Overview
overview
6Static
static
3oofile_1.4...ll.dll
windows7-x64
1oofile_1.4...ll.dll
windows10-2004-x64
1oofile_1.4...ll.dll
windows7-x64
3oofile_1.4...ll.dll
windows10-2004-x64
3oofile_1.4...en.exe
windows7-x64
1oofile_1.4...en.exe
windows10-2004-x64
1oofile_1.4...le.exe
windows7-x64
6oofile_1.4...le.exe
windows10-2004-x64
3oofile_1.4.../1.asp
windows7-x64
3oofile_1.4.../1.asp
windows10-2004-x64
3oofile_1.4...g.html
windows7-x64
1oofile_1.4...g.html
windows10-2004-x64
1oofile_1.4...rid.js
windows7-x64
1oofile_1.4...rid.js
windows10-2004-x64
1oofile_1.4...ase.js
windows7-x64
1oofile_1.4...ase.js
windows10-2004-x64
1oofile_1.4...all.js
windows7-x64
1oofile_1.4...all.js
windows10-2004-x64
1oofile_1.4...ore.js
windows7-x64
1oofile_1.4...ore.js
windows10-2004-x64
1oofile_1.4...w.html
windows7-x64
1oofile_1.4...w.html
windows10-2004-x64
1oofile_1.4...veX.js
windows7-x64
1oofile_1.4...veX.js
windows10-2004-x64
1oofile_1.4...Int.js
windows7-x64
1oofile_1.4...Int.js
windows10-2004-x64
1oofile_1.4...nt2.js
windows7-x64
1oofile_1.4...nt2.js
windows10-2004-x64
1oofile_1.4...der.js
windows7-x64
1oofile_1.4...der.js
windows10-2004-x64
1oofile_1.4...enu.js
windows7-x64
1oofile_1.4...enu.js
windows10-2004-x64
1Analysis
-
max time kernel
133s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/04/2024, 10:31
Static task
static1
Behavioral task
behavioral1
Sample
oofile_1.47/FileTranDll.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
oofile_1.47/FileTranDll.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
oofile_1.47/JpgDll.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
oofile_1.47/JpgDll.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
oofile_1.47/ooScreen.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
oofile_1.47/ooScreen.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
oofile_1.47/oofile.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
oofile_1.47/oofile.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
oofile_1.47/viewer/1.asp
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
oofile_1.47/viewer/1.asp
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
oofile_1.47/viewer/ViewLog.html
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral12
Sample
oofile_1.47/viewer/ViewLog.html
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
oofile_1.47/viewer/XmlGrid.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
oofile_1.47/viewer/XmlGrid.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
oofile_1.47/viewer/ext-2.2.1/adapter/ext/ext-base.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
oofile_1.47/viewer/ext-2.2.1/adapter/ext/ext-base.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
oofile_1.47/viewer/ext-2.2.1/ext-all.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
oofile_1.47/viewer/ext-2.2.1/ext-all.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
oofile_1.47/viewer/ext-2.2.1/ext-core.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
oofile_1.47/viewer/ext-2.2.1/ext-core.js
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
oofile_1.47/viewer/htwin/p_OpenMoreWindow.html
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral22
Sample
oofile_1.47/viewer/htwin/p_OpenMoreWindow.html
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
oofile_1.47/viewer/js/ActiveX.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
oofile_1.47/viewer/js/ActiveX.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
oofile_1.47/viewer/js/BigInt.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral26
Sample
oofile_1.47/viewer/js/BigInt.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
oofile_1.47/viewer/js/BigInt2.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
oofile_1.47/viewer/js/BigInt2.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
oofile_1.47/viewer/js/SessionProvider.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
oofile_1.47/viewer/js/SessionProvider.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
oofile_1.47/viewer/js/TabCloseMenu.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
oofile_1.47/viewer/js/TabCloseMenu.js
Resource
win10v2004-20240412-en
windows10-2004-x64
General
-
Target
oofile_1.47/oofile.exe
-
Size
256KB
-
MD5
c914296daf71a04ef114271500d8315b
-
SHA1
5046cddbd10683d478b70721ee472cc9ee70066a
-
SHA256
530075b0aa1716c3782b26ebaeb5d45735c6e7e97931a44a798510a5c47e0221
-
SHA512
7f9cf37deb570eb839c2d81a32828762e4884f6dd2d783582e82ef62dda9688ead765918fdae725a5b63dc1c0dc0072b37b4ed393a451248ecf1231aeaf6e3d5
-
SSDEEP
3072:cRCTg1Y3ZaYhuXAmgRp9ZFd5d2YGdpxHdXSKJLUQNLdZXARuLlnrzlLiVl:oqZ5ufcFFd5d2FIU5WuZnli
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oofile = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oofile_1.47\\oofile.exe -h" oofile.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 oofile.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main oofile.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch oofile.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" oofile.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681}\TypeLib\ = "{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo.1\ = "HostInfo Class" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07D1FA7A-925A-478C-B771-321852587289}\TypeLib\Version = "1.0" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07D1FA7A-925A-478C-B771-321852587289}\TypeLib\ = "{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C} oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\ProgID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\ProgID\ = "FileTranDll.Client.1" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\ = "Connection Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo.1\CLSID oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494} oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DC442BB-F3F5-4D6D-ACDC-2B8A312F1F64}\VersionIndependentProgID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client\ = "Client Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection\CurVer oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\Programmable oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\ProxyStubClsid32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ = "IConnection" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server.1 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1\CLSID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}\1.0\HELPDIR\ oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\ = "Server Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection\CLSID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1\CLSID\ = "{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\VersionIndependentProgID\ = "w_exployer.RcSend" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\TypeLib oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib\Version = "1.0" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2} oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DC442BB-F3F5-4D6D-ACDC-2B8A312F1F64}\InprocServer32\ThreadingModel = "Both" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07D1FA7A-925A-478C-B771-321852587289}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo\CurVer oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C09B0011-6B92-4FFB-BCC3-5AE3716B09CB}\Programmable oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07D1FA7A-925A-478C-B771-321852587289}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\InprocServer32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oofile_1.47\\w_exployer.dll" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\TypeLib\ = "{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681}\TypeLib\Version = "1.0" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\ProgID\ = "FileTranDll.Connection.1" oofile.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\Programmable oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}\1.0\ = "Filemax 1.0 Right Click" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\InprocServer32\ThreadingModel = "Apartment" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend.1 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend\ = "RcSend Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client\CLSID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oofile_1.47\\FileTranDll.dll" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oofile_1.47\\FileTranDll.dll" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681} oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\HELPDIR oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.YSysTray\CurVer oofile.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1948 oofile.exe 1948 oofile.exe 1948 oofile.exe 1948 oofile.exe 1948 oofile.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 1948 oofile.exe 1948 oofile.exe 1948 oofile.exe 1948 oofile.exe 1948 oofile.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1948 oofile.exe 1948 oofile.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\oofile_1.47\oofile.exe"C:\Users\Admin\AppData\Local\Temp\oofile_1.47\oofile.exe"1⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1948
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
370B
MD50f5712d99f428e49ede8f5278be4f1d0
SHA17b9bae009c897a5a6e8f0c16b038b5c2b0cf8b14
SHA256f6fb283e4dcedd30579edf37cb241498186d79131e37a1919f0dcd3216c1bcb2
SHA5122793f5cf7512ed690f7d5456b40e5bbe727c0c23590b6e05ac00df9991980e62e29d71073b9398578fb310e7f276ae4ceec6a2688f26997895c5f7c6bab7df01