwsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "baidu"	osiwsk.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.135968.cn"	osiwsk.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\osiwsk.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\ProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	osiwsk.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	osiwsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.135968.cn"	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\osiwsk.metieot\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node	osiwsk.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\osiwsk.metieot	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\osiwsk.metieot\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\osiwsk.metieot\Clsid\ = "{D0ED4452-D5F4-4820-9F52-9EF81BD16266}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID	osiwsk.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	osiwsk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	osiwsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0ED4452-D5F4-4820-9F52-9EF81BD16266}\ProgID\ = "osiwsk.metieot"	regsvr32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4476	2220	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe	81
PID 2220 wrote to memory of 4476	2220	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe	81
PID 2220 wrote to memory of 4476	2220	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe	81
PID 2220 wrote to memory of 4252	2220	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe	82
PID 2220 wrote to memory of 4252	2220	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe	82
PID 2220 wrote to memory of 4252	2220	7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe	82
PID 4252 wrote to memory of 4796	4252	osiwsk.exe	83
PID 4252 wrote to memory of 4796	4252	osiwsk.exe	83
PID 4252 wrote to memory of 4796	4252	osiwsk.exe	83

C:\Users\Admin\AppData\Local\Temp\7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe
"C:\Users\Admin\AppData\Local\Temp\7c3e38b9bbd023d400af88b790bad9c41c6e215b2d6c8dd97234e1dc436892a1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s osiwsk.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4476
- C:\Program Files (x86)\Common Files\osiwsk.exe
  "C:\Program Files (x86)\Common Files\osiwsk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Common Files\bpwoa.bat""
    3⤵
    PID:4796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\bpwoa.bat

Filesize
136B

MD5
11d347c35955310fd44aa3d1e9c7153a

SHA1
8f49825836d60440be8b40eef88272ea321e5659

SHA256
ae4dd2365fca360a36f2f120241165325343b1039bbd2319617a06506d643842

SHA512
3f5b7724ea42b4720623f2710ca4d4a4054a91cdbb802cd083c36149bc76ee17d707e9a0a6b1c9ff0fdcb6fe50f58c9fab33ffffa2591da8ca48406e92524a55

Download Submit
C:\Program Files (x86)\Common Files\osiwsk.dll

Filesize
411KB

MD5
b9fce005c177df568f306d2e366db025

SHA1
b9363e124be6e841438425819a79a9f72cedf55c

SHA256
0b27866600dd80c5c7fdb5eedb7436b9e3a3450d0226683eb93843f39363dcda

SHA512
65a618cff26285962d9549e2666c834a1f8573f8b5a002add709135450311c1debac745bd9b9bfddf87ee9a3d20cc0cacd497759558cee471832b9c876852841

Download Submit
C:\Program Files (x86)\Common Files\osiwsk.dll

Filesize
411KB

MD5
b9fce005c177df568f306d2e366db025

SHA1
b9363e124be6e841438425819a79a9f72cedf55c

SHA256
0b27866600dd80c5c7fdb5eedb7436b9e3a3450d0226683eb93843f39363dcda

SHA512
65a618cff26285962d9549e2666c834a1f8573f8b5a002add709135450311c1debac745bd9b9bfddf87ee9a3d20cc0cacd497759558cee471832b9c876852841

Download Submit
C:\Program Files (x86)\Common Files\osiwsk.exe

Filesize
143KB

MD5
7179637fd53a65abf2436184c09efca9

SHA1
f70d2ffce6f5140c6fc3e043e6603cb742f138d0

SHA256
cd001bec1f02768c2f3d5c524acc3e31bd5d02360f605d5b0bf8ff749829ebc7

SHA512
449aadc7078c282e67cefe670f16b80399eb4b6657104fa9b1498d8cf92d5e7f290fcfbbbce1a773ac8083bb19ca1cbd6f4e5011b9ade4c16701f9883c704235

Download Submit
C:\Program Files (x86)\Common Files\osiwsk.exe

Filesize
143KB

MD5
7179637fd53a65abf2436184c09efca9

SHA1
f70d2ffce6f5140c6fc3e043e6603cb742f138d0

SHA256
cd001bec1f02768c2f3d5c524acc3e31bd5d02360f605d5b0bf8ff749829ebc7

SHA512
449aadc7078c282e67cefe670f16b80399eb4b6657104fa9b1498d8cf92d5e7f290fcfbbbce1a773ac8083bb19ca1cbd6f4e5011b9ade4c16701f9883c704235

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads