c5d72882d52181b2d08d2effd354b51042aade239139780a6dd0bcfd62fd6752

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/OWInstaller.exe
Size

297KB
MD5

cb0fdec0351bd03406e5c9b09840fa46
SHA1

590d08d87583dbf3d96633e8805d9113ae7639bc
SHA256

178c77481ea427cc4c61a65c7c01c8c22bdd2652d73111ad7cac733375c6a2cc
SHA512

961fc5de32ef8e309e94a78471f48d37291334508d15d515e53623e94deb50ac4899ea36ba9688d15a2ffa1e755a51de9e2e1f9e3e2716a29778c0fe33ef3c63
SSDEEP

6144:3M4vsZuOH4vfyMwvQwEPUI7V09b4qoSIm9t06232IL9plahcv:3M4vsYO3EPrJkoSN0TLl

Score

5^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	OWInstaller.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DxDiag.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DxDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DxDiag.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	DxDiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1815711207-1844170477-3539718864-1000\{61116D1F-DB36-4FE7-B3AC-E1449B9D2EB4}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	DxDiag.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1216	OWInstaller.exe
3912	DxDiag.exe
3912	DxDiag.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	OWInstaller.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1216	OWInstaller.exe
1216	OWInstaller.exe
1216	OWInstaller.exe
3912	DxDiag.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3912	1216	OWInstaller.exe	84
PID 1216 wrote to memory of 3912	1216	OWInstaller.exe	84

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\DxDiag.exe
  "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
  2⤵
  - Drops file in System32 directory
  - Registers COM server for autorun
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Overwolf\Log\InstallerTrace_2024-02-13_02-31_1216.log

Filesize
462B

MD5
a186d9088f3a2dc183ce7536be1578c2

SHA1
1bcfba549f79fb95ee051ba2c8df56e2372f9ce2

SHA256
14c756448ab9804e23363228c30ba923117a46bdcbb87ac5b6a7ae06cc6b263c

SHA512
86848e009d2aab5a0022d2206648852ffd6195cac8d6a6f54ca01193529a3a942bde030516e39be1f5ddc220df6f3fdc94827b1cb7a5bdd07924a0c08ffe519f

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
752B

MD5
9a5f055b7388319a1a4ffe4d0d9357a6

SHA1
1c7608755b62f0e546957c4d7e2fb5cda2a0755f

SHA256
512fde409459c2eeaf37a11c65f632fb6f421b53f56653c2b2c0e37f1a2b76b0

SHA512
1590b48129d88bcec01914546541fccf5a32fd6e719bbc7374fdac74a84d21753ca20861d06e5c38508a92fe30d6946db37d440120b7197e28c965b65ae19f35

Download Submit
memory/1216-44-0x000002DC610D0000-0x000002DC610E0000-memory.dmp

Filesize
64KB

Download
memory/1216-40-0x000002DC7A3A0000-0x000002DC7A3C2000-memory.dmp

Filesize
136KB

Download
memory/1216-4-0x000002DC61050000-0x000002DC61096000-memory.dmp

Filesize
280KB

Download
memory/1216-5-0x000002DC610D0000-0x000002DC610E0000-memory.dmp

Filesize
64KB

Download
memory/1216-6-0x000002DC610A0000-0x000002DC610B8000-memory.dmp

Filesize
96KB

Download
memory/1216-2-0x000002DC79E70000-0x000002DC7A398000-memory.dmp

Filesize
5.2MB

Download
memory/1216-14-0x000002DC7A450000-0x000002DC7A500000-memory.dmp

Filesize
704KB

Download
memory/1216-79-0x00007FFD7DBA0000-0x00007FFD7E661000-memory.dmp

Filesize
10.8MB

Download
memory/1216-49-0x000002E47D3A0000-0x000002E47DB46000-memory.dmp

Filesize
7.6MB

Download
memory/1216-43-0x000002DC610D0000-0x000002DC610E0000-memory.dmp

Filesize
64KB

Download
memory/1216-3-0x00007FFD7DBA0000-0x00007FFD7E661000-memory.dmp

Filesize
10.8MB

Download
memory/1216-0-0x000002DC5F2C0000-0x000002DC5F30C000-memory.dmp

Filesize
304KB

Download
memory/1216-1-0x000002DC798A0000-0x000002DC7993E000-memory.dmp

Filesize
632KB

Download
memory/3912-53-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-54-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-60-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-59-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-58-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-61-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-62-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-64-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-63-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download
memory/3912-52-0x000001E8867E0000-0x000001E8867E1000-memory.dmp

Filesize
4KB

Download