Analysis
-
max time kernel
60s -
max time network
58s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
23-05-2024 06:48
General
-
Target
oxc.msi
-
Size
3.4MB
-
MD5
b1ae202dc4e66b9a125d28fe4680fe42
-
SHA1
f87422fa9ac8c2b52eb99f3616335c1484db8857
-
SHA256
c6de06a61756dc3b5d4ee71674d4132971fb7ed8db7b2e504905f23571ed7bf2
-
SHA512
dede0c88db06c4912d0e57fcba472b522eb6a2d2bbca62f8616bfa3df6c93301486172b03992a6dfefda77f4a89711c70dcc89c1d78e79574a7122f1c57b5ac1
-
SSDEEP
98304:DpkchD0ow0KHR8h/YM9dWhX+Rdx42lfyZc4vOKl4:ecFBw00R8h/YMauRr42lY2
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 10 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\oxc.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9652C7FC340F54FCAD20D9DB57CFF1272⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-eca71443-d907-4e9a-84b7-71ce34581115\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "HomeDLL" /t REG_SZ /F /D "C:\Windows\SysWOW64\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\MW-eca71443-d907-4e9a-84b7-71ce34581115\files\elevate.exe"C:\Users\Admin\AppData\Local\Temp\MW-eca71443-d907-4e9a-84b7-71ce34581115\files\elevate.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" MAFWIKFNMUI9430.ocx, RunDllEntryPointW3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Roaming\WMProjectFiles&®.exe import info.txt4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg.exe import info.txt5⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}4⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXEC:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 3564⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-eca71443-d907-4e9a-84b7-71ce34581115\files"3⤵
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-eca71443-d907-4e9a-84b7-71ce34581115\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "0000000000000584"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD52f807297f7a507ae395dbad419499fe7
SHA1f6c3d7eb4ce30ac36ea14805a35c5d0e131af7a6
SHA256f2894b5e9cc70bdadd842ea5cce47539b9ebfbe7f1873626477168a698468978
SHA5129bc9e7a70a41c502833317506ddab8c723e76690346036da175e965ec85b72511b284e3cf1505be9a8ab8a6dc93834cacc8d1a26f5831846ab2bc4a9248c4d31
-
Filesize
3.1MB
MD57a969fb05e6382aa56fe5754e82fc179
SHA19f81731e391fadc79c170b4da2f01b21727e67be
SHA2561cbb6ed84195d88da51de5ecf1fd06815d10b582942fb92266b34ceb5f77e826
SHA512bc9926d8b073e0069caba3aba30302835ea90bc54d3cd7c284bacc08ad18f9523b13869c13b7e1861a77562a4e456f385067193fda5400eb79cfb9d3ac026069
-
Filesize
45KB
MD5f3260efd0b21dde6a808319149614ac7
SHA1c7aff49218b38624937742ac31854d77b086a55f
SHA2563c55e3e41d4b12815dc543ca653d3d22dd3466c604f47498f8661a29d4c0c44f
SHA5128d0602f072f12fe6a8fa73eabcc57712e95c72a4e32c144778b86d7b577b2cc1424e7dbf0e31bf6dc50787b25169dbe394d8c7d11e4fbffc96852dbb976e76cc
-
Filesize
7.9MB
MD5bd21b0b1a2448fe8017532d94561f4d9
SHA13a046d4893f0fe702fdd0023cb4366368afcfd40
SHA256759ae83bce7475dba576953992075942bcd6e1055e18555c9f9dfc81524107a2
SHA512dd97d88b422be7c6b89ee5aceee59b72996367564b00eadcd04d6fe9ca03265ecae016c5205f43448b76496ac154f61de9856f2c4eca408c034a8d521b64f00b
-
Filesize
116KB
MD5beeb28be4600b914647ef7cb8dbdda87
SHA1d36ce53c3703a2a438a253c9c90f71696fd0f909
SHA25625f473f312de5dab2f6f8959d46da75f0e9d14ce8741d5cdcc29b29889cc14b1
SHA51213de0290739236714b84c74f026e4a2614cf6cf2ab45c62397587eb7e56c2075f40c5a0d3ec4294b46b80582d623afd431b28e29b3a441bf4fa40892c2e5a05c
-
Filesize
382B
MD5f8a61828398efab5cbe2460ba7e117f4
SHA1ec383592b86089e12191978f0030c4389b3c1dab
SHA256359ed512526e038c4ac7305d99c395712421a71d72f73eb586e1c57ff9e20a62
SHA51270d4adc56ce66618266b0964ff61f2edd6418b8d1cc06f610ae6f70d52a286b0f63105694f438327f02d9ab2d5b33c3caa2dc5dcfd2ef7a6602f5218a01f72db
-
Filesize
1KB
MD52c44847f05c05b9d73f28a0207a1c21c
SHA1137183b31ce3a6d5117c4ebf96bdb34b177e1554
SHA2561e0e65c4e1669c0de3f2c60987582811c04c078ead79aa7388c75734eb2e6772
SHA512456899d7dc2528474ec04395543a7713710d2e0103b752fb05b8395cf3063a0dfa2dae024fdf4b145eb866abcb8cd260274905f96d249502e287f17aefc8eae5
-
Filesize
13.0MB
MD53cc34d74677bcf9088c5c4666923476e
SHA1429543d90147dd60525a3f76513eb1b22194bf56
SHA2569c0e4999fcc2629ff921cc903b4bb3718f5983698b1c82826ac8b4a78117180b
SHA5125162f8a100bb0a3d43da77e3393994907dbc7e332d5a57f535729ab7332ee15482508e13273bc649c043a8aca5465aaec2cdd6e5c227f45f1baa7afe01d7b3b5
-
Filesize
1KB
MD556a1ad1818fb3bd63db9c8c86d40884e
SHA189a599219c4017b88b097ddef64939c1ea2083a3
SHA256c8cb3dca3d91579f88e729e2a001869f0b4064246206a5be934834d77a831d56
SHA512757b4323be249c5b1196a4c75c4de4af91f0ae06e8a4a03d20b86db1f2f607ee756dcd04f8f55949948178685b586fe64c488e9bd72080d62bc84497fb415764
-
Filesize
1000B
MD5c63bd4cff6dd7c34e32c46d372fde002
SHA14590da674e9f87ba109ec64ebc18fe4e24c65032
SHA25601df3b4a70230a8eddd6334399f19864e218945adf2c42ce0c47f2be37482f18
SHA512d19a40a55bb39f25af4ea967083fbf721387a504bc10badab8c95ce890ab2102101732359b3d51ef48042712799628a63407f7856de6c4b04fa03d79cd0f7981
-
Filesize
1.3MB
MD5ecedc82a044dd6cce5e8dc1c811ea471
SHA111488750da5a36ca9bb531505fa55f789efc232a
SHA2568f4c32cfe1a449fd8bdb929025f61522c574e82a3667c936a306f35976efe2de
SHA512193c94332d49ba728a738e15b72a8c32bac2dca8909ff800bfa1f3136d91c9f0c9dee0cab748b4f3ad920d1c15ca62db5e50e313f99d1b8d580cc016a24ecf3d
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
7.9MB
MD5b818d9388d7e8da45758e5a479ff8cc5
SHA1d273dd3d22285821eb3263e2c0d61300cfddea24
SHA2569254ba70d1139214015fbe3dee7edc1c68aeb0993fec0bd6cb14c30aff318f5c
SHA51211322b5dac590f8812ba0217e096588aaf6c9c2a5ca52b52e92b4be99554437a96ad0afd6a942a075d840fe2cbb800a6d5f2c42793217bbc4aeb28755554a516
-
Filesize
7.9MB
-
Filesize
4KB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
13.0MB
-
Filesize
13.0MB