97f6ce221fb5921c55164697f09176f76f65a234f517196cdba347dac1570ee4

Analysis

max time kernel
1s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/OWInstaller.exe
Size

298KB
MD5

bbac8c6550a77b63e858f50173d43e95
SHA1

a4b400e8538248b33b49e2d483be44f906d37b2a
SHA256

185e840fda52ea7ea3ae4e4f895be58f4c922469e59c472b1065efe7f5eb9b09
SHA512

f3e602e9e187fce546cb71929f07d299958c3411486d39668cc4374fba88acf375b6c6fd1436843f75b944944a663b46c9ba3cd2338ed3fa708dbe4bf55922d9
SSDEEP

6144:WpatEos7K0ICLs17TUOgFR5bu09bFyoSIm900lzq2lSlplKWcme:WpatqK0c7IOgF7qFoSU0vS8/

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	OWInstaller.exe
1668	OWInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	OWInstaller.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1668	OWInstaller.exe
1668	OWInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2792	1668	OWInstaller.exe	29
PID 1668 wrote to memory of 2792	1668	OWInstaller.exe	29
PID 1668 wrote to memory of 2792	1668	OWInstaller.exe	29
PID 2792 wrote to memory of 2700	2792	DxDiag.exe	30
PID 2792 wrote to memory of 2700	2792	DxDiag.exe	30
PID 2792 wrote to memory of 2700	2792	DxDiag.exe	30
PID 2792 wrote to memory of 2700	2792	DxDiag.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\DxDiag.exe
  "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\SysWOW64\dxdiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
    3⤵
    - Modifies registry class
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f7b91ef6259bd04bbf5639b0e4f0c04

SHA1
734b320c1ee9a55cb3f8f053238446a485ee0a9d

SHA256
f5296839d941afe34ed0a6ff693d65b813169e7dd5e29e43ce1572422563f10f

SHA512
48ea13108e0c7ec227c4dcd793fca2381390b8c2579c6142667dcda949d0fd9b03f398fed236c1e602ddced56265ae049ab60aa67b6b91ba1c2771c7e17d7b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
918e79386274e1fe0156b606c2a2c503

SHA1
649664a1c2cbd36665c65e8ae42650baca1268a6

SHA256
98af9af909ce271f19da3b03f3d30bba0a93da21dbdeb796ab075e1351d9b2ae

SHA512
f1636b93896a038c765a9a3af9ff844676fbca5d0c1bc387e3718375ee436ea6227d094163715ad652a83c9176f525ce64683a8d41aeb1f755be55624d95ca65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32ec8b3f541e7e01b552c1a3e01e1dcf

SHA1
ebcef58a3b0d676e7fa66b21965623e7c9fd866d

SHA256
b9e5a4d149ddf501f0525f06bd9acb7c9580912548f77779f950544dcae40891

SHA512
f7a04f10d6baaafd5da98fda33d3ec9de1e845881341e20fd24b68ac482849c2f6faeceec77373503bbc7db9584d9291ec4601e48823d6295392d5e832d5ba05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\reset[1].css

Filesize
427B

MD5
d29f1cfab4739a8757e86b90ee9a745f

SHA1
9f36d9336ed6a90beca34bfc7d5cee28adc3aa44

SHA256
a5d4254113dc8ec027bc30da0df9dde7c39583b024660fccca1e949d1db70f90

SHA512
56ce5d8cee435b2d9a1b9626e8ffdb449b5e1813d24468dc5808f31271d5b8adb9fa143f17743a48f5c081f67325e08ae8c881ae1acdf8dec4c3cea36fc2fa4e

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
202B

MD5
1ee58cb95444ae1cdd76ac4029319287

SHA1
aa0140d20ec454e48807972cda6663b6ea0af3c0

SHA256
7481482c0069e66d55c7e06f288f17eae160ee9f9ae359b6fd08d9f24c05a5b3

SHA512
e7d44629df963e71ef1d2801dee1af6879464b6980379278c895e11d90a8076bdb906560591b182ccb02d358394d8b1548256800dc95fb7adb8993fd027f1e2b

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
752B

MD5
518aa5a5d304eb8171e3749246309cd6

SHA1
a30d99f4bbe67eb806ce0067d172a443f3c95767

SHA256
4e4be3ffc9becaf36c1191156a53ce914579e4f070795b78bac5c5aea1df2098

SHA512
095e1e71414354d17c1a7a0190451ecd65e155e883349aeb8e8d337e27ea7dbe589f0daf815d77f1d82dc2e40d6642df25b2b3626ad3c420a5313910cfbdf7f3

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt

Filesize
15KB

MD5
0a63497339a9edf67a7d4df214484986

SHA1
c412b4cb65be72ba803dc1c9ff784ad92433cec9

SHA256
da7a291c55f86c9f9cc50fef5d39dba85e8019fc4ae18693ea0d998efe740926

SHA512
397a63f25a95a3b449c3a3205df466ae7952d8c87e332469e29fcc0d27310be7008179192f8ea85cb0bc97500518fdb70e8e31895fcdb7f4424499935c673d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F3B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1668-140-0x00000000275A0000-0x0000000027D46000-memory.dmp

Filesize
7.6MB

Download
memory/1668-3-0x000000001AD20000-0x000000001AD66000-memory.dmp

Filesize
280KB

Download
memory/1668-4-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/1668-283-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-282-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/1668-8-0x00000000007A0000-0x00000000007B8000-memory.dmp

Filesize
96KB

Download
memory/1668-1-0x000000013FC30000-0x000000013FC7C000-memory.dmp

Filesize
304KB

Download
memory/1668-2-0x00000000024C0000-0x0000000002564000-memory.dmp

Filesize
656KB

Download
memory/1668-13-0x000000001BB30000-0x000000001BBE0000-memory.dmp

Filesize
704KB

Download
memory/2700-218-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2700-222-0x0000000002990000-0x00000000029EC000-memory.dmp

Filesize
368KB

Download
memory/2700-276-0x00000000023B0000-0x00000000023DA000-memory.dmp

Filesize
168KB

Download
memory/2700-275-0x00000000023B0000-0x00000000023DA000-memory.dmp

Filesize
168KB

Download
memory/2700-219-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2700-175-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/2700-176-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/2700-284-0x00000000023B0000-0x00000000023DA000-memory.dmp

Filesize
168KB

Download