418e52c649bb3c98b150c91a38153baa70c775e82212dcb11b1b479d27056266

Analysis

max time kernel
112s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2022, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sotfware.exe
Size

4.8MB
MD5

e7cff4687088a6622af7567c8e4f7fc3
SHA1

e693f7f449bd008d76e1afac261cff929156efc6
SHA256

418e52c649bb3c98b150c91a38153baa70c775e82212dcb11b1b479d27056266
SHA512

ad5bbc6557d07fd110715e17ebf4f63ae3a36e5cf88cd7ad2fd27094964382fc487693bfd25aed58818ef1d2487aa87cdb5cb055200e1da69f55a69bb65891a7
SSDEEP

49152:CfQqO8QHKL7zeXfM6CvifgaAwS0ct1CPwDv3uF/XjxBZdKdaRH7wW7Z0:Na7zevblfgaAQo1CPwDv3uF/XmgRt0

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4264	OculusSetup.exe

Loads dropped DLL 2 IoCs

pid	Process
4264	OculusSetup.exe
4264	OculusSetup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	OculusSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OculusSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	OculusSetup.exe
Token: SeDebugPrivilege	4876	taskmgr.exe
Token: SeSystemProfilePrivilege	4876	taskmgr.exe
Token: SeCreateGlobalPrivilege	4876	taskmgr.exe
Token: 33	4876	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4876	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4264	4928	Sotfware.exe	83
PID 4928 wrote to memory of 4264	4928	Sotfware.exe	83
PID 4928 wrote to memory of 4264	4928	Sotfware.exe	83

C:\Users\Admin\AppData\Local\Temp\Sotfware.exe
"C:\Users\Admin\AppData\Local\Temp\Sotfware.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\OculusSetup-c983728b-f740-4815-9fc5-4c4d3c8b76f5\OculusSetup.exe
  C:\Users\Admin\AppData\Local\Temp\\OculusSetup-c983728b-f740-4815-9fc5-4c4d3c8b76f5\OculusSetup.exe --setupPath "C:\Users\Admin\AppData\Local\Temp\Sotfware.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OculusSetup-c983728b-f740-4815-9fc5-4c4d3c8b76f5\OculusSetup.exe

Filesize
4.4MB

MD5
081c2fe6ee93a8809085576e169ea9f0

SHA1
84acb16818ea446dd9a5f7cbbbc614fc69cca19f

SHA256
335b798c1782f548ea9edaefee1f8b4cc002aab7344f8f45404b88529b6fd750

SHA512
1f6b6909706474569d029a4bc8cbd492becd64566b64ce7e6aeb91e66cb000397aff771f580b91d31fab0e4c9775f7fe69217abd077fe669a0b3f14eda2309a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OculusSetup-c983728b-f740-4815-9fc5-4c4d3c8b76f5\OculusSetup.exe

Filesize
4.4MB

MD5
081c2fe6ee93a8809085576e169ea9f0

SHA1
84acb16818ea446dd9a5f7cbbbc614fc69cca19f

SHA256
335b798c1782f548ea9edaefee1f8b4cc002aab7344f8f45404b88529b6fd750

SHA512
1f6b6909706474569d029a4bc8cbd492becd64566b64ce7e6aeb91e66cb000397aff771f580b91d31fab0e4c9775f7fe69217abd077fe669a0b3f14eda2309a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OculusSetup-f2a2e83b-844f-4109-9156-42086323eb23\DaybreakNative.dll

Filesize
91KB

MD5
7384b4d44fd6ab9bc7b3f7140ff2fe8f

SHA1
a4d8b5f7a1796e0d1435b4ec8cc4961623e41431

SHA256
840d9f8602f2e370ef9ef99249e79755bba6bc9bc10c74d34df5e34899f10239

SHA512
05296f161d7e37738bf77e2afa4e76c70ab024a56b4d9b9a77811f32e87695177235ca31ed8f9ffbafb4ff65c3b966ca15304447b80ddcf2577cf2e3d44656e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OculusSetup-f2a2e83b-844f-4109-9156-42086323eb23\libcrypto.dll

Filesize
1.6MB

MD5
5e346d3611a909c930c81a1b852c7d17

SHA1
0dee1db6b73353796690d7bdb2caf0f49b60f71d

SHA256
ad2698aa52e4ecfde9faae4793e871e9db4c4d5c927b0ac44ff2067a2ea491e1

SHA512
2f25807a1220de2ef0cbbee5ce6b251d2a81e9a60e1ba29cf3cc72a518c605fed80a86e7c661a25023eb370e1827fb74dd024db62485380a0f3f98287337e934

Download Submit
memory/4264-144-0x0000000009830000-0x00000000098C2000-memory.dmp

Filesize
584KB

Download
memory/4264-147-0x0000000009800000-0x0000000009808000-memory.dmp

Filesize
32KB

Download
memory/4264-138-0x0000000006830000-0x000000000687A000-memory.dmp

Filesize
296KB

Download
memory/4264-139-0x00000000068F0000-0x0000000006956000-memory.dmp

Filesize
408KB

Download
memory/4264-140-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/4264-141-0x0000000007C20000-0x0000000007C32000-memory.dmp

Filesize
72KB

Download
memory/4264-136-0x0000000006340000-0x0000000006502000-memory.dmp

Filesize
1.8MB

Download
memory/4264-143-0x0000000007E30000-0x0000000007E96000-memory.dmp

Filesize
408KB

Download
memory/4264-135-0x0000000000DE0000-0x0000000001246000-memory.dmp

Filesize
4.4MB

Download
memory/4264-146-0x00000000099B0000-0x0000000009A84000-memory.dmp

Filesize
848KB

Download
memory/4264-137-0x0000000006A40000-0x0000000006F6C000-memory.dmp

Filesize
5.2MB

Download
memory/4264-148-0x000000000C7C0000-0x000000000C7F8000-memory.dmp

Filesize
224KB

Download
memory/4264-149-0x00000000099A0000-0x00000000099AE000-memory.dmp

Filesize
56KB

Download
memory/4264-150-0x000000000F070000-0x000000000F0E6000-memory.dmp

Filesize
472KB

Download
memory/4264-151-0x000000000BAB0000-0x000000000BACE000-memory.dmp

Filesize
120KB

Download
memory/4264-152-0x0000000005BDA000-0x0000000005BDF000-memory.dmp

Filesize
20KB

Download
memory/4264-153-0x0000000010080000-0x0000000010084000-memory.dmp

Filesize
16KB

Download
memory/4264-154-0x0000000005BDA000-0x0000000005BDF000-memory.dmp

Filesize
20KB

Download
memory/4264-155-0x0000000010080000-0x0000000010084000-memory.dmp

Filesize
16KB

Download
memory/4264-156-0x0000000005BDA000-0x0000000005BDF000-memory.dmp

Filesize
20KB

Download
memory/4264-157-0x0000000010080000-0x0000000010084000-memory.dmp

Filesize
16KB

Download