Resubmissions

11/02/2024, 13:20

240211-qk9e5age2y (score 8/10)

11/02/2024, 13:12

240211-qfmqkaae37 (score 8/10)

Analysis

  • max time kernel
    129s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20231220-en
  • resource tags
    arch:x64
    arch:x86
    image:win10-20231220-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    11/02/2024, 13:20

General

  • Target

    WOMicClientSetup5_2.exe

  • Size

    1.4MB

  • MD5

    d8c68825b8a2cd1f00736b617240684c

  • SHA1

    7b68a0832785021e8883cec41606e60fa4a887e6

  • SHA256

    c7c7227a636b4c612cdf3f3d803be3ef1cf8f9aedad1c5d6620e0b9f6e0931a8

  • SHA512

    15f79655b8cfefa402aca135e900881b266f6de3f6f2ada63b59303c0a9efac0175fb253ed640a4cfc2888c5e6954ab24c7c54d4532ca56c3b0a90107af02b05

  • SSDEEP

    24576:Y12rpcEd5xQyaYXnCTZh5GYP7INP4w6ZtwZdsIAljoXHNAi7JYYDd+7PJms:QkzSy/nClDzBaZfuo3HYnPJd

Score
8/10

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 54 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WOMicClientSetup5_2.exe
    "C:\Users\Admin\AppData\Local\Temp\WOMicClientSetup5_2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WOMic" profile=any dir=in action=allow program="C:\Program Files (x86)\WOMic\womicclient.exe" enable=yes protocol=UDP
      2⤵
      • Modifies Windows Firewall
      PID:2116
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WOMic" profile=any dir=in action=allow program="C:\Program Files (x86)\WOMic\womicclient.exe" enable=yes protocol=TCP
      2⤵
      • Modifies Windows Firewall
      PID:2304
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WOMic" profile=any dir=out action=allow program="C:\Program Files (x86)\WOMic\womicclient.exe" enable=yes protocol=UDP
      2⤵
      • Modifies Windows Firewall
      PID:3768
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WOMic" profile=any dir=out action=allow program="C:\Program Files (x86)\WOMic\womicclient.exe" enable=yes protocol=TCP
      2⤵
      • Modifies Windows Firewall
      PID:3872
    • C:\Program Files (x86)\WOMic\driver\devcon.exe
      devcon.exe install womic.inf Root\WOMic
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fb24a5cc-d63c-da4c-b094-b6a6c0f07555}\womic.inf" "9" "46d27e6e7" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\womic\driver"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:5004
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "womic.inf:ed86ca11fdcda04c:InstallWOMic:2.1.0.0:root\womic," "46d27e6e7" "0000000000000174"
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2280
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3796

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\WOMic\WOMicClient.exe

      Filesize

      158KB

      MD5

      26ba164873f020120e2267ac1cf16d43

      SHA1

      9d8d69bbe7f37d9e359dc24459f2160b677566fe

      SHA256

      9e07dbce584991a821ea7030bc8228271d1d2aa8ce3d4bf8f1d2309796d7ebcf

      SHA512

      6d60ebf347aab27579d47c9a6e34d5035e70ae8e189ddd71c451c92387fc857c30a8b1ddae51c6fe19ce29070e1911480d680e5477fa02caf5072162ab00fedd

    • C:\Program Files (x86)\WOMic\driver\devcon.exe

      Filesize

      80KB

      MD5

      b9808a5cc368bd10a3a83af244285ac2

      SHA1

      ad3c0e42478a0d726b74925eb2a3c1d604bdcf3d

      SHA256

      7b76bac391c62c5884332bd606b6026aecba8ce57c919cc1f142ef2a052dbc08

      SHA512

      828e258a597b68e4a89a568a96beed71da32a0feb60dd6713ca2b1a25c2e534a83d93e6a29b7e4cb5e47658e14a1c23efab1f05d27c8e95af37d182428d863b7

    • C:\Program Files (x86)\WOMic\driver\womic.inf

      Filesize

      5KB

      MD5

      c32cee4c141ee4c679211964c309dbef

      SHA1

      51719da535dd835d99cfbd07364622a52594846e

      SHA256

      8f2f3339a3cfd98742295b9c5864ce40922c1f6c783aaf70ce31a8defc720764

      SHA512

      8546859bb3afbd2a005a17b366bf0b0e5b8d5a8a8b927a2834e8464070d2a9c92885e16e1aa4b08e072dd268c3be275dbbb139b308580343ff28b96406dc6e84

    • C:\Users\Admin\AppData\Local\Temp\nse6B5D.tmp\modern-wizard.bmp

      Filesize

      25KB

      MD5

      cbe40fd2b1ec96daedc65da172d90022

      SHA1

      366c216220aa4329dff6c485fd0e9b0f4f0a7944

      SHA256

      3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

      SHA512

      62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

    • C:\Windows\System32\DriverStore\FileRepository\womic.inf_amd64_cdc23968b9b591e1\womic.PNF

      Filesize

      10KB

      MD5

      141bcbb6f6df884d8aa5fac8bace1b42

      SHA1

      09caf378a0c1c1573d845bd06d45dd628376bfd5

      SHA256

      31871073f3b8ac0dc9097e4fbe156d2608f417a463878cca5106801ab92c9eea

      SHA512

      a1ce24b86e28eaf9caac70cbf72320abdf7b3ac2b5edc172234ad46b8ee5a7ddf6c0cb32914fc707c4142aa88f622582b0327897bf3cf8f464b139423c3da864

    • \??\c:\PROGRA~2\womic\driver\womic.sys

      Filesize

      49KB

      MD5

      dcf7f591c326a86495f8a6fd031f4e96

      SHA1

      fc1b06b1b9efec95e9d4907d8964a485e45ca4c3

      SHA256

      75f080f206ff0c13701ff66388c4a404529d9ec71b2ba0f1fadd4b71481c0475

      SHA512

      c0a4b5fd18fad13831885c257b46ba27451e8b89eff2089234b26b5330b093b9574f910857b1b95668d59ca98584db83b03c2481fa1b74074ff1afc0eddac806

    • \??\c:\program files (x86)\womic\driver\womic.cat

      Filesize

      10KB

      MD5

      9a7ecc72e00b9e2dc24fd8d88c52ef38

      SHA1

      12d7457beb4945b9a7e89afc00fe560e3af737a8

      SHA256

      24ae3420b9ef53b55b6d5da957b11fdd526d35c28033fc967ea27155b374d200

      SHA512

      6a11bdd10d6a0b96e4d5ecbaa46c91c7e094855dc09728cd8f56c25debefa6bd4fbae7451047dfd5c8242007d9f7934771da346f0f5d602a56e0680f2409095e

    • \Users\Admin\AppData\Local\Temp\nse6B5D.tmp\LangDLL.dll

      Filesize

      5KB

      MD5

      174708997758321cf926b69318c6c3f5

      SHA1

      645488089bf320f6864e0d0bc284c85216e56fbd

      SHA256

      f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873

      SHA512

      214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054

    • \Users\Admin\AppData\Local\Temp\nse6B5D.tmp\System.dll

      Filesize

      11KB

      MD5

      0ff2d70cfdc8095ea99ca2dabbec3cd7

      SHA1

      10c51496d37cecd0e8a503a5a9bb2329d9b38116

      SHA256

      982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

      SHA512

      cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

    • \Users\Admin\AppData\Local\Temp\nse6B5D.tmp\nsDialogs.dll

      Filesize

      9KB

      MD5

      d6c3dd680c6467d07d730255d0ee5d87

      SHA1

      57e7a1d142032652256291b8ed2703b3dc1dfa9b

      SHA256

      aedb5122c12037bcf5c79c2197d1474e759cf47c67c37cdb21cf27428854a55b

      SHA512

      c28613d6d91c1f1f7951116f114da1c49e5f4994c855e522930bb4a8bdd73f12cadf1c6dcb84fc8d9f983ec60a40ac39522d3f86695e17ec88da4bd91c7b6a51

    • \Users\Admin\AppData\Local\Temp\nse6B5D.tmp\nsExec.dll

      Filesize

      6KB

      MD5

      01e76fe9d2033606a48d4816bd9c2d9d

      SHA1

      e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2

      SHA256

      ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70

      SHA512

      62ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0