2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4

General

Target

2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe
Size

4.6MB
MD5

579e25195cff7b2081f1ee3613d1369b
SHA1

86fff0f91de6042f81c0eaa9f7ed678d51856e26
SHA256

2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4
SHA512

337c607e0d2ae47522d5456d96c4c718fbcc3900e5252b692f629a52853fa3cc6a6b38b8ee6e6a59df2b6e41364a1a5db0df106d8c5e1e1218e2869b74ccb0b7
SSDEEP

98304:avFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrJ:2FRPQzceZHOc3RxAwZGV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2156	OracleDesktop-type2.5.6.0.exe
3672	OracleDesktop-type2.5.6.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2512	icacls.exe
1568	icacls.exe
644	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 2064	4676	2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4936	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2064	4676	2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe	87
PID 4676 wrote to memory of 2064	4676	2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe	87
PID 4676 wrote to memory of 2064	4676	2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe	87
PID 4676 wrote to memory of 2064	4676	2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe	87
PID 4676 wrote to memory of 2064	4676	2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe	87
PID 2064 wrote to memory of 1568	2064	AppLaunch.exe	92
PID 2064 wrote to memory of 1568	2064	AppLaunch.exe	92
PID 2064 wrote to memory of 1568	2064	AppLaunch.exe	92
PID 2064 wrote to memory of 644	2064	AppLaunch.exe	94
PID 2064 wrote to memory of 644	2064	AppLaunch.exe	94
PID 2064 wrote to memory of 644	2064	AppLaunch.exe	94
PID 2064 wrote to memory of 2512	2064	AppLaunch.exe	96
PID 2064 wrote to memory of 2512	2064	AppLaunch.exe	96
PID 2064 wrote to memory of 2512	2064	AppLaunch.exe	96
PID 2064 wrote to memory of 4936	2064	AppLaunch.exe	98
PID 2064 wrote to memory of 4936	2064	AppLaunch.exe	98
PID 2064 wrote to memory of 4936	2064	AppLaunch.exe	98
PID 2064 wrote to memory of 2156	2064	AppLaunch.exe	100
PID 2064 wrote to memory of 2156	2064	AppLaunch.exe	100

C:\Users\Admin\AppData\Local\Temp\2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe
"C:\Users\Admin\AppData\Local\Temp\2a89ba874324acc9947ba5013e8efd7c6f65e32fbc7c1b49d48e27b635fa2fd4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleDesktop-type2.5.6.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1568
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleDesktop-type2.5.6.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:644
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleDesktop-type2.5.6.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0" /TR "C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4936
- - C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe
    "C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Executes dropped EXE
    PID:2156

C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe
C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe
1⤵
- Executes dropped EXE
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe

Filesize
586.2MB

MD5
c4f5401ab13694baa83b8b4555432145

SHA1
8ffc59a0eec145abcdb819175b6e8d498b1edced

SHA256
aa6ae6be96581fcd3098871e19fc4893761713b485abab655e320f287dd88981

SHA512
6c3d7a3a69fe86565f43fb847665bceec01971ef14f0f5e86879b6d80f65cc53b2d10518bbfcd9e0d7b5d5d0f03eec691fd9131c43e50fdd87bd17af50ed8228

Download Submit
C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe

Filesize
581.2MB

MD5
cc0d91b996a3fa17f5447e75819600d2

SHA1
f29f9cc71f05cc91fd0d70d5c42a522faa1407d8

SHA256
7c882bcecc239647054011ac9791e47e87176fec558be41f41edf60744876d46

SHA512
780486313fde0fe212462b51276bef51b98b57cfa1552662951bc4465ae472d2ca8a63e2a0834f0b7905eb2381d5ad1d9fb27d3a505f5a4f15c2fb003c2561b8

Download Submit
C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe

Filesize
516.6MB

MD5
92a9b821f1afdaaf6093504d74315bdf

SHA1
dbf3fdb2f9c47ed20e565dc6fb1d33d83de77008

SHA256
e287975eb355495e26fb16b57b8646f6118b2ebb5212d9d96063a11db1e4147f

SHA512
c52062fd5c1222f53f163047e0685abda023aa8f15e83321184d4f1c3146f1680cdbc6d5b95715a906e3b0fbee268c85c54bfe8051c5e59637a9206df9e34e12

Download Submit
C:\ProgramData\OracleDesktop-type2.5.6.0\OracleDesktop-type2.5.6.0.exe

Filesize
433.8MB

MD5
22155de5a2f641b5bf3bf70b5cce5d93

SHA1
d5234ab26b4aec27ba5007f7e6e0eaec2c6e94cb

SHA256
1484f53b2bb0d4de1f1cba4b80cc7a20bc2af04754ccae4b895a1052ab538640

SHA512
69b7ddee564b1cf4900a9db4138e9aea654cfcf3c9f626a671d8ca4c6cf08b30c33ab88d5f178b2c66b9a57bbc1869ff81d885f74e30fcc41dad0029e0cc6d4d

Download Submit
memory/2064-134-0x0000000000400000-0x000000000088C000-memory.dmp

Filesize
4.5MB

Download
memory/2064-139-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/2064-140-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/2064-141-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/2064-142-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2064-143-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2064-144-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2064-145-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads