oblique | 438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
14-05-2021 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
Size

5.3MB
MD5

fe76cfda06a226938e182b058877011a
SHA1

ac0c8fb27ea00530d95d00809756d9a71c6b137a
SHA256

438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b
SHA512

08a434d0b6802c80119f3a380975194cfc75ccd056bf42e353cfd4c381c2e628b52ab3d1f45051964945f8db1411f11437f460ed2c328a19643d6aa2027dacde

Score

10^/10

oblique trojan

Malware Config

Signatures

ObliqueRAT
Remote Access Trojan discovered in early 2020.
trojan oblique
Executes dropped EXE 3 IoCs

Processes:

frame.exelphsi.exehrss.exe

pid process

1432 frame.exe
1744 lphsi.exe
1724 hrss.exe
Drops startup file 1 IoCs

Processes:

hrss.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\script.lnk hrss.exe
Loads dropped DLL 4 IoCs

Processes:

438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exeframe.exehrss.exe

pid process

452 438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
1432 frame.exe
1432 frame.exe
1724 hrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1756 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1756 vlc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vlc.exe

description pid process

Token: 33 1756 vlc.exe
Token: SeIncBasePriorityPrivilege 1756 vlc.exe

pid	process
1432	frame.exe
1744	lphsi.exe
1724	hrss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\script.lnk	hrss.exe

pid	process
452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
1432	frame.exe
1432	frame.exe
1724	hrss.exe

description	pid	process
Token: 33	1756	vlc.exe
Token: SeIncBasePriorityPrivilege	1756	vlc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

vlc.exe

pid	process
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid process

1756 vlc.exe
1756 vlc.exe
1756 vlc.exe
1756 vlc.exe
1756 vlc.exe
1756 vlc.exe
1756 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1756 vlc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exeframe.exe

description	pid	process	target process
PID 452 wrote to memory of 1432	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	frame.exe
PID 452 wrote to memory of 1432	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	frame.exe
PID 452 wrote to memory of 1432	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	frame.exe
PID 452 wrote to memory of 1432	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	frame.exe
PID 452 wrote to memory of 1756	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	vlc.exe
PID 452 wrote to memory of 1756	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	vlc.exe
PID 452 wrote to memory of 1756	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	vlc.exe
PID 452 wrote to memory of 1756	452	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	vlc.exe
PID 1432 wrote to memory of 1744	1432	frame.exe	lphsi.exe
PID 1432 wrote to memory of 1744	1432	frame.exe	lphsi.exe
PID 1432 wrote to memory of 1744	1432	frame.exe	lphsi.exe
PID 1432 wrote to memory of 1744	1432	frame.exe	lphsi.exe
PID 1432 wrote to memory of 1724	1432	frame.exe	hrss.exe
PID 1432 wrote to memory of 1724	1432	frame.exe	hrss.exe
PID 1432 wrote to memory of 1724	1432	frame.exe	hrss.exe
PID 1432 wrote to memory of 1724	1432	frame.exe	hrss.exe

C:\Users\Admin\AppData\Local\Temp\438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
"C:\Users\Admin\AppData\Local\Temp\438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Public\Video\frame.exe
  "C:\Users\Public\Video\frame.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Public\Video\lphsi.exe
    "C:\Users\Public\Video\lphsi.exe"
    3⤵
    - Executes dropped EXE
    PID:1744
- - C:\Users\Public\Video\hrss.exe
    "C:\Users\Public\Video\hrss.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    PID:1724
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Video\frame.exe

MD5
2d411dc28a5faeb5893d7769b7c3b8a4

SHA1
1db46d9a9e27146ca12dcc9caff51ede700cf026

SHA256
b218fb4573b6c8fff51870de463a793238a4f317ce9abdcf8352954f92328eac

SHA512
5aab004d78dc87528f8965426d446dde68f8c8ff4a34cfecf1b69ade65b625f15d34fccbf4629ff42e49410379bd447eaa4f2339f11483d950e174a7d5aa8804

Download Submit
C:\Users\Public\Video\frame.exe

MD5
2d411dc28a5faeb5893d7769b7c3b8a4

SHA1
1db46d9a9e27146ca12dcc9caff51ede700cf026

SHA256
b218fb4573b6c8fff51870de463a793238a4f317ce9abdcf8352954f92328eac

SHA512
5aab004d78dc87528f8965426d446dde68f8c8ff4a34cfecf1b69ade65b625f15d34fccbf4629ff42e49410379bd447eaa4f2339f11483d950e174a7d5aa8804

Download Submit
C:\Users\Public\Video\hrss.exe

MD5
747d4870a9e1504b1f802fce83704bb1

SHA1
cb5b1fb54a6f1081d985dc44462983e31778d9d5

SHA256
3a04dd93ec9da19781ba97412b466452a9682a390f2cf4426f722e424465fb19

SHA512
03adf5635828256581a4ec708c3734eebd11e603f9a4e3bd6a3149fcf525a85bf45ad4b880b0de37b9658794c88ad3cd6f9a4a43e4f6ad4bd01110d72a502a12

Download Submit
C:\Users\Public\Video\lphsi.exe

MD5
0bafccfaec9c7d45ce491e4b0ddc1bdf

SHA1
f0fa26da45d04ca36e9eb0acbc2d8ddce881e096

SHA256
9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c

SHA512
c32b734420be1ee3a54dfea117f2fb14353fbd39831d8bbe8a4515c983f0781c38d4bcc8a6c5fd0785693fa3a16add499387bd8add21f706c9927d537e38184e

Download Submit
C:\Users\Public\Video\lphsi.exe

MD5
0bafccfaec9c7d45ce491e4b0ddc1bdf

SHA1
f0fa26da45d04ca36e9eb0acbc2d8ddce881e096

SHA256
9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c

SHA512
c32b734420be1ee3a54dfea117f2fb14353fbd39831d8bbe8a4515c983f0781c38d4bcc8a6c5fd0785693fa3a16add499387bd8add21f706c9927d537e38184e

Download Submit
C:\Users\Public\Video\movie.mp4

MD5
6db2f5ec1a147474049457da8a8b4e19

SHA1
2c27ea1a99da4d75e56bb1db0ba4476ef024db90

SHA256
f2f673e454a9b91653b4c0dbaa12bafaef2151013dc78c9235339c4ca03c48e3

SHA512
fc8eb7937940c08551b120408ce4920de5aa4aee3f53aab7e16328d4572c1dc5397fbd8f1b5f185f32b0addf31a35272ec8bf390725b566427eff2f801eb27d8

Download Submit
\Users\Public\Video\frame.exe

MD5
2d411dc28a5faeb5893d7769b7c3b8a4

SHA1
1db46d9a9e27146ca12dcc9caff51ede700cf026

SHA256
b218fb4573b6c8fff51870de463a793238a4f317ce9abdcf8352954f92328eac

SHA512
5aab004d78dc87528f8965426d446dde68f8c8ff4a34cfecf1b69ade65b625f15d34fccbf4629ff42e49410379bd447eaa4f2339f11483d950e174a7d5aa8804

Download Submit
\Users\Public\Video\hrss.exe

MD5
747d4870a9e1504b1f802fce83704bb1

SHA1
cb5b1fb54a6f1081d985dc44462983e31778d9d5

SHA256
3a04dd93ec9da19781ba97412b466452a9682a390f2cf4426f722e424465fb19

SHA512
03adf5635828256581a4ec708c3734eebd11e603f9a4e3bd6a3149fcf525a85bf45ad4b880b0de37b9658794c88ad3cd6f9a4a43e4f6ad4bd01110d72a502a12

Download Submit
\Users\Public\Video\lphsi.exe

MD5
0bafccfaec9c7d45ce491e4b0ddc1bdf

SHA1
f0fa26da45d04ca36e9eb0acbc2d8ddce881e096

SHA256
9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c

SHA512
c32b734420be1ee3a54dfea117f2fb14353fbd39831d8bbe8a4515c983f0781c38d4bcc8a6c5fd0785693fa3a16add499387bd8add21f706c9927d537e38184e

Download Submit
\Users\Public\Video\lphsi.exe

MD5
0bafccfaec9c7d45ce491e4b0ddc1bdf

SHA1
f0fa26da45d04ca36e9eb0acbc2d8ddce881e096

SHA256
9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c

SHA512
c32b734420be1ee3a54dfea117f2fb14353fbd39831d8bbe8a4515c983f0781c38d4bcc8a6c5fd0785693fa3a16add499387bd8add21f706c9927d537e38184e

Download Submit
memory/452-59-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1432-61-0x0000000000000000-mapping.dmp

Download
memory/1724-70-0x0000000000000000-mapping.dmp

Download
memory/1744-67-0x0000000000000000-mapping.dmp

Download
memory/1756-65-0x0000000000000000-mapping.dmp

Download