Overview

overview

7

Static

static

1

oxc.msi

windows7-x64

7

oxc.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oxc.msi

  • Size

    3.4MB

  • MD5

    b1ae202dc4e66b9a125d28fe4680fe42

  • SHA1

    f87422fa9ac8c2b52eb99f3616335c1484db8857

  • SHA256

    c6de06a61756dc3b5d4ee71674d4132971fb7ed8db7b2e504905f23571ed7bf2

  • SHA512

    dede0c88db06c4912d0e57fcba472b522eb6a2d2bbca62f8616bfa3df6c93301486172b03992a6dfefda77f4a89711c70dcc89c1d78e79574a7122f1c57b5ac1

  • SSDEEP

    98304:DpkchD0ow0KHR8h/YM9dWhX+Rdx42lfyZc4vOKl4:ecFBw00R8h/YMauRr42lY2

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\oxc.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4536
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 82959598D159390E288181B94578ADA6
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:3816
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:4488
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "HomeDLL" /t REG_SZ /F /D "C:\Windows\SysWOW64\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"
        3⤵
        • Adds Run key to start application
        PID:2028
      • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\elevate.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\elevate.exe"
        3⤵
        • Executes dropped EXE
        PID:4508
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" MAFWIKFNMUI9430.ocx, RunDllEntryPointW
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Roaming\WMProjectFiles&&reg.exe import info.txt
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\reg.exe
            reg.exe import info.txt
            5⤵
            • Registers COM server for autorun
            • Modifies registry class
            PID:4628
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}
          4⤵
          • Suspicious use of SetThreadContext
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
            C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2400
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1268
          4⤵
          • Program crash
          PID:1956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files"
        3⤵
          PID:2788
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2896
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1240
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4312,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
      1⤵
        PID:2852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3144 -ip 3144
        1⤵
          PID:1276

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files.cab
          Filesize

          3.2MB

          MD5

          2f807297f7a507ae395dbad419499fe7

          SHA1

          f6c3d7eb4ce30ac36ea14805a35c5d0e131af7a6

          SHA256

          f2894b5e9cc70bdadd842ea5cce47539b9ebfbe7f1873626477168a698468978

          SHA512

          9bc9e7a70a41c502833317506ddab8c723e76690346036da175e965ec85b72511b284e3cf1505be9a8ab8a6dc93834cacc8d1a26f5831846ab2bc4a9248c4d31

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\MAFWIKFNMUI9430.ocx
          Filesize

          3.1MB

          MD5

          7a969fb05e6382aa56fe5754e82fc179

          SHA1

          9f81731e391fadc79c170b4da2f01b21727e67be

          SHA256

          1cbb6ed84195d88da51de5ecf1fd06815d10b582942fb92266b34ceb5f77e826

          SHA512

          bc9926d8b073e0069caba3aba30302835ea90bc54d3cd7c284bacc08ad18f9523b13869c13b7e1861a77562a4e456f385067193fda5400eb79cfb9d3ac026069

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\Video01.mp4
          Filesize

          13.0MB

          MD5

          3cc34d74677bcf9088c5c4666923476e

          SHA1

          429543d90147dd60525a3f76513eb1b22194bf56

          SHA256

          9c0e4999fcc2629ff921cc903b4bb3718f5983698b1c82826ac8b4a78117180b

          SHA512

          5162f8a100bb0a3d43da77e3393994907dbc7e332d5a57f535729ab7332ee15482508e13273bc649c043a8aca5465aaec2cdd6e5c227f45f1baa7afe01d7b3b5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\WMFile01.tmp
          Filesize

          7.9MB

          MD5

          bd21b0b1a2448fe8017532d94561f4d9

          SHA1

          3a046d4893f0fe702fdd0023cb4366368afcfd40

          SHA256

          759ae83bce7475dba576953992075942bcd6e1055e18555c9f9dfc81524107a2

          SHA512

          dd97d88b422be7c6b89ee5aceee59b72996367564b00eadcd04d6fe9ca03265ecae016c5205f43448b76496ac154f61de9856f2c4eca408c034a8d521b64f00b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\elevate.exe
          Filesize

          116KB

          MD5

          beeb28be4600b914647ef7cb8dbdda87

          SHA1

          d36ce53c3703a2a438a253c9c90f71696fd0f909

          SHA256

          25f473f312de5dab2f6f8959d46da75f0e9d14ce8741d5cdcc29b29889cc14b1

          SHA512

          13de0290739236714b84c74f026e4a2614cf6cf2ab45c62397587eb7e56c2075f40c5a0d3ec4294b46b80582d623afd431b28e29b3a441bf4fa40892c2e5a05c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\files\info.txt
          Filesize

          1000B

          MD5

          c63bd4cff6dd7c34e32c46d372fde002

          SHA1

          4590da674e9f87ba109ec64ebc18fe4e24c65032

          SHA256

          01df3b4a70230a8eddd6334399f19864e218945adf2c42ce0c47f2be37482f18

          SHA512

          d19a40a55bb39f25af4ea967083fbf721387a504bc10badab8c95ce890ab2102101732359b3d51ef48042712799628a63407f7856de6c4b04fa03d79cd0f7981

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\msiwrapper.ini
          Filesize

          1022B

          MD5

          be42eb17417e4f99f0ce8bdcda1dab99

          SHA1

          ec74281d8e3cdf812212fb0ed56082134901b14a

          SHA256

          580fbc342f6d932951bc632e5bafc61d9ccbc3ba7a6cb3e635a04ac5d2c208f9

          SHA512

          210e516d31ab34867342adae4c0ca66a3a04849bd51095045f316c0e56acab0245f42075df10c2772516a69da5f88504b723e4825b6cc26fbb608c134d2a4a8e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MW-ae949a59-eb89-44d4-8c32-5805f4cb09a1\msiwrapper.ini
          Filesize

          1KB

          MD5

          df019e5879a5a3e60211046118ef6196

          SHA1

          b35d3569da726535037a5bf1d81c8b073d322067

          SHA256

          2977eadf27e5fd33ba57d8ea3b9242297f7e7e2b1d5af12a743f56c0294fc2af

          SHA512

          b79bc85cd86b4bab8ced4df8a7c59ccefb18a21f9b7f5854dfe1b6035266f37bbb8e71c4211b2b25a95241f1f291f3064e2aac5eb848175b37e487017088292c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WMProjectFiles\Sound.mp3
          Filesize

          45KB

          MD5

          f3260efd0b21dde6a808319149614ac7

          SHA1

          c7aff49218b38624937742ac31854d77b086a55f

          SHA256

          3c55e3e41d4b12815dc543ca653d3d22dd3466c604f47498f8661a29d4c0c44f

          SHA512

          8d0602f072f12fe6a8fa73eabcc57712e95c72a4e32c144778b86d7b577b2cc1424e7dbf0e31bf6dc50787b25169dbe394d8c7d11e4fbffc96852dbb976e76cc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WMProjectFiles\info.txt
          Filesize

          1KB

          MD5

          56a1ad1818fb3bd63db9c8c86d40884e

          SHA1

          89a599219c4017b88b097ddef64939c1ea2083a3

          SHA256

          c8cb3dca3d91579f88e729e2a001869f0b4064246206a5be934834d77a831d56

          SHA512

          757b4323be249c5b1196a4c75c4de4af91f0ae06e8a4a03d20b86db1f2f607ee756dcd04f8f55949948178685b586fe64c488e9bd72080d62bc84497fb415764

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WMProjectFiles\soundtrack.ocx
          Filesize

          1.3MB

          MD5

          ecedc82a044dd6cce5e8dc1c811ea471

          SHA1

          11488750da5a36ca9bb531505fa55f789efc232a

          SHA256

          8f4c32cfe1a449fd8bdb929025f61522c574e82a3667c936a306f35976efe2de

          SHA512

          193c94332d49ba728a738e15b72a8c32bac2dca8909ff800bfa1f3136d91c9f0c9dee0cab748b4f3ad920d1c15ca62db5e50e313f99d1b8d580cc016a24ecf3d

          Download Submit

        • C:\Users\Public\Libraries\WMFile01.dll
          Filesize

          7.9MB

          MD5

          b818d9388d7e8da45758e5a479ff8cc5

          SHA1

          d273dd3d22285821eb3263e2c0d61300cfddea24

          SHA256

          9254ba70d1139214015fbe3dee7edc1c68aeb0993fec0bd6cb14c30aff318f5c

          SHA512

          11322b5dac590f8812ba0217e096588aaf6c9c2a5ca52b52e92b4be99554437a96ad0afd6a942a075d840fe2cbb800a6d5f2c42793217bbc4aeb28755554a516

          Download Submit

        • C:\Windows\Installer\MSI1817.tmp
          Filesize

          208KB

          MD5

          0c8921bbcc37c6efd34faf44cf3b0cb5

          SHA1

          dcfa71246157edcd09eecaf9d4c5e360b24b3e49

          SHA256

          fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

          SHA512

          ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          23.7MB

          MD5

          23433d1dcaa696b4afe0b9d68e24389e

          SHA1

          8f30504b3d2b7f8623d7adaacb1fcb1843ae846a

          SHA256

          861663a7f115280c3784f58d4c54044dbbc3cf246df9026b1438a18d5a36d5fe

          SHA512

          69a8a5ee30f0392f6307fa5097ce6a38a7dc24bd8b106f7e4e9f34aef1232122b768f58c5c815213789ef04dec449c0df0c8ec6defaec2021e66d94076d344d3

          Download Submit

        • \??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{90c5d58e-5627-40b3-877d-b6f22b18c7e9}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          2d0ad4903cd239307a26d52d7d738f1a

          SHA1

          7abb911c6e1cea61dc0b1ddd2452b14094b37850

          SHA256

          7b49840c0dfacbc7543416fcbd5ddd62053a39d1c97b7c4b31da7708b31f2f17

          SHA512

          05749cd3693d5466f02457fc0b7b8fb414ff12f7a0029e334964a710213030143c8f487f6ae73842ca6ef10beaed1319c73b3e686d196091e0c84f02d9440d4f

          Download Submit

        • memory/892-119-0x0000000003B10000-0x00000000042F2000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2400-137-0x0000000000400000-0x00000000010FE000-memory.dmp

          Filesize

          13.0MB

          Download

        • memory/2400-133-0x0000000000400000-0x00000000010FE000-memory.dmp

          Filesize

          13.0MB

          Download

        • memory/2400-131-0x0000000000400000-0x00000000010FE000-memory.dmp

          Filesize

          13.0MB

          Download

        • memory/2400-141-0x0000000000400000-0x00000000010FE000-memory.dmp

          Filesize

          13.0MB

          Download

        • memory/2400-153-0x0000000000400000-0x00000000010FE000-memory.dmp

          Filesize

          13.0MB

          Download

        • memory/2400-154-0x0000000000400000-0x00000000010FE000-memory.dmp

          Filesize

          13.0MB

          Download