74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

General

Target

74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
Size

143KB
MD5

0429a939d7c18f883e022eef20f5b6c0
SHA1

ef7872a2552a99c15daa7fe97c67254dbd6a96b6
SHA256

74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e
SHA512

87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb
SSDEEP

1536:rB9HGSE2f9sUo2Fjrt4doHaWo25d5VpMaRczrHzv5k3AhB/uMXsy07vP1txk1ph4:fGb2XFjrdFoqcnHzSAhZXsy61txk1zY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3688	orau.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	orau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	orau.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe"	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 3688	2796	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	81
PID 2796 wrote to memory of 3688	2796	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	81
PID 2796 wrote to memory of 3688	2796	74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe	81

C:\Users\Admin\AppData\Local\Temp\74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
"C:\Users\Admin\AppData\Local\Temp\74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\orau.exe
  C:\Users\Admin\AppData\Roaming\orau.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c6b7156e6216e490406f4c058d2b1fe9

SHA1
67180a162c2eced036abeca7f51e39bfab677423

SHA256
5651aa374d3b362af44e039c7294593a98f43e2a50ef46879a4a46003635d1d9

SHA512
12e7a8370697cfbccb396cb96fcd9bc3220d95ef3967521c43547838de6616e51d82405abd213cfd98aa368c9c645526dd59928f48da46e7b3da02b079f39b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
d120db8802fc00c7f42b6d678fb24fad

SHA1
1cd299880fe709e6956aa6b98662d3ca0e905605

SHA256
431e34c1872951da2075895d821b84411e5133a96bb4e39c010f7d9a865d53a8

SHA512
08c0e7bcbddd3a92a190ab2c45bd9a1db1ab1d83bdd3133b215c585adb265d1d0767929ea0435a3ed59bd8ec149801c5881f94e106c4bd1d22b03c55f9685de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
cb889a90f3b98c524c62e44e6805b505

SHA1
0ba35cde8c99f599506efc1a9492f502edda54cb

SHA256
c9fec1d7f6b7a35d1df3587cc99163dcba2bb6bc9f5d7d62e86cd80299af4322

SHA512
e0838fc22ce211b6e4e0a1ef5f8a56b43de8e4b09ba7222583771883141fc9f2cc487fb86faabcf924dfaea64a2ee4e9dd0eea7c0d4e95a625c480b402f3397d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
5737ba97f2080b08930914eabc918d48

SHA1
7341197abf973a30253a79dfc14bbb8ea296f6e1

SHA256
2d7087d7107ae4088e306e3e8ab31edc632abb1634afc42c9197e69fc524cdeb

SHA512
4360beec33c7ca4890f8308e365ada508276f7a1a15fab5897dca425900c70e253c7bb5b23c59c0090669c7c36716e261df38ba2892d21019255f6ee8e7f55ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YLPV06K\domain_profile[1].htm

Filesize
41KB

MD5
ec0d0e15178e9374be1099744a7a7419

SHA1
e94d173fad57166c3d61162ef5f9d5c6b70cccb7

SHA256
b3e0b2d6b6490146f42fbb6d320a80b319005d77007c960b9c1ec6caf48bab66

SHA512
c77f92807646e2ca184c7ecd6eb8ee6d434b5cd5940936d749dea526f9c38d6189b04886e328cd9ca01b0c55d250899037eb7f9ad7166501f67db5e59af32468

Download Submit
C:\Users\Admin\AppData\Roaming\orau.exe

Filesize
143KB

MD5
0429a939d7c18f883e022eef20f5b6c0

SHA1
ef7872a2552a99c15daa7fe97c67254dbd6a96b6

SHA256
74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

SHA512
87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb

Download Submit
C:\Users\Admin\AppData\Roaming\orau.exe

Filesize
143KB

MD5
0429a939d7c18f883e022eef20f5b6c0

SHA1
ef7872a2552a99c15daa7fe97c67254dbd6a96b6

SHA256
74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e

SHA512
87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb

Download Submit
memory/2796-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing