032047765ebff1201661d8a518b3df0f15e88ca7c3dc265fd96b5c03bb3cd234

Sharing

Copy URL

Twitter E-mail

General

Target

OPMW_Installer.exe
Size

19.3MB
Sample

240316-gfsr5sfa38
MD5

b2bcc9009f92666313ed7f15134c3161
SHA1

151e69e2af82caea9c2c1ea396d4df6767cc27ee
SHA256

032047765ebff1201661d8a518b3df0f15e88ca7c3dc265fd96b5c03bb3cd234
SHA512

e3ff635871301042a1bf55ce6de93d0a64890320cd22cd0c28349c7be25c7922cc5906f3f8ba6da9d084ce5b30a28982d70b4b56643f9c54d650de06630e70d9
SSDEEP

393216:k+HAGUBy4dzc9owHuZWWgKo1lQ8GdpjWWUzQJCR3cxYTdzvYk4JUJbGU30IDXH0y:kP9mOZTgKQlQjBU9zTdMkl04X

Score

9^/10

discovery ransomware

Malware Config

Targets

- Target
  
  OPMW_Installer.exe
- Size
  
  19.3MB
- MD5
  
  b2bcc9009f92666313ed7f15134c3161
- SHA1
  
  151e69e2af82caea9c2c1ea396d4df6767cc27ee
- SHA256
  
  032047765ebff1201661d8a518b3df0f15e88ca7c3dc265fd96b5c03bb3cd234
- SHA512
  
  e3ff635871301042a1bf55ce6de93d0a64890320cd22cd0c28349c7be25c7922cc5906f3f8ba6da9d084ce5b30a28982d70b4b56643f9c54d650de06630e70d9
- SSDEEP
  
  393216:k+HAGUBy4dzc9owHuZWWgKo1lQ8GdpjWWUzQJCR3cxYTdzvYk4JUJbGU30IDXH0y:kP9mOZTgKQlQjBU9zTdMkl04X
Score

9^/10

discovery ransomware
- Renames multiple (828) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/BgWorker.dll
- Size
  
  2KB
- MD5
  
  33ec04738007e665059cf40bc0f0c22b
- SHA1
  
  4196759a922e333d9b17bda5369f14c33cd5e3bc
- SHA256
  
  50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
- SHA512
  
  2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef
Score

3^/10
behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  cff85c549d536f651d4fb8387f1976f2
- SHA1
  
  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256
  
  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512
  
  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- SSDEEP
  
  192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Score

3^/10
behavioral3
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  6c3f8c94d0727894d706940a8a980543
- SHA1
  
  0d1bcad901be377f38d579aafc0c41c0ef8dcefd
- SHA256
  
  56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
- SHA512
  
  2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
- SSDEEP
  
  96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc
Score

3^/10
behavioral4
- Target
  
  $PLUGINSDIR/nsWmInstallerPlugin.dll
- Size
  
  13.2MB
- MD5
  
  c4068b4cb9bf1a7a4e85cde0505f3d4a
- SHA1
  
  06c274f8f7c41f960b5f3cd708cf5f63c3834963
- SHA256
  
  45ab2d9e569fe852506c448af349ef58bb85bb0c26e6963d50d070421c3dc2a0
- SHA512
  
  0d10c262f110aa8f0cf7ac2458cb23f9b77dad4946680dfc2454879c46fe94b8edcddfeddfe3314e37300dd17b9bfd51fe969cecd5f18db46fb28a12eb6e8c98
- SSDEEP
  
  393216:YkSUpIQEStajDy1SbSdSjs0YBUPK5TAHAGUByRR:4UpOq8+2sfBUy5TeR
Score

3^/10
behavioral5
- Target
  
  $PLUGINSDIR/nsis7z.dll
- Size
  
  438KB
- MD5
  
  e11da6f1d0b07caf3df6ea25ed444616
- SHA1
  
  8b7f3ac385e04d25988998d36b890e1f426ffd52
- SHA256
  
  689e0e89b413b7977ee51bfb932f2a7955826c2d186d3bdabacab46189a54421
- SHA512
  
  881330dc1566047a50cc8b84eeb2d33248b76ee0b825af0463db5151bc9d1f58c8269f894443efd51fa9611241ae40dea310afc33ad835ff5e2e165fe829c06b
- SSDEEP
  
  6144:HUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+P0zqibcklgaa/:Hn5QEG39fPAkrE4yrBOXDfdNbck2am
Score

3^/10
behavioral6
- Target
  
  WmGpLaunchSetupFiles.7z
- Size
  
  9.7MB
- MD5
  
  42485fbb709a3431d65d398f584d1a1a
- SHA1
  
  f21bbe0d5ae09878650ffcf2f799cde03a914744
- SHA256
  
  82e43a1aaaeb722797573ed74ecc2b19667482153f089d00991631d2d659d0a5
- SHA512
  
  b98cdeedce64e53121fff0afef9b71e406008d220db4badda1bdb0fe41f12fbe8198e6558541f353da0dd304dd72194c140dd287a6496ae205fd2748f9826b36
- SSDEEP
  
  196608:mxqhM6TRIDsIEuV1dF8Nb0OuClKxieivI0IAQtSOS5n:txRIVNEh0OB8xis0Swn
Score

3^/10
behavioral7
- Target
  
  OPMNA/Config/Config.ini
- Size
  
  1KB
- MD5
  
  2859bbbe548be102b6cd54c7fa4c7624
- SHA1
  
  3c7b96aa9177df1054ba8d32af4eced866c888bb
- SHA256
  
  7eb83bd3803cb2ec6af2b579c7a09de5fa4da4db01ba3eae67ebb66ff18c696b
- SHA512
  
  1c6625a3f18cf5424a96200a68f67416337a39b3d7e06ccaca09b7c894ad53645b917e10601975d3ebfd38b7d255aef566bcd16eba2f727e2bb794024b911777
Score

3^/10
behavioral8
- Target
  
  OPMNA/Config/game/zh_cn/game_1000137.cfg
- Size
  
  2KB
- MD5
  
  c2b6125bde0baa09b195ba91af11fd90
- SHA1
  
  20707887a75ef462278eb10a430019a48ce56994
- SHA256
  
  9aef92d6b3d5025d8697fd33938ee376633eb1decffe919f280951e870a29a0f
- SHA512
  
  f17f21d973c6bc669a88dc9761c35212e0efbd3c4649cab06f6c6054d25d23491789f013652e5767888c5ef88c4ea4cdb02aa6d0f268e74eab129259773bad67
Score

3^/10
behavioral9
- Target
  
  OPMNA/OPMNALauncher.exe
- Size
  
  523KB
- MD5
  
  b4245946a2ea075b4c98f2ac2b25294d
- SHA1
  
  aab77b8dca57979d02cedf2ee5bee29b38da4294
- SHA256
  
  db924428049ca0d2bbf136f517419a6f9f538174b6c423b6e9dbb1ce31f8c9ac
- SHA512
  
  da170c71968031a2602e99cb74810cccd3ef46ade620d519c5eeebb65500950fe2f884af38860176456b479af258665e81ad130432f302129587ddc96aa8fb2a
- SSDEEP
  
  12288:kJ5AWJVU1ujOcuDtaBtdxMq5ztLQUpr9YDo42BkJcCDH+6uPXfVskgTYbg8upGy4:kJlV0udjdtBsxDo42BkJcCDHUPXfVtgI
Score

9^/10

ransomware
- Renames multiple (828) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10
- Target
  
  OPMNA/OPMNAUpdate.exe
- Size
  
  1.6MB
- MD5
  
  3f41f849356dfe2a69e3dd8ef36ad014
- SHA1
  
  e4b7d3358d9d411eb7a1d856fc2d1bca79558219
- SHA256
  
  c6ee5192e82c300fa187863d9d141cb9f28f4ad5a48503bf680d3a5e061a0abd
- SHA512
  
  bc953d3bffe68deaf27e3e1b5648cf28673e3ee9d3116701178d40c99f0ec8711a865d0ccaaed3243392e7bc12680707b9c96e5a3a66ed69ba43d538be5a143f
- SSDEEP
  
  49152:xzgYo/SlqhYTUHz6gaZ4T5tDo42BkJcCDHUPfVtgTYbg8upGyH8iB:1gYo/SlqhYoz6gto42BkJcCDH6fVtgTL
Score

9^/10

ransomware
- Renames multiple (828) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11
- Target
  
  OPMNA/peFlag.exe
- Size
  
  149KB
- MD5
  
  89a1817246eece6d084faec432e51131
- SHA1
  
  fa671db46927eea00e216a93cba7a0f4a36615a9
- SHA256
  
  fae9ba71444b966d76df871249ff102dc7e95784203ec11ef11552253c33a89b
- SHA512
  
  4da0aa70515866257976327c52875cbc920a227401224bcbb377fa3c1de108e20d7904e244db97ad9b2be4b64c3cf3a07b2befddebb3ad5d967433d62f6542b2
- SSDEEP
  
  3072:o+XcjIcmUyR32Nc7RFZAC7MRcXn5c8waf0bVFWBkndmJQri:o+Xfcm1REcxAC7/aWCnMJyi
Score

1^/10
behavioral12
- Target
  
  OPMNALauncher.exe
- Size
  
  523KB
- MD5
  
  b4245946a2ea075b4c98f2ac2b25294d
- SHA1
  
  aab77b8dca57979d02cedf2ee5bee29b38da4294
- SHA256
  
  db924428049ca0d2bbf136f517419a6f9f538174b6c423b6e9dbb1ce31f8c9ac
- SHA512
  
  da170c71968031a2602e99cb74810cccd3ef46ade620d519c5eeebb65500950fe2f884af38860176456b479af258665e81ad130432f302129587ddc96aa8fb2a
- SSDEEP
  
  12288:kJ5AWJVU1ujOcuDtaBtdxMq5ztLQUpr9YDo42BkJcCDH+6uPXfVskgTYbg8upGy4:kJlV0udjdtBsxDo42BkJcCDHUPXfVtgI
Score

9^/10

ransomware
- Renames multiple (828) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13
- Target
  
  uninst.exe
- Size
  
  9.3MB
- MD5
  
  9cd5039945bd4772bebc020df04e96cb
- SHA1
  
  e18c8f67daa873804ccc6597bc61fd425aa4f1a7
- SHA256
  
  ada6dc0a2b4e0961e0ef10034bc547352a69e4f8b25ecad342eb834f3b3de519
- SHA512
  
  3cfc40aa0190912fcb842b3715f732d691922a4dcbc4bc9f2f14ee21832c9d4d9a73999d423a9b8f6bc656864166c48ee8353c192a49ac638b3802d2d084e90f
- SSDEEP
  
  196608:i3HAGUupGyp6tTGFiJhjoYVWFZubtKsIL21BfZhRaJKV1A93Jc:i3HAGUByqGFY0HUtKja1BBaRZc
Score

4^/10
behavioral14
- Target
  
  $PLUGINSDIR/BgWorker.dll
- Size
  
  2KB
- MD5
  
  33ec04738007e665059cf40bc0f0c22b
- SHA1
  
  4196759a922e333d9b17bda5369f14c33cd5e3bc
- SHA256
  
  50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
- SHA512
  
  2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef
Score

3^/10
behavioral15
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  6c3f8c94d0727894d706940a8a980543
- SHA1
  
  0d1bcad901be377f38d579aafc0c41c0ef8dcefd
- SHA256
  
  56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
- SHA512
  
  2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
- SSDEEP
  
  96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc
Score

3^/10
behavioral16
- Target
  
  $PLUGINSDIR/nsWmInstallerPlugin.dll
- Size
  
  13.2MB
- MD5
  
  c4068b4cb9bf1a7a4e85cde0505f3d4a
- SHA1
  
  06c274f8f7c41f960b5f3cd708cf5f63c3834963
- SHA256
  
  45ab2d9e569fe852506c448af349ef58bb85bb0c26e6963d50d070421c3dc2a0
- SHA512
  
  0d10c262f110aa8f0cf7ac2458cb23f9b77dad4946680dfc2454879c46fe94b8edcddfeddfe3314e37300dd17b9bfd51fe969cecd5f18db46fb28a12eb6e8c98
- SSDEEP
  
  393216:YkSUpIQEStajDy1SbSdSjs0YBUPK5TAHAGUByRR:4UpOq8+2sfBUy5TeR
Score

3^/10
behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Renames multiple (828) files with added filename extension

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Renames multiple (828) files with added filename extension

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Renames multiple (828) files with added filename extension

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Renames multiple (828) files with added filename extension

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17