Overview

overview

7

Static

static

1

oxc.msi

windows7-x64

7

oxc.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    66s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oxc.msi

  • Size

    3.4MB

  • MD5

    b1ae202dc4e66b9a125d28fe4680fe42

  • SHA1

    f87422fa9ac8c2b52eb99f3616335c1484db8857

  • SHA256

    c6de06a61756dc3b5d4ee71674d4132971fb7ed8db7b2e504905f23571ed7bf2

  • SHA512

    dede0c88db06c4912d0e57fcba472b522eb6a2d2bbca62f8616bfa3df6c93301486172b03992a6dfefda77f4a89711c70dcc89c1d78e79574a7122f1c57b5ac1

  • SSDEEP

    98304:DpkchD0ow0KHR8h/YM9dWhX+Rdx42lfyZc4vOKl4:ecFBw00R8h/YMauRr42lY2

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\oxc.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1760
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4212
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AB5C6B21AF2D33BF471444240A3915C9
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:4812
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:3108
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "HomeDLL" /t REG_SZ /F /D "C:\Windows\SysWOW64\rundll32 /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}"
        3⤵
        • Adds Run key to start application
        PID:3688
      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\elevate.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\elevate.exe"
        3⤵
        • Executes dropped EXE
        PID:916
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" MAFWIKFNMUI9430.ocx, RunDllEntryPointW
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Roaming\WMProjectFiles&&reg.exe import info.txt
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\reg.exe
            reg.exe import info.txt
            5⤵
            • Registers COM server for autorun
            • Modifies registry class
            PID:4636
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" /sta {AAE802DB-FB67-4407-A175-61223EFF30D4}
          4⤵
          • Suspicious use of SetThreadContext
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4340
          • C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
            C:\Users\Admin\AppData\Roaming\ProductConfigurations\WINDBVERS.EXE
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1372
          4⤵
          • Program crash
          PID:4508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files"
        3⤵
          PID:4320
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2272
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2064 -ip 2064
      1⤵
        PID:4692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files.cab
        Filesize

        3.2MB

        MD5

        2f807297f7a507ae395dbad419499fe7

        SHA1

        f6c3d7eb4ce30ac36ea14805a35c5d0e131af7a6

        SHA256

        f2894b5e9cc70bdadd842ea5cce47539b9ebfbe7f1873626477168a698468978

        SHA512

        9bc9e7a70a41c502833317506ddab8c723e76690346036da175e965ec85b72511b284e3cf1505be9a8ab8a6dc93834cacc8d1a26f5831846ab2bc4a9248c4d31

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\MAFWIKFNMUI9430.ocx
        Filesize

        3.1MB

        MD5

        7a969fb05e6382aa56fe5754e82fc179

        SHA1

        9f81731e391fadc79c170b4da2f01b21727e67be

        SHA256

        1cbb6ed84195d88da51de5ecf1fd06815d10b582942fb92266b34ceb5f77e826

        SHA512

        bc9926d8b073e0069caba3aba30302835ea90bc54d3cd7c284bacc08ad18f9523b13869c13b7e1861a77562a4e456f385067193fda5400eb79cfb9d3ac026069

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\Video01.mp4
        Filesize

        13.0MB

        MD5

        3cc34d74677bcf9088c5c4666923476e

        SHA1

        429543d90147dd60525a3f76513eb1b22194bf56

        SHA256

        9c0e4999fcc2629ff921cc903b4bb3718f5983698b1c82826ac8b4a78117180b

        SHA512

        5162f8a100bb0a3d43da77e3393994907dbc7e332d5a57f535729ab7332ee15482508e13273bc649c043a8aca5465aaec2cdd6e5c227f45f1baa7afe01d7b3b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\WMFile01.tmp
        Filesize

        7.9MB

        MD5

        bd21b0b1a2448fe8017532d94561f4d9

        SHA1

        3a046d4893f0fe702fdd0023cb4366368afcfd40

        SHA256

        759ae83bce7475dba576953992075942bcd6e1055e18555c9f9dfc81524107a2

        SHA512

        dd97d88b422be7c6b89ee5aceee59b72996367564b00eadcd04d6fe9ca03265ecae016c5205f43448b76496ac154f61de9856f2c4eca408c034a8d521b64f00b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\files\elevate.exe
        Filesize

        116KB

        MD5

        beeb28be4600b914647ef7cb8dbdda87

        SHA1

        d36ce53c3703a2a438a253c9c90f71696fd0f909

        SHA256

        25f473f312de5dab2f6f8959d46da75f0e9d14ce8741d5cdcc29b29889cc14b1

        SHA512

        13de0290739236714b84c74f026e4a2614cf6cf2ab45c62397587eb7e56c2075f40c5a0d3ec4294b46b80582d623afd431b28e29b3a441bf4fa40892c2e5a05c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\msiwrapper.ini
        Filesize

        382B

        MD5

        eade41273099d6e0dd25d39a8f0f5466

        SHA1

        2e5e5ac18f772f387ec3df79f940932a98461c92

        SHA256

        ab91d60bc7f404ec87efc9b979e530867a80e31a564ff30e63345e6c4cd8e3f3

        SHA512

        fed11b4233778981f5913efb51529632bd52d854a47024b3061f619ab5580e4ad528bae6c1c42442c836acbb6a921c5dde2d10bb9376261e904b7a35e33c0c70

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\msiwrapper.ini
        Filesize

        1022B

        MD5

        e0c056d8454b68c5a83a95a844792245

        SHA1

        9c26eb8978d0d31aac1441027f9e9d36e44c0dd7

        SHA256

        93d79c1044f6c6b1c17f99e6346b6e598852b4c16dacdfef614f240ae4a178df

        SHA512

        3e201cd612ba262f2499a7fe7aaef4caa86f7b2063f6fcb5068c5036666c916108a7dfb9f321fb4d62dc778b1c04ff790f90c629d0bfd704408dde66e4213052

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MW-930ac7b2-942f-48c5-9503-7c2783d9bb19\msiwrapper.ini
        Filesize

        1KB

        MD5

        ed19d042f9a8381905c9a0290acd1843

        SHA1

        2d8940fda28d07cb80799bdd4ba410efbc77d431

        SHA256

        8d938a29b6b76f48f27edcff4c40660e9c3699487ee304f95d5adade578cde3e

        SHA512

        e897f664d83a83d1b638d5a92e00f77afec857b735d3a3a18051711f9857b34bd97bc08a202b4645e726cf0ea3a252a2feaaa31c70ffd5921e15bd21419e3b0e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WMProjectFiles\Sound.mp3
        Filesize

        45KB

        MD5

        f3260efd0b21dde6a808319149614ac7

        SHA1

        c7aff49218b38624937742ac31854d77b086a55f

        SHA256

        3c55e3e41d4b12815dc543ca653d3d22dd3466c604f47498f8661a29d4c0c44f

        SHA512

        8d0602f072f12fe6a8fa73eabcc57712e95c72a4e32c144778b86d7b577b2cc1424e7dbf0e31bf6dc50787b25169dbe394d8c7d11e4fbffc96852dbb976e76cc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WMProjectFiles\info.txt
        Filesize

        1KB

        MD5

        56a1ad1818fb3bd63db9c8c86d40884e

        SHA1

        89a599219c4017b88b097ddef64939c1ea2083a3

        SHA256

        c8cb3dca3d91579f88e729e2a001869f0b4064246206a5be934834d77a831d56

        SHA512

        757b4323be249c5b1196a4c75c4de4af91f0ae06e8a4a03d20b86db1f2f607ee756dcd04f8f55949948178685b586fe64c488e9bd72080d62bc84497fb415764

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WMProjectFiles\info.txt
        Filesize

        1000B

        MD5

        c63bd4cff6dd7c34e32c46d372fde002

        SHA1

        4590da674e9f87ba109ec64ebc18fe4e24c65032

        SHA256

        01df3b4a70230a8eddd6334399f19864e218945adf2c42ce0c47f2be37482f18

        SHA512

        d19a40a55bb39f25af4ea967083fbf721387a504bc10badab8c95ce890ab2102101732359b3d51ef48042712799628a63407f7856de6c4b04fa03d79cd0f7981

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WMProjectFiles\soundtrack.ocx
        Filesize

        1.3MB

        MD5

        ecedc82a044dd6cce5e8dc1c811ea471

        SHA1

        11488750da5a36ca9bb531505fa55f789efc232a

        SHA256

        8f4c32cfe1a449fd8bdb929025f61522c574e82a3667c936a306f35976efe2de

        SHA512

        193c94332d49ba728a738e15b72a8c32bac2dca8909ff800bfa1f3136d91c9f0c9dee0cab748b4f3ad920d1c15ca62db5e50e313f99d1b8d580cc016a24ecf3d

        Download Submit

      • C:\Users\Public\Libraries\WMFile01.dll
        Filesize

        7.9MB

        MD5

        b818d9388d7e8da45758e5a479ff8cc5

        SHA1

        d273dd3d22285821eb3263e2c0d61300cfddea24

        SHA256

        9254ba70d1139214015fbe3dee7edc1c68aeb0993fec0bd6cb14c30aff318f5c

        SHA512

        11322b5dac590f8812ba0217e096588aaf6c9c2a5ca52b52e92b4be99554437a96ad0afd6a942a075d840fe2cbb800a6d5f2c42793217bbc4aeb28755554a516

        Download Submit

      • C:\Windows\Installer\MSI692A.tmp
        Filesize

        208KB

        MD5

        0c8921bbcc37c6efd34faf44cf3b0cb5

        SHA1

        dcfa71246157edcd09eecaf9d4c5e360b24b3e49

        SHA256

        fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

        SHA512

        ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.7MB

        MD5

        06603f668d4ce46211f8caeb7ee18547

        SHA1

        2c5634b284d109e26be8a50620e8bf4060df1c72

        SHA256

        b0a9baf02de24ba24cf534dea9211678cf4654c6318b68a29b3943646e407f34

        SHA512

        66c443bbceffe0e1c4289b5f43df9cb7c49a3673708b628c2a88c5406c398f57a10b80749bb057fef8b07dfaa5ae074843a0899c26a669e7855544fbdc00feed

        Download Submit

      • \??\Volume{b8b1c3f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b598c5f-6f8d-4590-96ec-9f7b4f572f28}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        03a35439976ccf4a92d6aa2b5e0bdfd5

        SHA1

        4a1e7d936b160dc4369327f824832586ebd7b05c

        SHA256

        5d779b2528e25816a85c28f70eb181a6a5a7fdbcad539d5873bde4cfa83df4bc

        SHA512

        2dbc9c70fa0c7e0e7afce4750434932a991ca4cb730ed002b4913c777d56eb6bf4bf659f7cc622056819babbe5542da8012c4e5ccb751d35203c04016d2fe838

        Download Submit

      • memory/1684-127-0x0000000000400000-0x00000000010FE000-memory.dmp

        Filesize

        13.0MB

        Download

      • memory/1684-130-0x0000000000400000-0x00000000010FE000-memory.dmp

        Filesize

        13.0MB

        Download

      • memory/1684-133-0x0000000000400000-0x00000000010FE000-memory.dmp

        Filesize

        13.0MB

        Download

      • memory/1684-141-0x0000000000400000-0x00000000010FE000-memory.dmp

        Filesize

        13.0MB

        Download

      • memory/1684-142-0x0000000000400000-0x00000000010FE000-memory.dmp

        Filesize

        13.0MB

        Download

      • memory/4340-117-0x00000000032E0000-0x0000000003AC2000-memory.dmp

        Filesize

        7.9MB

        Download