f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980

General

Target

f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe
Size

4.2MB
MD5

9e7e95187b24e39e73625a7fb2b70440
SHA1

9a3cfd29be16528b61d0b7d0b1207b0aaaffe967
SHA256

f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980
SHA512

654c1b256fae4b7286be199032d3df45a4e644f22fbff1d3cf0304ad95e80f573143176d268ea49d7f9b36d22e171962776333b4feff25390cc1cb8fcf255b2c
SSDEEP

98304:mEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthA:mRG4sskf38s7MjJeVYT69id+VbaMM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3136	OracleMicrosoft-type8.0.9.7.exe
3060	OracleMicrosoft-type8.0.9.7.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2940	icacls.exe
3728	icacls.exe
1076	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2828	2268	f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4188	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2828	2268	f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe	67
PID 2268 wrote to memory of 2828	2268	f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe	67
PID 2268 wrote to memory of 2828	2268	f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe	67
PID 2268 wrote to memory of 2828	2268	f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe	67
PID 2268 wrote to memory of 2828	2268	f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe	67
PID 2828 wrote to memory of 2940	2828	AppLaunch.exe	68
PID 2828 wrote to memory of 2940	2828	AppLaunch.exe	68
PID 2828 wrote to memory of 2940	2828	AppLaunch.exe	68
PID 2828 wrote to memory of 3728	2828	AppLaunch.exe	70
PID 2828 wrote to memory of 3728	2828	AppLaunch.exe	70
PID 2828 wrote to memory of 3728	2828	AppLaunch.exe	70
PID 2828 wrote to memory of 1076	2828	AppLaunch.exe	72
PID 2828 wrote to memory of 1076	2828	AppLaunch.exe	72
PID 2828 wrote to memory of 1076	2828	AppLaunch.exe	72
PID 2828 wrote to memory of 4188	2828	AppLaunch.exe	76
PID 2828 wrote to memory of 4188	2828	AppLaunch.exe	76
PID 2828 wrote to memory of 4188	2828	AppLaunch.exe	76
PID 2828 wrote to memory of 3136	2828	AppLaunch.exe	75
PID 2828 wrote to memory of 3136	2828	AppLaunch.exe	75

C:\Users\Admin\AppData\Local\Temp\f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe
"C:\Users\Admin\AppData\Local\Temp\f554ae38ddb59ce3904deeaad5cda290f0e5257d09f16650cc76d88ffa979980.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleMicrosoft-type8.0.9.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2940
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleMicrosoft-type8.0.9.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3728
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleMicrosoft-type8.0.9.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1076
- - C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe
    "C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:3136
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7" /TR "C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4188

C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe
C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe
1⤵
- Executes dropped EXE
PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe

Filesize
764.9MB

MD5
3f5f0419b73d0a046546abdf371b3bc4

SHA1
75a7251755d57579038bb51e256c24d742147def

SHA256
d9a90d8f87c76ff854e6f4edbdf2d9663078ce6edda9629c76a36a0fa79b089e

SHA512
44a1756443dc782ec2a7685549fbde42375e51906da1b09d43fce1f2f6b5fccbc1e4d186cf3765776c70727a6558ebe4fa7c92577c15038eed05f1f2f3b39dac

Download Submit
C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe

Filesize
764.9MB

MD5
3f5f0419b73d0a046546abdf371b3bc4

SHA1
75a7251755d57579038bb51e256c24d742147def

SHA256
d9a90d8f87c76ff854e6f4edbdf2d9663078ce6edda9629c76a36a0fa79b089e

SHA512
44a1756443dc782ec2a7685549fbde42375e51906da1b09d43fce1f2f6b5fccbc1e4d186cf3765776c70727a6558ebe4fa7c92577c15038eed05f1f2f3b39dac

Download Submit
C:\ProgramData\OracleMicrosoft-type8.0.9.7\OracleMicrosoft-type8.0.9.7.exe

Filesize
328.9MB

MD5
98b90b48f6e8c9a73068c9d51213c423

SHA1
64899804fad1c73db34c68aa086b4cc1bef01385

SHA256
99489b46354570660be3f44aac2c1fb2b164c55267541cd7980a228ad29991e8

SHA512
64e903095545fcbead01280ffa47dfbd1b4802d775110919e4f9ebdd6848cc402f9f22e44cedbf61ff6660ce86c7bc72f3000b5a32ae1fb05a4d367cc9f9b839

Download Submit
memory/2828-122-0x0000000000B50000-0x0000000000F78000-memory.dmp

Filesize
4.2MB

Download
memory/2828-129-0x0000000009220000-0x000000000971E000-memory.dmp

Filesize
5.0MB

Download
memory/2828-130-0x0000000008D20000-0x0000000008DB2000-memory.dmp

Filesize
584KB

Download
memory/2828-131-0x0000000006850000-0x000000000685A000-memory.dmp

Filesize
40KB

Download
memory/2828-132-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download
memory/2828-133-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download
memory/2828-135-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download
memory/2828-134-0x0000000008FB0000-0x0000000008FC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads