Overview

overview

10

Static

static

0283c0f023...5e.exe

windows7_x64

10

0283c0f023...5e.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    28-08-2020 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe

  • Size

    5.4MB

  • MD5

    d7d6889bfa96724f7b3f951bc06e8c02

  • SHA1

    a897f6fb6fff70c71b224caea80846bcd264cf1e

  • SHA256

    0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e

  • SHA512

    0aabb090791d8b7c5af273793d61bc7ef164343d027e12b58faec66dbdddb724f58b267a423088ce06c52420af80ffe276b448cd3844fee4f929a98b0f64ae75

Score
10/10
spywarepersistencetrojanoblique

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • ObliqueRAT

    Remote Access Trojan discovered in early 2020.

    trojanoblique
  • Executes dropped EXE 7 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • JavaScript code in executable 5 IoCs
  • Drops file in Program Files directory 121 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe
    "C:\Users\Admin\AppData\Local\Temp\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Public\Video\frame.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Users\Public\Video\frame.exe
          C:\Users\Public\Video\frame.exe
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3864
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Public\Video\lphsi.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Users\Public\Video\lphsi.exe
              C:\Users\Public\Video\lphsi.exe
              6⤵
              • Executes dropped EXE
              PID:3964
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Public\Video\hrss.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Users\Public\Video\hrss.exe
              C:\Users\Public\Video\hrss.exe
              6⤵
              • Executes dropped EXE
              • Drops startup file
              PID:3720
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3852
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1640
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x404
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:208

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads