Analysis

  • max time kernel
    93s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/06/2024, 16:58

General

  • Target

    $PLUGINSDIR/OWInstaller.exe

  • Size

    298KB

  • MD5

    63f5594fcb9d1ebae8cbf66c17c742bc

  • SHA1

    872fe5caca41fbccced6b0102b0e7555c8c96405

  • SHA256

    46251865304dea0996cede10946150bc0555bcd8aae2b8ca9f8fdf14b1680189

  • SHA512

    fe6726ae2f5fd50fa439ca041aa990725d422014829c89de9a938d16cd7498c685210eaf9eb1d79a39b4cbbe0ebc145620509507423a5ee1e823c26ce5692864

  • SSDEEP

    6144:JpFQ9Yd2uAM4TrU96+WejMJKxLhbUV09b1moSIm9l062q2ZSyplfKcV0:JpFQyUuAiqdJMLhedoSF0HSMO

Score
5/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence check.
  • Drops file in System32 directory (18 IoCs)
  • Registers COM server for autorun (1 TTP, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Modifies registry class (35 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\System32\DxDiag.exe
      "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
      2⤵
      • Drops file in System32 directory
      • Registers COM server for autorun
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1224
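The process tree above is the only behaviour in this report that looks like an actual chain of events: an NSIS plugin binary running out of $PLUGINSDIR spawns DxDiag.exe with /t so that the hardware report lands in a user-writable Overwolf\Temp directory, and it is DxDiag, not the installer, that fires the SCSI, COM-server and System32 signatures. The example below is added here and is not part of the sandbox report or of Overwolf's code; it shows detection logic for that parent/child pattern over constructed Sysmon-style process-creation records that mirror the tree (the third record, PID 2048, is an invented benign control). Field names on ProcEvent, the PIDs for the control record and the helper names are assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed shape, modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# DxDiag's /t switch writes the diagnostic report to a file. The installer in the
# report glues the path to the switch ("/tC:\...") so the gap is optional, and a
# quoted path is accepted as well.
_DXDIAG_OUT = re.compile(r'/t\s*("(?P<q>[^"]+)"|(?P<u>\S+))', re.IGNORECASE)


def dxdiag_output_path(cmdline: str) -> Optional[str]:
    """Return the /t output path from a DxDiag command line, or None if absent."""
    m = _DXDIAG_OUT.search(cmdline)
    if not m:
        return None
    return m.group("q") or m.group("u")


def is_user_writable(path: str) -> bool:
    """Heuristic: anything under \\Users\\ that is not inside \\Windows\\."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "users" in parts and "windows" not in parts


def is_nsis_plugin_dir(image: str) -> bool:
    """True when the image runs from an NSIS $PLUGINSDIR extraction directory."""
    return "$pluginsdir" in (p.lower() for p in PureWindowsPath(image).parts)


def evaluate(events):
    """Flag DxDiag runs that write a report into user-writable space, noting an
    NSIS-plugin parent as a second reason when the parent is in the same batch."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if PureWindowsPath(e.image).name.lower() != "dxdiag.exe":
            continue
        out = dxdiag_output_path(e.cmdline)
        if out is None or not is_user_writable(out):
            continue
        reasons = [f"dxdiag /t writes its report to user-writable path {out}"]
        parent = by_pid.get(e.ppid)
        if parent is not None and is_nsis_plugin_dir(parent.image):
            reasons.append(f"parent PID {parent.pid} runs from an NSIS $PLUGINSDIR directory")
        findings.append({"pid": e.pid, "ppid": e.ppid, "reasons": reasons})
    return findings


# Constructed sample input: the first two records mirror the process tree in the
# report (PIDs 4728 and 1224); the third is an invented benign control.
SAMPLE_EVENTS = [
    ProcEvent(4728, 1000, r"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OWInstaller.exe"'),
    ProcEvent(1224, 4728, r"C:\Windows\System32\DxDiag.exe",
              r'"C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt'),
    ProcEvent(2048, 1000, r"C:\Windows\System32\DxDiag.exe",
              r'"C:\Windows\System32\DxDiag.exe"'),   # interactive run, no /t: not flagged
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"PID {f['pid']} (parent {f['ppid']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Treat a hit as a hunting signal rather than a verdict: the report itself scores this sample 5/10, and an installer collecting a DxDiag report for hardware support produces exactly this tree. Before escalating, enrich the finding with facts the sandbox page does not show, in particular the Authenticode signer of the parent binary and whether the output path is later read by another process.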

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Overwolf\Log\InstallerTrace_2024-06-07_16-58_4728.log
    Filesize 462B
    MD5 f904353acc11e8d19b8941803c4ba2c8
    SHA1 eec11257226f6e5eb1d826cc2e077c0a7b455740
    SHA256 8b5ff608d87e92cab2ff95081531b87379fe8e37dc210bdd378339b94fb4d708
    SHA512 c633c320b9e3fd7f8f173db526be1571680dbcaaccbb0b24d4833371beda2ffbc0c2e1ecf9da615f71350f7f99fb5dc9f3ac1f2c89a1135a11d96103da2e2e81

  • C:\Users\Admin\AppData\Local\Overwolf\Settings\bak\SettingsPageBasic.xml.bak
    Filesize 752B
    MD5 e6f406388d3241f4237cf8dc814f5d52
    SHA1 f26b581de77a07c48c14fbdef52424fcbe3ed71b
    SHA256 122858f125588b819ee586f9fd602e8448f40738975dae4cb5b6fb71bf67fe99
    SHA512 4f55d8ca3f2a4391bd56bc86a112f421b0f2267fa508c9aab35c5b773edc228742d38a446957456f6a2ddeb7b16e2eaead2af75476092175d84f1c2123c3b2d5

  • memory/1224-51-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-55-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-56-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-57-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-58-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-59-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-60-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-61-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-49-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/1224-50-0x0000026414EB0000-0x0000026414EB1000-memory.dmp
    Filesize 4KB
  • memory/4728-5-0x0000019146660000-0x0000019146678000-memory.dmp
    Filesize 96KB
  • memory/4728-48-0x000001994A7F0000-0x000001994AF96000-memory.dmp
    Filesize 7.6MB
  • memory/4728-43-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp
    Filesize 10.8MB
  • memory/4728-40-0x0000019146B50000-0x0000019146B72000-memory.dmp
    Filesize 136KB
  • memory/4728-14-0x0000019146AA0000-0x0000019146B50000-memory.dmp
    Filesize 704KB
  • memory/4728-11-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp
    Filesize 10.8MB
  • memory/4728-0-0x00007FFA03123000-0x00007FFA03125000-memory.dmp
    Filesize 8KB
  • memory/4728-4-0x0000019146550000-0x0000019146596000-memory.dmp
    Filesize 280KB
  • memory/4728-3-0x0000019146BD0000-0x00000191470F8000-memory.dmp
    Filesize 5.2MB
  • memory/4728-2-0x00000191465B0000-0x0000019146654000-memory.dmp
    Filesize 656KB
  • memory/4728-1-0x000001912C0E0000-0x000001912C12C000-memory.dmp
    Filesize 304KB
  • memory/4728-75-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp
    Filesize 10.8MB