e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792

Analysis

max time kernel
65s
max time network
185s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15/03/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe
Size

4.7MB
MD5

e51f56cff8d20eabff2f5097e89617f0
SHA1

bb44250f7c7b658e0b004d1a50e8311401047f74
SHA256

e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792
SHA512

a8db7f2e6ded80f4052d91083ff3ba5bb26af14cea16378cb840924792be42628b1770f0c977530383c8929c5fadb47c40a557012fb2aeeae53384f8c50ea7b3
SSDEEP

98304:XrNDnifgPgjhcObmRCevTu6QDiU98WJONhZ9gsb0jJu/2vJYL4oo2:XFBMuOCTpDLaqiRYLv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4140	DesktopOracle-type1.4.3.0.exe
3528	DesktopOracle-type1.4.3.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1940	icacls.exe
2840	icacls.exe
3048	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 1568	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	68
PID 1568 set thread context of 4880	1568	AppLaunch.exe	70

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4440	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2100	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	67
PID 4600 wrote to memory of 2100	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	67
PID 4600 wrote to memory of 2100	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	67
PID 4600 wrote to memory of 1568	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	68
PID 4600 wrote to memory of 1568	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	68
PID 4600 wrote to memory of 1568	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	68
PID 4600 wrote to memory of 1568	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	68
PID 4600 wrote to memory of 1568	4600	e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe	68
PID 1568 wrote to memory of 4880	1568	AppLaunch.exe	70
PID 1568 wrote to memory of 4880	1568	AppLaunch.exe	70
PID 1568 wrote to memory of 4880	1568	AppLaunch.exe	70
PID 1568 wrote to memory of 4880	1568	AppLaunch.exe	70
PID 1568 wrote to memory of 4880	1568	AppLaunch.exe	70
PID 4880 wrote to memory of 1940	4880	AppLaunch.exe	71
PID 4880 wrote to memory of 1940	4880	AppLaunch.exe	71
PID 4880 wrote to memory of 1940	4880	AppLaunch.exe	71
PID 4880 wrote to memory of 2840	4880	AppLaunch.exe	73
PID 4880 wrote to memory of 2840	4880	AppLaunch.exe	73
PID 4880 wrote to memory of 2840	4880	AppLaunch.exe	73
PID 4880 wrote to memory of 3048	4880	AppLaunch.exe	75
PID 4880 wrote to memory of 3048	4880	AppLaunch.exe	75
PID 4880 wrote to memory of 3048	4880	AppLaunch.exe	75
PID 4880 wrote to memory of 4440	4880	AppLaunch.exe	77
PID 4880 wrote to memory of 4440	4880	AppLaunch.exe	77
PID 4880 wrote to memory of 4440	4880	AppLaunch.exe	77
PID 4880 wrote to memory of 4140	4880	AppLaunch.exe	79
PID 4880 wrote to memory of 4140	4880	AppLaunch.exe	79

C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe
"C:\Users\Admin\AppData\Local\Temp\e25a1050eba1d2800e12178ec056082cb84e4825dfab58c3a44a173b6f9c1792.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopOracle-type1.4.3.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:1940
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopOracle-type1.4.3.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:2840
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopOracle-type1.4.3.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:3048
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0" /TR "C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe" /SC MINUTE
      4⤵
      Creates scheduled task(s)
      PID:4440
  - - C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe
      "C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Executes dropped EXE
      PID:4140

C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe
C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe
1⤵
- Executes dropped EXE
PID:3528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe

Filesize
677.1MB

MD5
b9c775876094273521e8920a3600966a

SHA1
26c236a32b1a4b0e251a7a43919eeda2ef52a947

SHA256
75dd34f976e8910a59e2049fdc90d55ee5536adc99748664372ba4631ddbec31

SHA512
bc0ee85c3caf81ab183e8bfea75ca3a8a7cf0935d6dcae8da50cb568bb8558fdea9307b03a3d220f49c9437d5b196f3c3469837e0201ddf096cacdb790c7894e

Download Submit
C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe

Filesize
677.1MB

MD5
b9c775876094273521e8920a3600966a

SHA1
26c236a32b1a4b0e251a7a43919eeda2ef52a947

SHA256
75dd34f976e8910a59e2049fdc90d55ee5536adc99748664372ba4631ddbec31

SHA512
bc0ee85c3caf81ab183e8bfea75ca3a8a7cf0935d6dcae8da50cb568bb8558fdea9307b03a3d220f49c9437d5b196f3c3469837e0201ddf096cacdb790c7894e

Download Submit
C:\ProgramData\DesktopOracle-type1.4.3.0\DesktopOracle-type1.4.3.0.exe

Filesize
677.1MB

MD5
b9c775876094273521e8920a3600966a

SHA1
26c236a32b1a4b0e251a7a43919eeda2ef52a947

SHA256
75dd34f976e8910a59e2049fdc90d55ee5536adc99748664372ba4631ddbec31

SHA512
bc0ee85c3caf81ab183e8bfea75ca3a8a7cf0935d6dcae8da50cb568bb8558fdea9307b03a3d220f49c9437d5b196f3c3469837e0201ddf096cacdb790c7894e

Download Submit
memory/1568-120-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/1568-128-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/4880-130-0x0000000004C00000-0x000000000508C000-memory.dmp

Filesize
4.5MB

Download
memory/4880-137-0x0000000009330000-0x000000000982E000-memory.dmp

Filesize
5.0MB

Download
memory/4880-138-0x0000000008ED0000-0x0000000008F62000-memory.dmp

Filesize
584KB

Download
memory/4880-139-0x0000000008E40000-0x0000000008E4A000-memory.dmp

Filesize
40KB

Download
memory/4880-140-0x0000000008E80000-0x0000000008E90000-memory.dmp

Filesize
64KB

Download
memory/4880-141-0x0000000008E80000-0x0000000008E90000-memory.dmp

Filesize
64KB

Download
memory/4880-142-0x0000000008E80000-0x0000000008E90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads