05a747f54188d9e72c3f582fef65b686885ff7fab849f129e1eadd9526867295

General

Target

OInstall.exe
Size

30.4MB
MD5

11002d91453bc60e8e581d24a21d0b58
SHA1

33767ec31bc367af24c44c30143f0f4966e1e2b2
SHA256

05a747f54188d9e72c3f582fef65b686885ff7fab849f129e1eadd9526867295
SHA512

0b628e060149b3473f4d9564c3eebbe4af1bd55b634676c9848d8137288f425bc8c856016b9a1cd7d11e8170c6ddcc3c343b33fb1fc2200b8d790a1f8965bbbe
SSDEEP

786432:2vRkdObGXYztqYMa0qGFPt7lgx+SSuiy2Qx7dH//q:gkd4zdMzqGJt7lgLSuiy2Qx7dH//q

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language

ps1

Source

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2432	powershell.exe
4	2824	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	files.dat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2696	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2560	files.dat

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2432	powershell.exe
2824	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2996	OInstall.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2996	OInstall.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2996	OInstall.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2548	2996	OInstall.exe	29
PID 2996 wrote to memory of 2548	2996	OInstall.exe	29
PID 2996 wrote to memory of 2548	2996	OInstall.exe	29
PID 2996 wrote to memory of 2548	2996	OInstall.exe	29
PID 2996 wrote to memory of 2616	2996	OInstall.exe	31
PID 2996 wrote to memory of 2616	2996	OInstall.exe	31
PID 2996 wrote to memory of 2616	2996	OInstall.exe	31
PID 2996 wrote to memory of 2616	2996	OInstall.exe	31
PID 2616 wrote to memory of 2560	2616	cmd.exe	33
PID 2616 wrote to memory of 2560	2616	cmd.exe	33
PID 2616 wrote to memory of 2560	2616	cmd.exe	33
PID 2616 wrote to memory of 2560	2616	cmd.exe	33
PID 2996 wrote to memory of 2432	2996	OInstall.exe	34
PID 2996 wrote to memory of 2432	2996	OInstall.exe	34
PID 2996 wrote to memory of 2432	2996	OInstall.exe	34
PID 2996 wrote to memory of 2432	2996	OInstall.exe	34
PID 2996 wrote to memory of 2824	2996	OInstall.exe	38
PID 2996 wrote to memory of 2824	2996	OInstall.exe	38
PID 2996 wrote to memory of 2824	2996	OInstall.exe	38
PID 2996 wrote to memory of 2824	2996	OInstall.exe	38

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ShowPush.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:2696

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\ver.txt') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -nop -c "$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData','C:\Users\Admin\AppData\Local\Temp\ver.txt')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RF2M0D4VZHHW94GD2EBX.temp

Filesize
7KB

MD5
5e4619038ffd1aa566cc6e6fdeda2b0f

SHA1
3a183e29e1e40155d1516d4a24916e5a90cf2eca

SHA256
105c9f0fda7a6314b123660b4de78b2fad2d4575cc560853d4d883595be3c2b3

SHA512
f50d3a3646bc36d841074a0051e58a907464fe0f9cb341e43ba7b6b2dc02b06146b8755cbca77842c298dd00a6d1b416d435a8eab57f76d47c749e32af0b008a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cedf9fb90f053c20051e231ca083ead5

SHA1
9f824102977b37a2eb5fa45d3a351acdcc079d01

SHA256
435bdd5696a37144caa747b7a58f644dc7da5961e26c53fee1ce0820e7495c3d

SHA512
5e4bf5753b454404d8fd8e9a5f38023191756b650fc0c0e0d2b0ecc62aeee4f5ebdadec4cf114307f7f53634b2e5ac008b1afb807e67414193b607dd0fa385bd

Download Submit
memory/2432-28-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-30-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-32-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2432-29-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2432-27-0x0000000074540000-0x0000000074AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-38-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-39-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2824-40-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-41-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-42-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2824-43-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/2824-45-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads