Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/06/2024, 16:58

General

  • Target

    $PLUGINSDIR/OWInstaller.exe

  • Size

    298KB

  • MD5

    63f5594fcb9d1ebae8cbf66c17c742bc

  • SHA1

    872fe5caca41fbccced6b0102b0e7555c8c96405

  • SHA256

    46251865304dea0996cede10946150bc0555bcd8aae2b8ca9f8fdf14b1680189

  • SHA512

    fe6726ae2f5fd50fa439ca041aa990725d422014829c89de9a938d16cd7498c685210eaf9eb1d79a39b4cbbe0ebc145620509507423a5ee1e823c26ce5692864

  • SSDEEP

    6144:JpFQ9Yd2uAM4TrU96+WejMJKxLhbUV09b1moSIm9l062q2ZSyplfKcV0:JpFQyUuAiqdJMLhedoSF0HSMO

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 34 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\System32\DxDiag.exe
      "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\dxdiag.exe
        "C:\Windows\SysWOW64\dxdiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
        3⤵
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2780

Network

        Downloads
