94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a

Analysis

max time kernel
131s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe
Size

4.4MB
MD5

e965c364b368f1b7c9272dec67176722
SHA1

61f3740ed229e2f05fb4a7f0f0e8980049e9bd6b
SHA256

94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a
SHA512

f4411d7b97f21016c343eb75bd782670012b66fbde5d615842f057bf109d6eb5734b4636abae94f534d6de5164647cef823df232d6c6481db330a5c9a70a78ae
SSDEEP

98304:Hfc31RBC96etJeZ3G9LWme1lZW03xLiSJOIQMEy8PyEpzVQa/H1YMlJ:HM/+64JeBILWmeLw03dRJpP8PHb/HNJ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4112	USOSharedOracle-Type2.1.0.4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USOSharedOracle-Type2.1.0.4 = "C:\\ProgramData\\USOSharedOracle-Type2.1.0.4\\USOSharedOracle-Type2.1.0.4.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 2904	4324	94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe	87

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2904	4324	94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe	87
PID 4324 wrote to memory of 2904	4324	94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe	87
PID 4324 wrote to memory of 2904	4324	94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe	87
PID 4324 wrote to memory of 2904	4324	94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe	87
PID 4324 wrote to memory of 2904	4324	94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe	87
PID 2904 wrote to memory of 4112	2904	AppLaunch.exe	94
PID 2904 wrote to memory of 4112	2904	AppLaunch.exe	94

C:\Users\Admin\AppData\Local\Temp\94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe
"C:\Users\Admin\AppData\Local\Temp\94e120968b8ee30ad2bc1377d2b7506c884c0db61188b8fd69c36ba196796b7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\ProgramData\USOSharedOracle-Type2.1.0.4\USOSharedOracle-Type2.1.0.4.exe
    "C:\ProgramData\USOSharedOracle-Type2.1.0.4\USOSharedOracle-Type2.1.0.4.exe"
    3⤵
    - Executes dropped EXE
    PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOSharedOracle-Type2.1.0.4\USOSharedOracle-Type2.1.0.4.exe

Filesize
640.4MB

MD5
4580473f71f7566664b4044ea82a6274

SHA1
b77df0a94f016f7e7f0e0620436d1c156b446766

SHA256
f613954d2483755e755bb5b6d6be5e19ce3545e92de64e8355dab47c8089626b

SHA512
06fc3de6abbd23d22d5876f15fdb1a25c4d4f46863858d3ffc7cbc0f9951feb5446e7cae29dd593dfefb1b86d843ea690fb52d04edda8c59a6aff923e64bdf79

Download Submit
C:\ProgramData\USOSharedOracle-Type2.1.0.4\USOSharedOracle-Type2.1.0.4.exe

Filesize
633.1MB

MD5
b22abe63432e8b32bc737a40806cce63

SHA1
e992a942573e9229d559ce82927fa858babe5978

SHA256
f534f7f60c53344bb3f560a7e21f28e317e137f562e9b20ce383268c233d9050

SHA512
316ae675d7b6fd3e0f75b52e349c4912547467feb83884a00a500d512d576d287711dc394f9ac83a9c754b0f3690d218a4a737a8fd40c707922fd507e0aa846e

Download Submit
C:\ProgramData\USOSharedOracle-Type2.1.0.4\USOSharedOracle-Type2.1.0.4.exe

Filesize
643.1MB

MD5
9e8cc29620e9e29c321f3b16976ce826

SHA1
16ce0ad98c7290e1e85986c70677555012b3a652

SHA256
a2ecb544a7ce0a69a91d53712533adbc90e916f220c8ef059cff7f6df6f8c940

SHA512
ebfb81527f77798dc573cc423de2274022f0a8ca8dfe466bd6a11c584cb3a831a4b90f985bb1d8b269333bd0b59f662770ded590a04eafa86a7326fd64b8370d

Download Submit
memory/2904-134-0x0000000000910000-0x0000000000D6C000-memory.dmp

Filesize
4.4MB

Download
memory/2904-139-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/2904-140-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/2904-141-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2904-142-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/2904-143-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2904-144-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2904-145-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download