Overview

overview

7

Static

static

1

winprofile

windows7-x64

7

winprofile

windows10-1703-x64

7

Analysis

  • max time kernel
    69s
  • max time network
    181s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-03-2023 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1636b42450bbec6f91c099825477a0808dd2f9b86def6f3e11610b3fd7ea4e0.exe

  • Size

    4.2MB

  • MD5

    7ac332f16634fcee99672af0867d872f

  • SHA1

    2aefd28de39e62a0f37c4119cc7a3155581fc2ae

  • SHA256

    f1636b42450bbec6f91c099825477a0808dd2f9b86def6f3e11610b3fd7ea4e0

  • SHA512

    5be5d4bf5a6ed2c117294f6e28a5f56301257a39407795834831223db9bb95c0e496dcacc14d4968c597679771f2eab1c12416c0e2e931354ea7995dd8e49e32

  • SSDEEP

    49152:/x28PbFFbDmcVY9yIsI/qaQjI6DpiRp5ZtCaMRka7eQxh+KDQy8YTc7cN6oe4C87:cutKcm9yB4iIEiB2+a7eUku7

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1636b42450bbec6f91c099825477a0808dd2f9b86def6f3e11610b3fd7ea4e0.exe
    "C:\Users\Admin\AppData\Local\Temp\f1636b42450bbec6f91c099825477a0808dd2f9b86def6f3e11610b3fd7ea4e0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3968
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2460
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:984
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7" /TR "C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4476
      • C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe
        "C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Executes dropped EXE
        PID:3076
  • C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe
    C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe
    1⤵
    • Executes dropped EXE
    PID:2872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe
    Filesize

    715.7MB

    MD5

    017b3f683419ec7ce62e437bf74976c3

    SHA1

    22a51bc29688bf3acc440a4b3a5cd71aecfe84b1

    SHA256

    eb7c27cad360ab7bda63f2905908bc74e166256fe5ca4a290d7429d5feded6ac

    SHA512

    868f310834ce007466fd48340f419beee04afef691e904a021dbc88b9e838466055901dd1fc46bff26c24d30d7c17f37d69a84d7738e23267655449ed98fa43c

    Download Submit

  • C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe
    Filesize

    715.7MB

    MD5

    017b3f683419ec7ce62e437bf74976c3

    SHA1

    22a51bc29688bf3acc440a4b3a5cd71aecfe84b1

    SHA256

    eb7c27cad360ab7bda63f2905908bc74e166256fe5ca4a290d7429d5feded6ac

    SHA512

    868f310834ce007466fd48340f419beee04afef691e904a021dbc88b9e838466055901dd1fc46bff26c24d30d7c17f37d69a84d7738e23267655449ed98fa43c

    Download Submit

  • C:\ProgramData\OracleSoftwareDistribution-type8.3.3.7\OracleSoftwareDistribution-type8.3.3.7.exe
    Filesize

    715.7MB

    MD5

    017b3f683419ec7ce62e437bf74976c3

    SHA1

    22a51bc29688bf3acc440a4b3a5cd71aecfe84b1

    SHA256

    eb7c27cad360ab7bda63f2905908bc74e166256fe5ca4a290d7429d5feded6ac

    SHA512

    868f310834ce007466fd48340f419beee04afef691e904a021dbc88b9e838466055901dd1fc46bff26c24d30d7c17f37d69a84d7738e23267655449ed98fa43c

    Download Submit

  • memory/2072-117-0x0000000000700000-0x0000000000B28000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2072-122-0x0000000005410000-0x000000000590E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2072-123-0x0000000004FF0000-0x0000000005082000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2072-124-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2072-125-0x00000000051A0000-0x00000000051B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2072-126-0x00000000051A0000-0x00000000051B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2072-127-0x00000000051A0000-0x00000000051B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2072-128-0x00000000051A0000-0x00000000051B0000-memory.dmp

    Filesize

    64KB

    Download