Analysis
max time kernel: 53s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18-11-2024 12:35
Behavioral task: behavioral1
Sample: Oxyco Android Pro v3.7z
Resource: win11-20241007-en
General
Target: Oxyco Android Pro v3.7z
Size: 286.1MB
MD5: a22ebd0656a69f8f0af515f14978430d
SHA1: e9f3872b0e4dff831271b48226540591c4f68ec0
SHA256: b3538788fecaadd5ef4f8a367f8f62827eb3078ac3e49bdcf28ef84d0265a80e
SHA512: 2c85e220952ff5403d830aea39b72ee184c75198a6494fdd6b9a3488c7dfa6c80c432f1a32c91485cda915396c8de4de0db1c2054c27e548311a2d83750fd1e6
SSDEEP: 6291456:bwhTK6UJKRlMgnA+E1IVDqxkhjKp0SfTmLwgMhFt1:sTGJKRPA+E1+thjISUh1
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
3412  Oxyco Rat V3.exe
3508  Oxyco Rat V3.exe
684   Oxyco Rat V3.exe
4816  Oxyco Rat V3.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
2536  3508        WerFault.exe  83
3724  4816        WerFault.exe  89
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Oxyco Rat V3.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Oxyco Rat V3.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1512  7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   1512  7zFM.exe
Token: 35                   1512  7zFM.exe
Token: SeSecurityPrivilege  1512  7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
1512  7zFM.exe
1512  7zFM.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid   Process           procid_target
PID 3412 wrote to memory of 3508  3412  Oxyco Rat V3.exe  83
PID 3412 wrote to memory of 3508  3412  Oxyco Rat V3.exe  83
PID 3412 wrote to memory of 3508  3412  Oxyco Rat V3.exe  83
PID 684 wrote to memory of 4816   684   Oxyco Rat V3.exe  89
PID 684 wrote to memory of 4816   684   Oxyco Rat V3.exe  89
PID 684 wrote to memory of 4816   684   Oxyco Rat V3.exe  89
Processes (indentation shows parent/child depth)

C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Oxyco Android Pro v3.7z"
  PID: 1512
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4308

C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe
  Command line: "C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe"
  PID: 3412
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe
      Command line: "C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe"
      PID: 3508
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 812
          PID: 2536
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3508 -ip 3508
  PID: 3112

C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe
  Command line: "C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe"
  PID: 684
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe
      Command line: "C:\Users\Admin\Desktop\Oxyco Android Pro v3\Oxyco Rat V3.exe"
      PID: 4816
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 748
          PID: 3724
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4816 -ip 4816
  PID: 808
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 654B
MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9