Analysis Report OII9x4FeW7.exe

Overview

General Information

Sample Name:	OII9x4FeW7.exe
Analysis ID:	356280
MD5:	ff7d3b6003c9058e40ae38a6a7efe40c
SHA1:	842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
SHA256:	c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Tags:	exeYoungLotus
Most interesting Screenshot:

Detection

Mimikatz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mimikatz

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample is not signed and drops a device driver

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables driver privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Spawns drivers

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: OII9x4FeW7.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\System32\drivers\QAssist.sys	Avira: detection malicious, Label: RKIT/Agent.ccibt
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\System32\drivers\QAssist.sys	ReversingLabs: Detection: 46%

Multi AV Scanner detection for submitted file

Source: OII9x4FeW7.exe	Virustotal: Detection: 73%			Perma Link
Source: OII9x4FeW7.exe	ReversingLabs: Detection: 76%

Machine Learning detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OII9x4FeW7.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: OII9x4FeW7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Binary contains paths to debug symbols

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp

Networking:

Uses ping.exe to check the status of other devices and networks

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 58.218.67.253:281

Source: unknown

DNS traffic detected: queries for: s2010218.f3322.net

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: http://qun.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

System Summary:

Malicious sample detected (through community Yara rule)

Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth

Creates driver files

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Creates files inside the system directory

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Windows\System32\drivers\QAssist.sys 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B

Enables driver privileges

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Process token adjusted: Load Driver

Jump to behavior

PE file contains strange resources

Source: OII9x4FeW7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OII9x4FeW7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ogxog.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ogxog.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs OII9x4FeW7.exe
Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OII9x4FeW7.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247283379.0000000002500000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs OII9x4FeW7.exe

Spawns drivers

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\QAssist

Jump to behavior

Uses 32bit PE files

Source: OII9x4FeW7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: QAssist.sys.2.dr	Binary string: \Device\QAssist\DosDevices\QAssist
Source: QAssist.sys.2.dr	Binary string: \Device\

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@8/4@3/2

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\87S2tba0tb7QCLOztLTQEAn6pg==
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: OII9x4FeW7.exe	Virustotal: Detection: 73%
Source: OII9x4FeW7.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File read: C:\Users\user\Desktop\OII9x4FeW7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OII9x4FeW7.exe 'C:\Users\user\Desktop\OII9x4FeW7.exe'
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0045F704

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .data

PE file contains an invalid checksum

Source: Ogxog.exe.1.dr	Static PE information: real checksum: 0x6fb56 should be: 0x66380
Source: OII9x4FeW7.exe	Static PE information: real checksum: 0x6fb56 should be: 0x66380

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Code function: 1_2_0045E860 push eax; ret		1_2_0045E88E
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Code function: 2_2_0045E860 push eax; ret		2_2_0045E88E

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe			Jump to dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File created: C:\Windows\System32\drivers\QAssist.sys			Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\System32\drivers\QAssist.sys

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA

Jump to behavior

Creates or modifies windows services

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1			Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Window / User API: threadDelayed 509			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Window / User API: threadDelayed 407			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\QAssist.sys

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep count: 509 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep time: -30540000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6192	Thread sleep count: 407 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Last function: Thread delayed
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0045F704

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndProgman%s.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilegeCreateEventACloseHandleWaitForSingleObject

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045C790 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

1_2_0045C790

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: acs.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: vsserv.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avcenter.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: kxetray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: cfp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: KSafeTray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: rtvscan.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: 360tray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: ashDisp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: TMBMSRV.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avgwdsvc.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: AYAgent.aye
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: RavMonD.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Mcshield.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information:

Yara detected Mimikatz

Source: Yara match	File source: 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OII9x4FeW7.exe PID: 3604, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ogxog.exe PID: 6188, type: MEMORY
Source: Yara match	File source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
58.218.67.253	unknown	China		134769	CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
s2010218.f3322.net	58.218.67.253	true

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: OII9x4FeW7.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\System32\drivers\QAssist.sys	Avira: detection malicious, Label: RKIT/Agent.ccibt
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\System32\drivers\QAssist.sys	ReversingLabs: Detection: 46%

Multi AV Scanner detection for submitted file

Source: OII9x4FeW7.exe	Virustotal: Detection: 73%			Perma Link
Source: OII9x4FeW7.exe	ReversingLabs: Detection: 76%

Machine Learning detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OII9x4FeW7.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: OII9x4FeW7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Binary contains paths to debug symbols

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp

Networking:

Uses ping.exe to check the status of other devices and networks

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 58.218.67.253:281

Source: unknown

DNS traffic detected: queries for: s2010218.f3322.net

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: http://ptlogin2.qun.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: http://qun.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://ssl.ptlogin2.qq.com%s
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

System Summary:

Malicious sample detected (through community Yara rule)

Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth

Creates driver files

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Creates files inside the system directory

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Windows\System32\drivers\QAssist.sys 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B

Enables driver privileges

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Process token adjusted: Load Driver

Jump to behavior

PE file contains strange resources

Source: OII9x4FeW7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OII9x4FeW7.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ogxog.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ogxog.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs OII9x4FeW7.exe
Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OII9x4FeW7.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247283379.0000000002500000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs OII9x4FeW7.exe

Spawns drivers

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\QAssist

Jump to behavior

Uses 32bit PE files

Source: OII9x4FeW7.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: QAssist.sys.2.dr	Binary string: \Device\QAssist\DosDevices\QAssist
Source: QAssist.sys.2.dr	Binary string: \Device\

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@8/4@3/2

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\87S2tba0tb7QCLOztLTQEAn6pg==
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: OII9x4FeW7.exe	Virustotal: Detection: 73%
Source: OII9x4FeW7.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File read: C:\Users\user\Desktop\OII9x4FeW7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OII9x4FeW7.exe 'C:\Users\user\Desktop\OII9x4FeW7.exe'
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr
Source:	Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0045F704

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .data

PE file contains an invalid checksum

Source: Ogxog.exe.1.dr	Static PE information: real checksum: 0x6fb56 should be: 0x66380
Source: OII9x4FeW7.exe	Static PE information: real checksum: 0x6fb56 should be: 0x66380

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Code function: 1_2_0045E860 push eax; ret		1_2_0045E88E
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Code function: 2_2_0045E860 push eax; ret		2_2_0045E88E

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\system32\drivers\QAssist.sys

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe			Jump to dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	File created: C:\Windows\System32\drivers\QAssist.sys			Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

File created: C:\Windows\System32\drivers\QAssist.sys

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA

Jump to behavior

Creates or modifies windows services

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1			Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Window / User API: threadDelayed 509			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Window / User API: threadDelayed 407			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\QAssist.sys

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep count: 509 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep time: -30540000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6192	Thread sleep count: 407 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Last function: Thread delayed
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0045F704

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe'	Jump to behavior
Source: C:\Users\user\Desktop\OII9x4FeW7.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1	Jump to behavior

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndProgman%s.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilegeCreateEventACloseHandleWaitForSingleObject

Source: C:\Users\user\Desktop\OII9x4FeW7.exe

Code function: 1_2_0045C790 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

1_2_0045C790

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: acs.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: vsserv.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avcenter.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: kxetray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: cfp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: KSafeTray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: rtvscan.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: 360tray.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: ashDisp.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: TMBMSRV.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: avgwdsvc.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: AYAgent.aye
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: RavMonD.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: Mcshield.exe
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information:

Yara detected Mimikatz

Source: Yara match	File source: 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OII9x4FeW7.exe PID: 3604, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ogxog.exe PID: 6188, type: MEMORY
Source: Yara match	File source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE

ID:	356280
Product:	CloudBasic
Start time:	20:41:01
Start date:	22.02.2021
Sample:	OII9x4FeW7.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ff7d3b6003c9058e40ae38a6a7efe40c
SHA1:	842bbfb81f4a65112bc2d8e4aff8b976e5db9a55
SHA256:	c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe	PE32 executable (GUI) Intel 80386, for MS Windows	FF7D3B6003C9058E40AE38A6A7EFE40C	842BBFB81F4A65112BC2D8E4AFF8B976E5DB9A55	C3304EC52968793AE709CF7C7CAAD6ACAE0BDED8088F06CEFBEE55BDE0A9224F
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\System32\drivers\QAssist.sys	PE32+ executable (native) x86-64, for MS Windows	4E34C068E764AD0FF0CB58BC4F143197	1A392A469FC8C65D80055C1A7AAEE27BF5EBE7C4	6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B
\Device\Null	ASCII text, with CRLF line terminators	2E512EE24AAB186D09E9A1F9B72A0569	C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B	DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F

Analysis Report OII9x4FeW7.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains