72aef4d4f2fe2f4efdd52202964e7ecf6ec9f3e9ca95c8ca27ac571c4405fd9a

General

Target

Ogtnuzcwp.exe
Size

191.5MB
MD5

b7942b563ef73b7df7f0abce7fc7290b
SHA1

339d4ef4a46aefc0aec231b5bbacd4cdb788706e
SHA256

72aef4d4f2fe2f4efdd52202964e7ecf6ec9f3e9ca95c8ca27ac571c4405fd9a
SHA512

4f8f892b19a9b457e97cf2cd5033188d68516d78eef61377e7df75290e9dc28f3e4d7780cc0e901ca80e55a5f293b3ffa279ed56997c1b376df8ccefed882ec5
SSDEEP

49152:BkQTA+pPOabdz+k/sYjI8IKJY/MNQqQUl1:BaPabdz+k/ELKJcsv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Hpyjpn\\Ogtnuzcwp.exe\","	Ogtnuzcwp.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	InstallUtil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Ogtnuzcwp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	eth0.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 3532	4556	Ogtnuzcwp.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	Ogtnuzcwp.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	3532	InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3360	4556	Ogtnuzcwp.exe	81
PID 4556 wrote to memory of 3360	4556	Ogtnuzcwp.exe	81
PID 4556 wrote to memory of 3360	4556	Ogtnuzcwp.exe	81
PID 3360 wrote to memory of 5036	3360	cmd.exe	83
PID 3360 wrote to memory of 5036	3360	cmd.exe	83
PID 3360 wrote to memory of 5036	3360	cmd.exe	83
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84
PID 4556 wrote to memory of 3532	4556	Ogtnuzcwp.exe	84

C:\Users\Admin\AppData\Local\Temp\Ogtnuzcwp.exe
"C:\Users\Admin\AppData\Local\Temp\Ogtnuzcwp.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - UAC bypass
  - Suspicious use of AdjustPrivilegeToken
  PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3360-137-0x0000000000000000-mapping.dmp

Download
memory/3532-146-0x0000000006BC0000-0x0000000006D82000-memory.dmp

Filesize
1.8MB

Download
memory/3532-149-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/3532-148-0x00000000072C0000-0x00000000077EC000-memory.dmp

Filesize
5.2MB

Download
memory/3532-142-0x0000000000000000-mapping.dmp

Download
memory/3532-147-0x0000000006A70000-0x0000000006AE6000-memory.dmp

Filesize
472KB

Download
memory/3532-143-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4556-133-0x0000000005700000-0x0000000005750000-memory.dmp

Filesize
320KB

Download
memory/4556-134-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4556-135-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/4556-136-0x0000000005D00000-0x0000000005D22000-memory.dmp

Filesize
136KB

Download
memory/4556-132-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/5036-139-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/5036-151-0x0000000070710000-0x000000007075C000-memory.dmp

Filesize
304KB

Download
memory/5036-144-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5036-141-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/5036-140-0x0000000005170000-0x0000000005798000-memory.dmp

Filesize
6.2MB

Download
memory/5036-138-0x0000000000000000-mapping.dmp

Download
memory/5036-150-0x00000000064E0000-0x0000000006512000-memory.dmp

Filesize
200KB

Download
memory/5036-145-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/5036-152-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/5036-153-0x0000000007870000-0x0000000007EEA000-memory.dmp

Filesize
6.5MB

Download
memory/5036-154-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/5036-155-0x0000000007290000-0x000000000729A000-memory.dmp

Filesize
40KB

Download
memory/5036-156-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/5036-157-0x0000000007450000-0x000000000745E000-memory.dmp

Filesize
56KB

Download
memory/5036-158-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/5036-159-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads