Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2022, 05:57
Static task: static1
Behavioral task: behavioral1
- Sample: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
- Resource: win10v2004-20220812-en
General
- Target: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe
- Size: 143KB
- MD5: 0429a939d7c18f883e022eef20f5b6c0
- SHA1: ef7872a2552a99c15daa7fe97c67254dbd6a96b6
- SHA256: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e
- SHA512: 87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb
- SSDEEP: 1536:rB9HGSE2f9sUo2Fjrt4doHaWo25d5VpMaRczrHzv5k3AhB/uMXsy07vP1txk1ph4:fGb2XFjrdFoqcnHzSAhZXsy61txk1zY
Malware Config
(none extracted)
Signatures
- Executes dropped EXE (1 IoC)
  - pid 3688, process orau.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: orau.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe" (process: orau.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "C:\\Users\\Admin\\AppData\\Roaming\\orau.exe" (process: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2796 wrote to memory of PID 3688 (process: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe, procid_target 81)
  - PID 2796 wrote to memory of PID 3688 (process: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe, procid_target 81)
  - PID 2796 wrote to memory of PID 3688 (process: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe, procid_target 81)
Processes
- C:\Users\Admin\AppData\Local\Temp\74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe (PID 2796, depth 1)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\orau.exe (PID 3688, depth 2, child of PID 2796)
    - Command line: C:\Users\Admin\AppData\Roaming\orau.exe
    - Executes dropped EXE
    - Adds Run key to start application
Network
(no entries recorded)
MITRE ATT&CK Enterprise v6
(no entries recorded)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  - Filesize: 1KB
  - MD5: c6b7156e6216e490406f4c058d2b1fe9
  - SHA1: 67180a162c2eced036abeca7f51e39bfab677423
  - SHA256: 5651aa374d3b362af44e039c7294593a98f43e2a50ef46879a4a46003635d1d9
  - SHA512: 12e7a8370697cfbccb396cb96fcd9bc3220d95ef3967521c43547838de6616e51d82405abd213cfd98aa368c9c645526dd59928f48da46e7b3da02b079f39b81
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273
  - Filesize: 280B
  - MD5: d120db8802fc00c7f42b6d678fb24fad
  - SHA1: 1cd299880fe709e6956aa6b98662d3ca0e905605
  - SHA256: 431e34c1872951da2075895d821b84411e5133a96bb4e39c010f7d9a865d53a8
  - SHA512: 08c0e7bcbddd3a92a190ab2c45bd9a1db1ab1d83bdd3133b215c585adb265d1d0767929ea0435a3ed59bd8ec149801c5881f94e106c4bd1d22b03c55f9685de5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  - Filesize: 438B
  - MD5: cb889a90f3b98c524c62e44e6805b505
  - SHA1: 0ba35cde8c99f599506efc1a9492f502edda54cb
  - SHA256: c9fec1d7f6b7a35d1df3587cc99163dcba2bb6bc9f5d7d62e86cd80299af4322
  - SHA512: e0838fc22ce211b6e4e0a1ef5f8a56b43de8e4b09ba7222583771883141fc9f2cc487fb86faabcf924dfaea64a2ee4e9dd0eea7c0d4e95a625c480b402f3397d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273
  - Filesize: 426B
  - MD5: 5737ba97f2080b08930914eabc918d48
  - SHA1: 7341197abf973a30253a79dfc14bbb8ea296f6e1
  - SHA256: 2d7087d7107ae4088e306e3e8ab31edc632abb1634afc42c9197e69fc524cdeb
  - SHA512: 4360beec33c7ca4890f8308e365ada508276f7a1a15fab5897dca425900c70e253c7bb5b23c59c0090669c7c36716e261df38ba2892d21019255f6ee8e7f55ba
- (path not given in the report)
  - Filesize: 41KB
  - MD5: ec0d0e15178e9374be1099744a7a7419
  - SHA1: e94d173fad57166c3d61162ef5f9d5c6b70cccb7
  - SHA256: b3e0b2d6b6490146f42fbb6d320a80b319005d77007c960b9c1ec6caf48bab66
  - SHA512: c77f92807646e2ca184c7ecd6eb8ee6d434b5cd5940936d749dea526f9c38d6189b04886e328cd9ca01b0c55d250899037eb7f9ad7166501f67db5e59af32468
- (path not given in the report; hashes match the submitted sample)
  - Filesize: 143KB
  - MD5: 0429a939d7c18f883e022eef20f5b6c0
  - SHA1: ef7872a2552a99c15daa7fe97c67254dbd6a96b6
  - SHA256: 74d2c8c4855ff08184c9662f9d28c2c7d28536f33cf9231092bfba63012c5c2e
  - SHA512: 87582af6060cad0197c0b1006ef0a516f8561fca1c2c59ffcde9cb7feda0b796545f7a14e7c9c2da6b90b62878a6a2cb75ab92f982e7103ce0805dbc910a3afb