4deb8f063217cb2ae705b3bed0e29b7d724f0792b164f670192940020c76f6a3

Analysis

max time kernel
14s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OglWH.exe
Size

25.8MB
MD5

5c0b913e87773aa3dc10dc65838c3237
SHA1

d3d1cb2fe8e75740d512600310b545bcdad1e6b6
SHA256

4deb8f063217cb2ae705b3bed0e29b7d724f0792b164f670192940020c76f6a3
SHA512

e46f2520b886052fc194e8f1e498c4b994bd4df2a7cbe259e840e6d2e4b65cdeee4782cacc92c806a46346cffc0671370eab4114a10fdf8e791bf3c6db78a411
SSDEEP

786432:XA8j8FKUvHJUJ9GlMEL3g/v32CuhEi8NC:Q8j8FvHJUeDLQmChid

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2596	main.exe

Loads dropped DLL 34 IoCs

pid	Process
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe
2596	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2596	3104	OglWH.exe	80
PID 3104 wrote to memory of 2596	3104	OglWH.exe	80
PID 2596 wrote to memory of 3076	2596	main.exe	81
PID 2596 wrote to memory of 3076	2596	main.exe	81

C:\Users\Admin\AppData\Local\Temp\OglWH.exe
"C:\Users\Admin\AppData\Local\Temp\OglWH.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\main.exe
  "C:\Users\Admin\AppData\Local\Temp\OglWH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\PyQt5\QtCore.pyd

Filesize
2.3MB

MD5
b8bf497471af412b83d140ae401bfdfc

SHA1
35cd8fd15df2a37df2b76b2b49d2342afab5663a

SHA256
14dd0eebe373d3bd232122836d5394adeb1ad10448d16dd5bafc9de4e3b0c5c2

SHA512
85fa8ea5b4c0e5abd453c3de2832eb55c8bc52c707423500e42e451a0f184534839f5184290a0fd88a9c3867f049ac6c22970267dd67b0294e00c025ced37f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\PyQt5\QtGui.pyd

Filesize
2.3MB

MD5
4e87f6d7e1356653753893bebc7531ee

SHA1
d64d4645d7d0f902c62e18a26a02003167fa7a49

SHA256
0672e0e3f36d1b26aa741f5c38419361b4afc55f3d6b88c37f85928806ab2992

SHA512
bc930dacee410db6e90cf3359541e7b1a1a6fbf20411926745e17d554d4bad41656b202915d56e931e6659969f0212f6912daf706c656fc32d8c1dbda861301a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\PyQt5\QtWidgets.pyd

Filesize
4.8MB

MD5
10c109342bceffb9bdb23b867ad3a479

SHA1
81a3cde425dd3729a5c5d3711604fea69371002f

SHA256
8a7ee266d1acb32e30e45cad3033681ebda13ba75007f5e64b237e4b288d7daf

SHA512
7e550de2e8781e3b092a2d899df3aadbb20422e4ade42f11eaf44a95a5d5a482a914270edfc4b16d846fc3614edc374440f6b1ed8c561e5a143c55fd126d0303

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Qt5Core.dll

Filesize
5.7MB

MD5
817520432a42efa345b2d97f5c24510e

SHA1
fea7b9c61569d7e76af5effd726b7ff6147961e5

SHA256
8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a

SHA512
8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Qt5Gui.dll

Filesize
6.7MB

MD5
47307a1e2e9987ab422f09771d590ff1

SHA1
0dfc3a947e56c749a75f921f4a850a3dcbf04248

SHA256
5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e

SHA512
21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Qt5Widgets.dll

Filesize
5.2MB

MD5
4cd1f8fdcd617932db131c3688845ea8

SHA1
b090ed884b07d2d98747141aefd25590b8b254f9

SHA256
3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358

SHA512
7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\python3.dll

Filesize
60KB

MD5
0812ee5d8abc0072957e9415ba6e62f2

SHA1
ea05c427e46c5d9470ba81d6b7cbca6838ee0dd5

SHA256
84a29c369560c5175d22ee764fe8ada882ab6b37b6b10c005404153518a344ec

SHA512
18ca5631f2ae957b9ec8eaa7aa87094d3a296548790ced970752625a0f271511e0ce0042a0ea5469a9c362a0d811c530ef6fe41b84c61b25c838466acc37f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll

Filesize
1.8MB

MD5
75909678c6a79ca2ca780a1ceb00232e

SHA1
39ddbeb1c288335abe910a5011d7034345425f7d

SHA256
fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

SHA512
91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll

Filesize
1.5MB

MD5
4b6270a72579b38c1cc83f240fb08360

SHA1
1a161a014f57fe8aa2fadaab7bc4f9faaac368de

SHA256
cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

SHA512
0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\PyQt5\sip.pyd

Filesize
117KB

MD5
0bed803e3b4b002dc22d842eb81a252c

SHA1
29d173b8c05a654362476e134d4820d6de66c5cf

SHA256
88ec6e35a6c27e2fef34c2876aa0a44d6b40c7fb0a6124b025803918f65cf266

SHA512
4150ec78550dc7be0c91ba938f8f172956ea22fb54067d3ec773ba26b0f521453f00618b3b278525983eabf6e41aaa86742153f252dcae1b22de233e57b74fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_bz2.pyd

Filesize
77KB

MD5
a1fbcfbd82de566a6c99d1a7ab2d8a69

SHA1
3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76

SHA256
0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095

SHA512
55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_ctypes.pyd

Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_lzma.pyd

Filesize
150KB

MD5
a6bee109071bbcf24e4d82498d376f82

SHA1
1babacdfaa60e39e21602908047219d111ed8657

SHA256
ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f

SHA512
8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_multiprocessing.pyd

Filesize
29KB

MD5
429673c64ccfefdfb3f3c9e0fb4402ab

SHA1
d96b83d6a76397d56ad3ec09e8b3c10d7932c309

SHA256
2c1bc1c4827f61bc4282c2c60bb5c921eb91f6e487422e662cb54f5d1510baa6

SHA512
db19034fe1b133c79e7db5b568ccb0328bb0e2d3a1dde5443bf5dffa19a1eddce4a0d647810804312daa0f02e3206f8d5af5f40f551037a58b8343d45569e88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_queue.pyd

Filesize
26KB

MD5
8dd33fe76645636520c5d976b8a2b6fc

SHA1
12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7

SHA256
8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595

SHA512
e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_socket.pyd

Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\_tkinter.pyd

Filesize
60KB

MD5
63cb15c35973016a2faa85b6498e7e6e

SHA1
e4b29cfb1816cbb4dca48cb1c198ca77e62c1d2a

SHA256
fee72ad34e2ee6d0156d7521f3fda7fe1c336201db4e694bfacbf20f3de3845a

SHA512
ff63fc2f4b24c5001124b86414bcab95044661e71220308deaa92aef79184e559b28852029079369f38926d9fdd14d524d43ab6fc9e950d7287b05805dfb1d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\main.exe

Filesize
12.8MB

MD5
98e5414ff0e7877dfff916860c6eb16d

SHA1
53bd98ac40e0907fd66532a92aba5f1296892747

SHA256
64056ad9389a66a8e6cb65ad1900c1f8e6f89edefa30de84474de914a35926e8

SHA512
f6bf210748f80bf620392f5dfdae82ee7627206f6495ad953665cceb17018bd74f5f8f1365a34fa74da2219b7c6dc1b317d4c298690e7195be52bf8a94274458

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\msvcp140.dll

Filesize
576KB

MD5
01b946a2edc5cc166de018dbb754b69c

SHA1
dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46

SHA256
88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5

SHA512
65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\msvcp140_1.dll

Filesize
30KB

MD5
0fe6d52eb94c848fe258dc0ec9ff4c11

SHA1
95cc74c64ab80785f3893d61a73b8a958d24da29

SHA256
446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f

SHA512
c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\pythoncom310.dll

Filesize
543KB

MD5
b7acfad9f0f36e7cf8bfb0dd58360ffe

SHA1
8fa816d403f126f3326cb6c73b83032bb0590107

SHA256
461328c988d4c53f84579fc0880c4a9382e14b0c8b830403100a2fa3df0fd9a9

SHA512
4fed8a9162a9a2ebc113ea44d461fb498f9f586730218d9c1cddcd7c8c803cad6dea0f563b8d7533321ecb25f6153ca7c5777c314e7cb76d159e39e74c72d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\pywintypes310.dll

Filesize
139KB

MD5
f200ca466bf3b8b56a272460e0ee4abc

SHA1
ca18e04f143424b06e0df8d00d995c2873aa268d

SHA256
a6700ca2bee84c1a051ba4b22c0cde5a6a5d3e35d4764656cfdc64639c2f6b77

SHA512
29bf2425b665af9d2f9fd7795bf2ab012aa96faed9a1a023c86afa0d2036cc6014b48116940fad93b7de1e8f4f93eb709cc9319439d7609b79fd8b92669b377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\select.pyd

Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\vcruntime140_1.dll

Filesize
36KB

MD5
37c372da4b1adb96dc995ecb7e68e465

SHA1
6c1b6cb92ff76c40c77f86ea9a917a5f854397e2

SHA256
1554b5802968fdb2705a67cbb61585e9560b9e429d043a5aa742ef3c9bbfb6bf

SHA512
926f081b1678c15dc649d7e53bfbe98e4983c9ad6ccdf11c9383ca1d85f2a7353d5c52bebf867d6e155ff897f4702fc4da36a8f4cf76b00cb842152935e319a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3104_133636637756111176\win32api.pyd

Filesize
131KB

MD5
ec7c48ea92d9ff0c32c6d87ee8358bd0

SHA1
a67a417fdb36c84871d0e61bfb1015cb30c9898a

SHA256
a0f3cc0e98bea5a598e0d4367272e4c65bf446f21932dc2a051546b098d6ce62

SHA512
c06e3c0260b918509947a89518d55f0cb03cb19fc28d9e7ed9e3f837d71df31154f0093929446a93a7c7da1293ffd0cc69547e2540f15e3055fe1d12d837f935

Download Submit
memory/2596-187-0x00007FF7C3BF0000-0x00007FF7C48FF000-memory.dmp

Filesize
13.1MB

Download
memory/2596-151-0x00007FFF49840000-0x00007FFF49A95000-memory.dmp

Filesize
2.3MB

Download
memory/2596-145-0x00007FFF4AC80000-0x00007FFF4B14D000-memory.dmp

Filesize
4.8MB

Download
memory/2596-146-0x00007FFF4A730000-0x00007FFF4AC71000-memory.dmp

Filesize
5.3MB

Download
memory/2596-154-0x00007FFF495E0000-0x00007FFF49838000-memory.dmp

Filesize
2.3MB

Download
memory/3104-279-0x00007FF7129D0000-0x00007FF712A09000-memory.dmp

Filesize
228KB

Download