Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    31/05/2023, 23:56

General

  • Target

    OInstall.exe

  • Size

    10.9MB

  • MD5

    ebc58647462ad9c76395ef451064d115

  • SHA1

    14e470812f13b278b2694a4cec5737a39784e9dd

  • SHA256

    414155bf11893ec64ba0f4ffb7de92885090845a0761cf8f6743462aa5991d5e

  • SHA512

    8a9ef093d151957ae3c4c8e572fcdbd2198398c95ff8186d532853856c12c8f9ae7408c4f24518c5903faa517ea4e1d5779e797c5a4d850073fbee3ab801e8cc

  • SSDEEP

    196608:2ZnMGjZsDEsCaYsGEHy61bgUhufRswPU2/V8Gd83/PALDP0PiaQxhwf+9zYul28S:WnjZhsCOU6ZgfPPPuGdnv0fzfoDYtB

Score
10/10
upx

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    http://officecdn.microsoft.com/pr/55c44c35-878e-4c43-83ee-b666bf4261a4/Office/Data/v32.cab

    The config extractor tags this URL as an exe.dropper, but the host is Microsoft's Office Click-to-Run CDN, and the process tree below shows the 787-byte v32.cab is fetched only so that expand.exe can pull VersionDescriptor.xml out of it: the sample is reading Office build-version metadata, not staging a payload from this URL.

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the signature, like the two below it, fires only on the dwm.exe instances (PIDs 4580 and 2204), which are Windows Desktop Window Manager processes outside the sample's process tree, so treat these three as environment noise rather than evasion by OInstall.exe.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:644
    • C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4556
    • C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Users\Admin\AppData\Local\Temp\files\files.dat
        files.dat -y -pkmsauto
        3⤵
        • Executes dropped EXE
        PID:3660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/55c44c35-878e-4c43-83ee-b666bf4261a4/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over326026\v32.cab') }"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1016
    • C:\Windows\SYSTEM32\expand.exe
      "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over326026
      2⤵
      • Drops file in Windows directory
      PID:3604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over326026\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x460 0x458
    1⤵
    PID:5064
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    PID:4580
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    PID:2204
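The behaviours worth alerting on in the tree above are the two Defender exclusions added through the WMI MSFT_MpPreference class (via cmd.exe and WMIC.exe, before anything is unpacked), the Net.WebClient download cradle in powershell.exe, and a dropped non-.exe file (files.dat) being executed from the user's Temp directory with an archive password on its command line. The following triage helper is an added example, not part of the sandbox report or of the sample: it runs rules for those three behaviours over process-creation records in a Sysmon Event ID 1 style. The ProcEvent records are constructed here from the command lines recorded in the tree (PID 1648 is omitted for brevity), and the rule names and the ProcEvent/Finding shapes are this example's own conventions. The exclusion_values() output is the list an incident responder would feed to Remove-MpPreference -ExclusionPath on the affected host.

```python
"""Flag Defender-exclusion tampering, PowerShell download cradles and
non-.exe images run from %TEMP% in process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str = ""


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Defender exclusion added via the WMI provider (the WMIC form seen in this report)
# or via the Defender PowerShell module.
_WMI_EXCLUSION = re.compile(
    r"MSFT_MpPreference\b.*?\bcall\s+Add\b.*?"
    r"Exclusion(?P<kind>Path|Process|Extension)\s*=\s*\"?(?P<value>[^\"\s]+)", re.I)
_PS_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"['\"]?(?P<value>[^'\"\s,]+)", re.I)
# PowerShell download cradles; the report shows the Net.WebClient.DownloadFile form.
_PS_DOWNLOAD = re.compile(
    r"Net\.WebClient.*?\.Download(?:File|String|Data)\(|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.I)
_URL = re.compile(r"https?://[^\s'\"()]+", re.I)
_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Archive password passed on the command line (-p<password>, 7-Zip-style switch).
_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p(?P<pw>\S+)")

# Constructed sample input: command lines copied from the process tree in this report.
SAMPLE_EVENTS = [
    ProcEvent(868, r"C:\Users\Admin\AppData\Local\Temp\OInstall.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"'),
    ProcEvent(1328, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"),
    ProcEvent(644, r"C:\Windows\System32\Wbem\WMIC.exe",
              r'WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"',
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(4556, r"C:\Windows\System32\Wbem\WMIC.exe",
              r'WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"',
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(4448, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto',
              r"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"),
    ProcEvent(3660, r"C:\Users\Admin\AppData\Local\Temp\files\files.dat",
              r"files.dat -y -pkmsauto", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(1016, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/55c44c35-878e-4c43-83ee-b666bf4261a4/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over326026\v32.cab') }"''',
              r"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"),
    ProcEvent(3604, r"C:\Windows\SYSTEM32\expand.exe",
              r'"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over326026',
              r"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"),
    ProcEvent(2548, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over326026\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }',
              r"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"),
]


def analyze(events):
    """Return one Finding per matched rule per event, in event order."""
    findings = []
    for ev in events:
        m = _WMI_EXCLUSION.search(ev.cmdline) or _PS_EXCLUSION.search(ev.cmdline)
        if m:  # the cmd.exe wrapper and the WMIC child both carry the command, so both fire
            findings.append(Finding(ev.pid, "defender_exclusion_added",
                                    f"{m['kind']}={m['value']}"))
        if ev.image.lower().endswith("powershell.exe") and _PS_DOWNLOAD.search(ev.cmdline):
            findings.append(Finding(ev.pid, "powershell_download_cradle",
                                    ", ".join(_URL.findall(ev.cmdline)) or "<no url>"))
        if _USER_TEMP.search(ev.image) and not ev.image.lower().endswith(".exe"):
            detail = ev.image.rsplit("\\", 1)[-1]
            pw = _PASSWORD_SWITCH.search(ev.cmdline)
            if pw:
                detail += f" (archive password on command line: {pw['pw']})"
            findings.append(Finding(ev.pid, "non_exe_image_run_from_user_temp", detail))
    return findings


def exclusion_values(findings):
    """Distinct exclusion values added; the clean-up list for Remove-MpPreference."""
    return sorted({f.detail.split("=", 1)[1] for f in findings
                   if f.rule == "defender_exclusion_added"})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<34} {f.detail}")
    print("exclusions to remove:", exclusion_values(analyze(SAMPLE_EVENTS)))
```

On the sample above the helper reports exclusions from PIDs 1328, 644 and 4556, the officecdn URL from PID 1016, and files.dat with its password from PID 3660; PIDs 868, 3604 and 2548 produce nothing, which is the intended behaviour since the second powershell.exe only converts the XML to ASCII. The cmd.exe wrappers are flagged on purpose: if an EDR drops the WMIC child event, the `cmd /c WMIC ...` line is still enough to catch the exclusion.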

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      98ca3263bd17f6f4308b8e4ff7530958

      SHA1

      6f41bacd42af6a11bb8d1516f7b07171087e7a17

      SHA256

      d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19

      SHA512

      f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yqeh4ql.rxr.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\files\files.dat

      Filesize

      707KB

      MD5

      55d21b2c272a5d6b9f54fa9ed82bf9eb

      SHA1

      32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

      SHA256

      7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

      SHA512

      1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

    • C:\Users\Admin\AppData\Local\Temp\over326026\VersionDescriptor.xml

      Filesize

      1KB

      MD5

      8e9db5401e5ec135a3ad22291c40143a

      SHA1

      347f9f177733740ece88b1f5143188fc6b8240c4

      SHA256

      fe94467e0b812868ee236cea8ffb45ac46b8210debc385dd92a99e374a55216a

      SHA512

      49f89d10548c010934d6a70070e6e0804170613abb4a40a3a3dcd0e6e831c733b56a33b2faa4e5ef57705aa90bb866689b2b95ad97fe47a5c89471597510c2f7

    • C:\Users\Admin\AppData\Local\Temp\over326026\v32.cab

      Filesize

      787B

      MD5

      89452d8ba7893a60c21c69ae4440489e

      SHA1

      680599bc741f0da176f217d04ecd48762f016dc4

      SHA256

      5bb259e5bf12476850a9834e0992a563691b43cd2474ad2f2958ddc0ee2614e6

      SHA512

      0aaf37dce9ba279890a494b4000082068a54eadc7a3721ae081b6f88d5a19c88645c61e550bd4d3bec39a4c86de337ee2d0d279e00fba382d0f67194973f7042

    • C:\Users\Admin\AppData\Local\Temp\over326026\v32.txt

      Filesize

      1KB

      MD5

      0c5f79112e2bc5521b1dcf9c2ce1efe0

      SHA1

      3ec1d5cace5441c1c84ff03876244ad1f7e34b3e

      SHA256

      6f830aab3ce507b19bedde34f803a9dc9b00b59fdd7e3bbf89e7dc8740741992

      SHA512

      5e743ae3cead40396391c1a8803bd301f4c757598606db553ac66b3d8c966cfc444a5dbfb97a7a05399eda467ecdaf9fee02e8bf2c596ec5b61e25d5ff102e8c

    • memory/868-155-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-156-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-206-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-150-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-151-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-175-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-152-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/868-133-0x0000000000400000-0x000000000199D000-memory.dmp

      Filesize

      21.6MB

    • memory/1016-174-0x000002662A630000-0x000002662A732000-memory.dmp

      Filesize

      1.0MB

    • memory/1016-176-0x000002660FFC0000-0x000002660FFD0000-memory.dmp

      Filesize

      64KB

    • memory/1016-177-0x000002660FFC0000-0x000002660FFD0000-memory.dmp

      Filesize

      64KB

    • memory/1016-178-0x000002660FFC0000-0x000002660FFD0000-memory.dmp

      Filesize

      64KB

    • memory/1016-162-0x000002662A390000-0x000002662A412000-memory.dmp

      Filesize

      520KB

    • memory/1016-173-0x000002662A310000-0x000002662A320000-memory.dmp

      Filesize

      64KB

    • memory/1016-172-0x000002662A360000-0x000002662A382000-memory.dmp

      Filesize

      136KB

    • memory/2548-199-0x0000028567B20000-0x0000028567B3E000-memory.dmp

      Filesize

      120KB