Overview

overview

7

Static

static

1

winprofile

windows7-x64

7

winprofile

windows10-1703-x64

7

Analysis

  • max time kernel
    53s
  • max time network
    178s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-03-2023 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe

  • Size

    4.7MB

  • MD5

    e51f56cff8d20eabff2f5097e89617f0

  • SHA1

    bb44250f7c7b658e0b004d1a50e8311401047f74

  • SHA256

    e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792

  • SHA512

    a8db7f2e6ded80f4052d91083ff3ba5bb26af14cea16378cb840924792be42628b1770f0c977530383c8929c5fadb47c40a557012fb2aeeae53384f8c50ea7b3

  • SSDEEP

    98304:XrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4oo2:XFBMuOCTpDLaqiRYLv

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe
    "C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
        PID:4656
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        2⤵
          PID:4384
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4400
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4428
            • C:\Windows\SysWOW64\icacls.exe
              "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
              4⤵
              • Modifies file permissions
              PID:4348
            • C:\Windows\SysWOW64\icacls.exe
              "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
              4⤵
              • Modifies file permissions
              PID:4308
            • C:\Windows\SysWOW64\icacls.exe
              "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
              4⤵
              • Modifies file permissions
              PID:4280
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3" /TR "C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe" /SC MINUTE
              4⤵
              • Creates scheduled task(s)
              PID:2288
            • C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe
              "C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Executes dropped EXE
              PID:4700
      • C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe
        C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe
        1⤵
        • Executes dropped EXE
        PID:4828

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe
        Filesize

        690.6MB

        MD5

        d737da2c1344968c22bbd639a0c49553

        SHA1

        83de267e884f55842e7ebac6fbc7489e313c8d33

        SHA256

        ba9f33257b06c56d25290e3deeb179c1c99f732a2b41f67450752b7de84cd663

        SHA512

        7e6ed2b3ad882677b5e36cb60ed31c947bb4addd4286b5b119d60d63506558722cefcf120943aaf531b58177b6e89752a32cf7e4bcb3a7ffdcd87212a12a4f2d

        Download Submit

      • C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe
        Filesize

        690.6MB

        MD5

        d737da2c1344968c22bbd639a0c49553

        SHA1

        83de267e884f55842e7ebac6fbc7489e313c8d33

        SHA256

        ba9f33257b06c56d25290e3deeb179c1c99f732a2b41f67450752b7de84cd663

        SHA512

        7e6ed2b3ad882677b5e36cb60ed31c947bb4addd4286b5b119d60d63506558722cefcf120943aaf531b58177b6e89752a32cf7e4bcb3a7ffdcd87212a12a4f2d

        Download Submit

      • C:\ProgramData\WindowsHolographicDevicesOracle-type3.1.0.3\WindowsHolographicDevicesOracle-type3.1.0.3.exe
        Filesize

        690.6MB

        MD5

        d737da2c1344968c22bbd639a0c49553

        SHA1

        83de267e884f55842e7ebac6fbc7489e313c8d33

        SHA256

        ba9f33257b06c56d25290e3deeb179c1c99f732a2b41f67450752b7de84cd663

        SHA512

        7e6ed2b3ad882677b5e36cb60ed31c947bb4addd4286b5b119d60d63506558722cefcf120943aaf531b58177b6e89752a32cf7e4bcb3a7ffdcd87212a12a4f2d

        Download Submit

      • memory/4400-117-0x0000000000400000-0x00000000008A3000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/4400-125-0x0000000000400000-0x00000000008A3000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/4428-127-0x0000000000400000-0x000000000088C000-memory.dmp

        Filesize

        4.5MB

        Download

      • memory/4428-134-0x0000000009AA0000-0x0000000009F9E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/4428-135-0x0000000009640000-0x00000000096D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4428-136-0x0000000009600000-0x000000000960A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4428-137-0x0000000009870000-0x0000000009880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4428-138-0x0000000009870000-0x0000000009880000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4428-139-0x0000000009870000-0x0000000009880000-memory.dmp

        Filesize

        64KB

        Download