698aeb2888d4ed207eefb231937dfe3e9bbf8ceb0db6a961fe9010a2fddb8eb9

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 20:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

OInstall.exe
Size

11.6MB
MD5

405c0627a9dc679297862d62c712b05a
SHA1

66b33f9e5e9b517be3ae85d9a423129f272dc25a
SHA256

698aeb2888d4ed207eefb231937dfe3e9bbf8ceb0db6a961fe9010a2fddb8eb9
SHA512

bca6a39378cddd35e4ebe59c03d4ddb04826d1475d686e3e85350a18f6efc602d93548116f77e38cf3a998459d371e2241edc044836b585d87998b61c98fdf46
SSDEEP

196608:w3mifxMAExNyGUV9KhMqzFdhA1wREOVp5LpL2OcmmQ1L/sJ7GcI37lWhbX/PE56w:w3ffyH4V9KhMqzFdhyZOVp+OKe/+GR7R

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2252	files.dat

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-133-0x0000000000400000-0x0000000001A63000-memory.dmp	upx
behavioral2/memory/4200-150-0x0000000000400000-0x0000000001A63000-memory.dmp	upx
behavioral2/memory/4200-152-0x0000000000400000-0x0000000001A63000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "15"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4824	LogonUI.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 2684	4200	OInstall.exe	84
PID 4200 wrote to memory of 2684	4200	OInstall.exe	84
PID 2684 wrote to memory of 2356	2684	cmd.exe	86
PID 2684 wrote to memory of 2356	2684	cmd.exe	86
PID 4200 wrote to memory of 1668	4200	OInstall.exe	88
PID 4200 wrote to memory of 1668	4200	OInstall.exe	88
PID 1668 wrote to memory of 2244	1668	cmd.exe	90
PID 1668 wrote to memory of 2244	1668	cmd.exe	90
PID 4200 wrote to memory of 2976	4200	OInstall.exe	91
PID 4200 wrote to memory of 2976	4200	OInstall.exe	91
PID 2976 wrote to memory of 2252	2976	cmd.exe	93
PID 2976 wrote to memory of 2252	2976	cmd.exe	93
PID 2976 wrote to memory of 2252	2976	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:2252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3985855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
memory/4200-133-0x0000000000400000-0x0000000001A63000-memory.dmp

Filesize
22.4MB

Download
memory/4200-150-0x0000000000400000-0x0000000001A63000-memory.dmp

Filesize
22.4MB

Download
memory/4200-152-0x0000000000400000-0x0000000001A63000-memory.dmp

Filesize
22.4MB

Download