76a645207432c896bbcfe7e4a8e5e25ad0744043ac5033b51ba530175c2e5f13

Analysis

max time kernel
27s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2023, 18:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

OInstall.exe
Size

9.4MB
MD5

9ac925cba99361575b8fe996136fab48
SHA1

c902ab8103c49d395b5d13107d60447bcd964649
SHA256

76a645207432c896bbcfe7e4a8e5e25ad0744043ac5033b51ba530175c2e5f13
SHA512

ce2b5e1ab6fe2dec33bed7680dcddfe5cde423cf259a083f3b0a65e0bcef9d689f731a8f526324ae708a5018b914c5f7f2ce8d2f47f47150c502c20938d340c8
SSDEEP

196608:W15L5ZplnbxoEwjsv4uZkvr7jrmCDoN4AvG+0IZufrSS8AIcmY2d9UKbDqlZArtc:W15bnWEwjsvHZ+7/mYgWGuic2JmzAZKd

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3020	files.dat
2700	setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4532-132-0x0000000000400000-0x00000000017C5000-memory.dmp	upx
behavioral1/memory/4532-142-0x0000000000400000-0x00000000017C5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: 36	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	setup.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 320	4532	OInstall.exe	81
PID 4532 wrote to memory of 320	4532	OInstall.exe	81
PID 320 wrote to memory of 4376	320	cmd.exe	83
PID 320 wrote to memory of 4376	320	cmd.exe	83
PID 4532 wrote to memory of 5056	4532	OInstall.exe	85
PID 4532 wrote to memory of 5056	4532	OInstall.exe	85
PID 5056 wrote to memory of 1680	5056	cmd.exe	87
PID 5056 wrote to memory of 1680	5056	cmd.exe	87
PID 4532 wrote to memory of 4620	4532	OInstall.exe	88
PID 4532 wrote to memory of 4620	4532	OInstall.exe	88
PID 4532 wrote to memory of 1656	4532	OInstall.exe	90
PID 4532 wrote to memory of 1656	4532	OInstall.exe	90
PID 1656 wrote to memory of 3020	1656	cmd.exe	92
PID 1656 wrote to memory of 3020	1656	cmd.exe	92
PID 1656 wrote to memory of 3020	1656	cmd.exe	92
PID 4532 wrote to memory of 3996	4532	OInstall.exe	100
PID 4532 wrote to memory of 3996	4532	OInstall.exe	100
PID 3996 wrote to memory of 2700	3996	cmd.exe	102
PID 3996 wrote to memory of 2700	3996	cmd.exe	102
PID 3996 wrote to memory of 2700	3996	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
  2⤵
  PID:4620
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:3020
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c C:\Users\Admin\AppData\Local\Temp\files\Setup.exe /configure Configure.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\files\setup.exe
    C:\Users\Admin\AppData\Local\Temp\files\Setup.exe /configure Configure.xml
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:2700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2f8
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\files\Configure.xml

Filesize
305B

MD5
474611270d8180f928894697ca90d485

SHA1
8a7d6d369322b027674612f47bf7d55b45c6b36e

SHA256
915c65325318d56ba5fa264d4687b8cca35a194386cf7178c8a86dd61b9c3a8f

SHA512
cc7f9c681229af8cfc4afcc332eaf4557d0d7b3f5a4855c482518224689325b4b93d2b63212615b80533bc8921a125a9eca7fb2aa5a1985c7aecd41a581a6eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\setup.exe

Filesize
5.4MB

MD5
64b22215cca284010e9bf96eb5ae2f02

SHA1
65ca0d5558f8461efe3cb70bda1949bb78a2a811

SHA256
1542ed413c1d21ca7b5cde39ce4e0d4ee592de26a25a9868ece77b875a16639e

SHA512
9951f9e4817cf1fe7c53cc92acd7ac4d0d7621109ab9b204136523d21514a7964d2ecf89f13e3e6d881654e5e1b44606e70ab020125d2be2e2989dbecbb9fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\setup.exe

Filesize
5.4MB

MD5
64b22215cca284010e9bf96eb5ae2f02

SHA1
65ca0d5558f8461efe3cb70bda1949bb78a2a811

SHA256
1542ed413c1d21ca7b5cde39ce4e0d4ee592de26a25a9868ece77b875a16639e

SHA512
9951f9e4817cf1fe7c53cc92acd7ac4d0d7621109ab9b204136523d21514a7964d2ecf89f13e3e6d881654e5e1b44606e70ab020125d2be2e2989dbecbb9fd39

Download Submit
memory/4532-142-0x0000000000400000-0x00000000017C5000-memory.dmp

Filesize
19.8MB

Download
memory/4532-132-0x0000000000400000-0x00000000017C5000-memory.dmp

Filesize
19.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads