4da5c99755138be6f7f6080c93b8d9262120dfef363092edef5c11f90f9d06a0

Analysis

max time kernel
0s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OInstall.exe
Size

11.8MB
MD5

ed1210b3c515ccdc89c8c919ace0d5c7
SHA1

98ad0c0de859178532ace50c5a3219f7326074f8
SHA256

4da5c99755138be6f7f6080c93b8d9262120dfef363092edef5c11f90f9d06a0
SHA512

c65f72871d819c3d9ed8c429dde870e20a284bb958cb376d7535f4e4749122d274121f836543626bdfd7f9fce227161310ef61034fc9b3f9a0a0788b7071f663
SSDEEP

196608:MxvDEJlrJ/3FMC7ujFXIDelqWRlrZOn+F2lEORWONUzoUz1SmEB9CI4J1GvrzkdN:Ww/3FMRN6el9rInQsAkUz1HOkyki+oA

Score

10^/10

execution upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4992-0-0x0000000000400000-0x0000000001A99000-memory.dmp	upx
behavioral1/memory/4992-98-0x0000000000400000-0x0000000001A99000-memory.dmp	upx
behavioral1/memory/4992-99-0x0000000000400000-0x0000000001A99000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe
3412	powershell.exe
3520	powershell.exe
2724	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: 36	632	WMIC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1020	4992	OInstall.exe	80
PID 4992 wrote to memory of 1020	4992	OInstall.exe	80
PID 4992 wrote to memory of 3648	4992	OInstall.exe	82
PID 4992 wrote to memory of 3648	4992	OInstall.exe	82
PID 1020 wrote to memory of 632	1020	cmd.exe	84
PID 1020 wrote to memory of 632	1020	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:3648
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
  2⤵
  PID:2396
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    PID:1848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over661287\v32.cab') }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2464
- C:\Windows\SysWOW64\expand.exe
  "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over661287
  2⤵
  PID:4996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over661287\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over151891\v32.cab') }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3520
- C:\Windows\SysWOW64\expand.exe
  "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over151891
  2⤵
  PID:4584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over151891\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x304
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
30e8ba1602db76d0f37c9cf7119284c0

SHA1
a000179497a4713b63730b2f3b3b4f713cf71872

SHA256
b2b7f336154e49c0f8c949cef9d4d1082df69b8fc866c0b9cf313076df2945ac

SHA512
6cd87e739b07ed14dffe2088cffe136f8759ec6c8a0f78f8cc6efcb874214ccf3aed733fecd4289de295bcd02ff3394a738eb362dd59b34431063f1500e9dcd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0e88bbf0f8bb4ec582ede444d5d10707

SHA1
c8f9067f600c98155dc20f8eaf8dee9ff18a9460

SHA256
089522a34825a6c042bcc10bad1ce02ccbeb8efbfecbcc8b1da989c0e945abdc

SHA512
9d5a11e513e3ed9ac8a68a0431bcace10919f5832896662d219efd4d861bbfede408b4828eee4ec3360a4cfa0c9c00909d8cf2503475eda64097f9840143fdc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6cbaa35cb3218a0a4f5d862ab8ea5368

SHA1
41064a0ef94443c37a48bac0c5d988d529619d48

SHA256
a062d2ffa3f54f64fe69b0bd8cc9d3e63be87ed25ffe1b325a97b2efb2a24cf0

SHA512
beabaf4fa20aa3c7ff7c8482eb9f26c1360cf0b8457ef5d8294f06f69d274690e66934cd7f0b25e0ae9dcba9b5dfe04ff7d409e8964e8783ce0cbcdef4cf6a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5zfqvip.uuq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Local\Temp\over661287\VersionDescriptor.xml

Filesize
25KB

MD5
19347b0d1b44f5b65835f1da865ab687

SHA1
34accfd7ee8a89c7286c8b53f7c77ce2cdd401ca

SHA256
8db3b342d4695a4f21fe1b131294a804d5b8172302cf3eda403a12a7fd26d100

SHA512
7bd912715a38b52ae2458c702e433d47008046f6721bb39d725ca278aec3d7ba473b806b9c91f11862392f04364c6f4e2989abbc4d17161e5eb0a44af669490b

Download Submit
C:\Users\Admin\AppData\Local\Temp\over661287\v32.cab

Filesize
11KB

MD5
63b9e81e9f0a1f8df601002b1d915ab3

SHA1
6b3ec4d35c1aacddff4257f1a1d8f6351227ef05

SHA256
1f5568c93ddc0ee04b389f176c98901c1833b79eef849422a25c1fd5bdbfc656

SHA512
c2711053387e400ee2fae8adbc19ad7da5819b35f93f9a73fc2efb41e1ae9e7b309cddb5b199244d9f963609aff301c8d1bd588cd366ccf0f94fc5f3b0753cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\over661287\v32.txt

Filesize
25KB

MD5
aa3085bc6e889c0586734fe0940eb8dc

SHA1
90ae6e4bdec318ed23f5f0ffc92520e38c9d6ddd

SHA256
de6f85f178b7349df84345d800f6bbf04056f72cf5e3cdfc6e4ff7fa4f8a9565

SHA512
7e20976b8c09add27025a84b3539585b821fea5a299ae4634197f21f1d741e45b8cd6ab653cba6e4a0617528f7429a56ecc1ef15cf6025a7bd123ea05e3f964d

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
169KB

MD5
40cda64fb81512455678ceb7cca5773e

SHA1
14e338a74e3dbbd819b6038ef2b184e7cfef3be0

SHA256
139aa777b0c3b4fa747cf533a95ebdcf177241a00dd01ffeeaaa49948f88d567

SHA512
3bde81d48bdae205ca345f23fd94fc21c7c18b2c938d9d49bb242dfd6d6c859ea1cbf31f2abe74a3c539427527b95e89cf605abbc3822a2b50c52e015f415dbd

Download Submit
memory/2464-31-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/2464-21-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/2464-34-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/2464-33-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/2464-32-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2464-19-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/2464-18-0x0000000005580000-0x0000000005BA8000-memory.dmp

Filesize
6.2MB

Download
memory/2464-35-0x0000000006670000-0x000000000668A000-memory.dmp

Filesize
104KB

Download
memory/2464-20-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2464-17-0x0000000002820000-0x0000000002856000-memory.dmp

Filesize
216KB

Download
memory/2724-91-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/2724-93-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/3412-57-0x0000000007A30000-0x0000000007FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3412-55-0x00000000073E0000-0x0000000007476000-memory.dmp

Filesize
600KB

Download
memory/3412-56-0x0000000006720000-0x0000000006742000-memory.dmp

Filesize
136KB

Download
memory/3520-73-0x00000000060F0000-0x000000000613C000-memory.dmp

Filesize
304KB

Download
memory/3520-71-0x00000000059C0000-0x0000000005D14000-memory.dmp

Filesize
3.3MB

Download
memory/4992-0-0x0000000000400000-0x0000000001A99000-memory.dmp

Filesize
22.6MB

Download
memory/4992-98-0x0000000000400000-0x0000000001A99000-memory.dmp

Filesize
22.6MB

Download
memory/4992-99-0x0000000000400000-0x0000000001A99000-memory.dmp

Filesize
22.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads