oblique | 438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b

General

Target

438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
Size

5.3MB
MD5

fe76cfda06a226938e182b058877011a
SHA1

ac0c8fb27ea00530d95d00809756d9a71c6b137a
SHA256

438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b
SHA512

08a434d0b6802c80119f3a380975194cfc75ccd056bf42e353cfd4c381c2e628b52ab3d1f45051964945f8db1411f11437f460ed2c328a19643d6aa2027dacde

Score

10^/10

oblique trojan

Malware Config

Signatures

ObliqueRAT
Remote Access Trojan discovered in early 2020.
trojan oblique

Executes dropped EXE 3 IoCs

pid	Process
2532	frame.exe
3752	lphsi.exe
4040	hrss.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\script.lnk	hrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3028	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3640	AUDIODG.EXE
Token: 33	3028	vlc.exe
Token: SeIncBasePriorityPrivilege	3028	vlc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe
3028	vlc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2532	2544	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	75
PID 2544 wrote to memory of 2532	2544	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	75
PID 2544 wrote to memory of 2532	2544	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	75
PID 2544 wrote to memory of 3028	2544	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	76
PID 2544 wrote to memory of 3028	2544	438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe	76
PID 2532 wrote to memory of 3752	2532	frame.exe	77
PID 2532 wrote to memory of 3752	2532	frame.exe	77
PID 2532 wrote to memory of 3752	2532	frame.exe	77
PID 2532 wrote to memory of 4040	2532	frame.exe	78
PID 2532 wrote to memory of 4040	2532	frame.exe	78
PID 2532 wrote to memory of 4040	2532	frame.exe	78

C:\Users\Admin\AppData\Local\Temp\438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
"C:\Users\Admin\AppData\Local\Temp\438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Public\Video\frame.exe
  "C:\Users\Public\Video\frame.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Public\Video\lphsi.exe
    "C:\Users\Public\Video\lphsi.exe"
    3⤵
    - Executes dropped EXE
    PID:3752
- - C:\Users\Public\Video\hrss.exe
    "C:\Users\Public\Video\hrss.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    PID:4040
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x214
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads