Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows7_x64 -
resource
win7 -
submitted
28-08-2020 12:51
General
-
Target
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe
-
Size
5.4MB
-
MD5
d7d6889bfa96724f7b3f951bc06e8c02
-
SHA1
a897f6fb6fff70c71b224caea80846bcd264cf1e
-
SHA256
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
-
SHA512
0aabb090791d8b7c5af273793d61bc7ef164343d027e12b58faec66dbdddb724f58b267a423088ce06c52420af80ffe276b448cd3844fee4f929a98b0f64ae75
Score
10/10
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
ObliqueRAT
Remote Access Trojan discovered in early 2020.
-
Executes dropped EXE 7 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
JavaScript code in executable 8 IoCs
-
Drops file in Program Files directory 91 IoCs
-
Drops file in Windows directory 7 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe"C:\Users\Admin\AppData\Local\Temp\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Public\Video\frame.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Video\frame.exeC:\Users\Public\Video\frame.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Public\Video\lphsi.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Video\lphsi.exeC:\Users\Public\Video\lphsi.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Public\Video\hrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Video\hrss.exeC:\Users\Public\Video\hrss.exe6⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
-
-
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
2.5MB
-
-
-
-
-
-
-
-