74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
Size

143KB
MD5

0429a939d7c18f883e022eef20f5b6c0
SHA1

ef7872a2552a99c15daa7fe97c67254dbd6a96b6
SHA256

74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e
SHA512

87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb
SSDEEP

1536:rB9HGSE2f9sUo2Fjrt4doHaWo25d5VpMaRczrHzv5k3AhB/uMXsy07vP1txk1ph4:fGb2XFjrdFoqcnHzSAhZXsy61txk1zY

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1180	orau.exe

Loads dropped DLL 2 IoCs

pid	Process
1816	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
1816	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	orau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	orau.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1180	1816	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	28
PID 1816 wrote to memory of 1180	1816	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	28
PID 1816 wrote to memory of 1180	1816	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	28
PID 1816 wrote to memory of 1180	1816	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	28

C:\Users\Admin\AppData\Local\Temp\74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
"C:\Users\Admin\AppData\Local\Temp\74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\orau.exe
  C:\Users\Admin\AppData\Roaming\orau.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c6b7156e6216e490406f4c058d2b1fe9

SHA1
67180a162c2eced036abeca7f51e39bfab677423

SHA256
5651aa374d3b362af44e039c7294593a98f43e2a50ef46879a4a46003635d1d9

SHA512
12e7a8370697cfbccb396cb96fcd9bc3220d95ef3967521c43547838de6616e51d82405abd213cfd98aa368c9c645526dd59928f48da46e7b3da02b079f39b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
d120db8802fc00c7f42b6d678fb24fad

SHA1
1cd299880fe709e6956aa6b98662d3ca0e905605

SHA256
431e34c1872951da2075895d821b84411e5133a96bb4e39c010f7d9a865d53a8

SHA512
08c0e7bcbddd3a92a190ab2c45bd9a1db1ab1d83bdd3133b215c585adb265d1d0767929ea0435a3ed59bd8ec149801c5881f94e106c4bd1d22b03c55f9685de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
c6b5bb873620e5a6c54f1679c46ee8bf

SHA1
73ed92f2abbe2b3397d6dd8d66df0a4539129c30

SHA256
74690102197e15b20c92c179224a36cf3fa40ec3f7dcb6744f3a04a1de0efe26

SHA512
f89dbb3e0a6e22943dade7bf6a3668f1ba247af7a670f3503ea4431c52819373236eb9458eb128869408430e4fb1e2e8637e25e9a382a396a7fcf8913d5e21d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6529a638e5ce53c76edac77c95c4f7aa

SHA1
327cf2dc9436dd6645e2deb4af4141b6451f6103

SHA256
899aa6c0af19864f2908562ce723d351088119774ae31e2a54d2334e5dc5e12f

SHA512
b6e8b92e85b5b796f63971ac1cfc4dda827ed11916dbcebf18c7257417bb6ba26b7c502896d4a130fe8aeb0dc6c78d05ede3bc042ce101ea4471c6d6b7758325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
58a2820772b2b881db989b1453303455

SHA1
1e4b441737bd156e01008cdd41e42b18d6ea8b5b

SHA256
98d5bd3fbac37f0a9a02be6522526bfe1874af25990cab4e35bab44b45d98934

SHA512
d1e3018a0cc5031765602341db26db9e8beb6a1822c8d58be290b6ae0aaae3035690180976e074563e090205fcff8973c805f63a82523214a8296444c8f99d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\domain_profile[1].htm

Filesize
41KB

MD5
5ee8836a37e4b4c659023cf01924f949

SHA1
9e33ed2d297b4eb302645a285b049107e3b837c2

SHA256
3f6ca43fc6f5d0086cbac0b98e1942b33a040a3f17d903dc173d82c10549dec0

SHA512
400d147790b068f1f8edaf68487e55bb93c834bea90ae7a24999452018040fce702108c1fc5c392c8cb7e255042d1d5e9adf6e7caf5c9fa0c3ffa3d88265b06f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZE2RF4R2.txt

Filesize
175B

MD5
d54063ff5a18a595422c6b18180404b9

SHA1
14bd8251a008aac7744f0304c00288d17e41632e

SHA256
e6645cf29693dfceb0653b6f27cd11f2de73e402610a1147a085398bbef036b6

SHA512
27f89cfe4e131ecdf89fd88a1b32ca7e61c0e2dfa88095d759b5bcfe7e3518c29d2a2fdef6d5c053a3343961365216642766012e7eca637c0123f93cea56de37

Download Submit
C:\Users\Admin\AppData\Roaming\orau.exe

Filesize
143KB

MD5
0429a939d7c18f883e022eef20f5b6c0

SHA1
ef7872a2552a99c15daa7fe97c67254dbd6a96b6

SHA256
74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

SHA512
87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb

Download Submit
C:\Users\Admin\AppData\Roaming\orau.exe

Filesize
143KB

MD5
0429a939d7c18f883e022eef20f5b6c0

SHA1
ef7872a2552a99c15daa7fe97c67254dbd6a96b6

SHA256
74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

SHA512
87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb

Download Submit
\Users\Admin\AppData\Roaming\orau.exe

Filesize
143KB

MD5
0429a939d7c18f883e022eef20f5b6c0

SHA1
ef7872a2552a99c15daa7fe97c67254dbd6a96b6

SHA256
74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

SHA512
87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb

Download Submit
\Users\Admin\AppData\Roaming\orau.exe

Filesize
143KB

MD5
0429a939d7c18f883e022eef20f5b6c0

SHA1
ef7872a2552a99c15daa7fe97c67254dbd6a96b6

SHA256
74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

SHA512
87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb

Download Submit
memory/1180-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1816-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1816-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download