Overview

overview

7

Static

static

1

oxc.msi

windows7-x64

7

oxc.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oxc.msi

  • Size

    3.4MB

  • MD5

    b1ae202dc4e66b9a125d28fe4680fe42

  • SHA1

    f87422fa9ac8c2b52eb99f3616335c1484db8857

  • SHA256

    c6de06a61756dc3b5d4ee71674d4132971fb7ed8db7b2e504905f23571ed7bf2

  • SHA512

    dede0c88db06c4912d0e57fcba472b522eb6a2d2bbca62f8616bfa3df6c93301486172b03992a6dfefda77f4a89711c70dcc89c1d78e79574a7122f1c57b5ac1

  • SSDEEP

    98304:DpkchD0ow0KHR8h/YM9dWhX+Rdx42lfyZc4vOKl4:ecFBw00R8h/YMauRr42lY2

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\oxc.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1808
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 315224CF515E711700A1815676D92427
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1612
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1228
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "HomeDLL" /t REG_SZ /F /D "C:\Windows\SysWOW64\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"
        3⤵
        • Adds Run key to start application
        PID:2108
      • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\elevate.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\elevate.exe"
        3⤵
        • Executes dropped EXE
        PID:2532
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" MAFWIKFNMUI9430.ocx, RunDllEntryPointW
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Roaming\WMProjectFiles&&reg.exe import info.txt
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:608
          • C:\Windows\SysWOW64\reg.exe
            reg.exe import info.txt
            5⤵
            • Registers COM server for autorun
            • Modifies registry class
            PID:1852
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}
          4⤵
          • Suspicious use of SetThreadContext
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
            C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 356
          4⤵
          • Program crash
          PID:1144
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1280
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000004CC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files.cab
    Filesize

    3.2MB

    MD5

    2f807297f7a507ae395dbad419499fe7

    SHA1

    f6c3d7eb4ce30ac36ea14805a35c5d0e131af7a6

    SHA256

    f2894b5e9cc70bdadd842ea5cce47539b9ebfbe7f1873626477168a698468978

    SHA512

    9bc9e7a70a41c502833317506ddab8c723e76690346036da175e965ec85b72511b284e3cf1505be9a8ab8a6dc93834cacc8d1a26f5831846ab2bc4a9248c4d31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\MAFWIKFNMUI9430.ocx
    Filesize

    3.1MB

    MD5

    7a969fb05e6382aa56fe5754e82fc179

    SHA1

    9f81731e391fadc79c170b4da2f01b21727e67be

    SHA256

    1cbb6ed84195d88da51de5ecf1fd06815d10b582942fb92266b34ceb5f77e826

    SHA512

    bc9926d8b073e0069caba3aba30302835ea90bc54d3cd7c284bacc08ad18f9523b13869c13b7e1861a77562a4e456f385067193fda5400eb79cfb9d3ac026069

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\Sound.mp3
    Filesize

    45KB

    MD5

    f3260efd0b21dde6a808319149614ac7

    SHA1

    c7aff49218b38624937742ac31854d77b086a55f

    SHA256

    3c55e3e41d4b12815dc543ca653d3d22dd3466c604f47498f8661a29d4c0c44f

    SHA512

    8d0602f072f12fe6a8fa73eabcc57712e95c72a4e32c144778b86d7b577b2cc1424e7dbf0e31bf6dc50787b25169dbe394d8c7d11e4fbffc96852dbb976e76cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\Video01.mp4
    Filesize

    13.0MB

    MD5

    3cc34d74677bcf9088c5c4666923476e

    SHA1

    429543d90147dd60525a3f76513eb1b22194bf56

    SHA256

    9c0e4999fcc2629ff921cc903b4bb3718f5983698b1c82826ac8b4a78117180b

    SHA512

    5162f8a100bb0a3d43da77e3393994907dbc7e332d5a57f535729ab7332ee15482508e13273bc649c043a8aca5465aaec2cdd6e5c227f45f1baa7afe01d7b3b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\WMFile01.tmp
    Filesize

    7.9MB

    MD5

    bd21b0b1a2448fe8017532d94561f4d9

    SHA1

    3a046d4893f0fe702fdd0023cb4366368afcfd40

    SHA256

    759ae83bce7475dba576953992075942bcd6e1055e18555c9f9dfc81524107a2

    SHA512

    dd97d88b422be7c6b89ee5aceee59b72996367564b00eadcd04d6fe9ca03265ecae016c5205f43448b76496ac154f61de9856f2c4eca408c034a8d521b64f00b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\elevate.exe
    Filesize

    116KB

    MD5

    beeb28be4600b914647ef7cb8dbdda87

    SHA1

    d36ce53c3703a2a438a253c9c90f71696fd0f909

    SHA256

    25f473f312de5dab2f6f8959d46da75f0e9d14ce8741d5cdcc29b29889cc14b1

    SHA512

    13de0290739236714b84c74f026e4a2614cf6cf2ab45c62397587eb7e56c2075f40c5a0d3ec4294b46b80582d623afd431b28e29b3a441bf4fa40892c2e5a05c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\files\info.txt
    Filesize

    1000B

    MD5

    c63bd4cff6dd7c34e32c46d372fde002

    SHA1

    4590da674e9f87ba109ec64ebc18fe4e24c65032

    SHA256

    01df3b4a70230a8eddd6334399f19864e218945adf2c42ce0c47f2be37482f18

    SHA512

    d19a40a55bb39f25af4ea967083fbf721387a504bc10badab8c95ce890ab2102101732359b3d51ef48042712799628a63407f7856de6c4b04fa03d79cd0f7981

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-1c09dd7e-4b28-447f-8c46-b88dda8c9738\msiwrapper.ini
    Filesize

    1KB

    MD5

    dc282a393ee3b3af7518e176917ace30

    SHA1

    cd1fd9306614b9a770ad8047a2d7ed0218040c90

    SHA256

    b108571afe16d7045c3e29fd3ae12829753c97adb5941e75518493b17f82cefe

    SHA512

    6b6344b16c1e1ca7276c8e0c63d37493f5e2b4677838ca8c21565f71bf589e42193d89c7a925ca852ddd92c6162beee022f72bdf3de2a1edfcd07d0e353d3cea

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WMProjectFiles\info.txt
    Filesize

    1KB

    MD5

    56a1ad1818fb3bd63db9c8c86d40884e

    SHA1

    89a599219c4017b88b097ddef64939c1ea2083a3

    SHA256

    c8cb3dca3d91579f88e729e2a001869f0b4064246206a5be934834d77a831d56

    SHA512

    757b4323be249c5b1196a4c75c4de4af91f0ae06e8a4a03d20b86db1f2f607ee756dcd04f8f55949948178685b586fe64c488e9bd72080d62bc84497fb415764

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WMProjectFiles\soundtrack.ocx
    Filesize

    1.3MB

    MD5

    ecedc82a044dd6cce5e8dc1c811ea471

    SHA1

    11488750da5a36ca9bb531505fa55f789efc232a

    SHA256

    8f4c32cfe1a449fd8bdb929025f61522c574e82a3667c936a306f35976efe2de

    SHA512

    193c94332d49ba728a738e15b72a8c32bac2dca8909ff800bfa1f3136d91c9f0c9dee0cab748b4f3ad920d1c15ca62db5e50e313f99d1b8d580cc016a24ecf3d

    Download Submit

  • C:\Windows\Installer\MSI3302.tmp
    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

    Download Submit

  • \Users\Public\Libraries\WMFile01.dll
    Filesize

    7.9MB

    MD5

    b818d9388d7e8da45758e5a479ff8cc5

    SHA1

    d273dd3d22285821eb3263e2c0d61300cfddea24

    SHA256

    9254ba70d1139214015fbe3dee7edc1c68aeb0993fec0bd6cb14c30aff318f5c

    SHA512

    11322b5dac590f8812ba0217e096588aaf6c9c2a5ca52b52e92b4be99554437a96ad0afd6a942a075d840fe2cbb800a6d5f2c42793217bbc4aeb28755554a516

    Download Submit

  • memory/2404-118-0x00000000033D0000-0x0000000003BB2000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/3068-136-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-133-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-131-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-130-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-137-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-140-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-144-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-164-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/3068-165-0x0000000000400000-0x00000000010FE000-memory.dmp

    Filesize

    13.0MB

    Download