1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb

General

Target

1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe
Size

3.4MB
MD5

3bfd35829333ec3f1e4c89b67a05dc0b
SHA1

fcff0f19e1fbb0f5fadbf4507323a6ab80739904
SHA256

1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb
SHA512

e6e60128892f1d240055ce3106f75c2d8a46ec6b78fd5d55ae9ad2d49d61b6544fb1d9d71337f86c6c2a02fe75cbb2b745780665f35726d7c4ef917b5971426a
SSDEEP

49152:jr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVlo8:oKvfd94XayMT5sH9M0aS8o9uWyUhHyd

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

OracleDesktop-type9.8.8.0.exeOracleDesktop-type9.8.8.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OracleDesktop-type9.8.8.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OracleDesktop-type9.8.8.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OracleDesktop-type9.8.8.0.exeOracleDesktop-type9.8.8.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OracleDesktop-type9.8.8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OracleDesktop-type9.8.8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OracleDesktop-type9.8.8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OracleDesktop-type9.8.8.0.exe

Executes dropped EXE 2 IoCs

Processes:

OracleDesktop-type9.8.8.0.exeOracleDesktop-type9.8.8.0.exe

pid process

3544 OracleDesktop-type9.8.8.0.exe
3492 OracleDesktop-type9.8.8.0.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

3700 icacls.exe
3196 icacls.exe
2096 icacls.exe

pid	process
3544	OracleDesktop-type9.8.8.0.exe
3492	OracleDesktop-type9.8.8.0.exe

pid	process
3700	icacls.exe
3196	icacls.exe
2096	icacls.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe	upx
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe	upx
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe	upx
behavioral1/memory/3544-153-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
behavioral1/memory/3544-155-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
behavioral1/memory/3544-156-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
behavioral1/memory/3544-157-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
behavioral1/memory/3544-158-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe	upx
behavioral1/memory/3492-160-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
behavioral1/memory/3492-162-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx
behavioral1/memory/3492-163-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

OracleDesktop-type9.8.8.0.exeOracleDesktop-type9.8.8.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OracleDesktop-type9.8.8.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OracleDesktop-type9.8.8.0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe

description	pid	process	target process
PID 3772 set thread context of 2196	3772	1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3736 schtasks.exe

pid	process
3736	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exeAppLaunch.exe

description	pid	process	target process
PID 3772 wrote to memory of 2196	3772	1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe	AppLaunch.exe
PID 3772 wrote to memory of 2196	3772	1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe	AppLaunch.exe
PID 3772 wrote to memory of 2196	3772	1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe	AppLaunch.exe
PID 3772 wrote to memory of 2196	3772	1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe	AppLaunch.exe
PID 3772 wrote to memory of 2196	3772	1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe	AppLaunch.exe
PID 2196 wrote to memory of 3700	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 3700	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 3700	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 3196	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 3196	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 3196	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 2096	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 2096	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 2096	2196	AppLaunch.exe	icacls.exe
PID 2196 wrote to memory of 3736	2196	AppLaunch.exe	schtasks.exe
PID 2196 wrote to memory of 3736	2196	AppLaunch.exe	schtasks.exe
PID 2196 wrote to memory of 3736	2196	AppLaunch.exe	schtasks.exe
PID 2196 wrote to memory of 3544	2196	AppLaunch.exe	OracleDesktop-type9.8.8.0.exe
PID 2196 wrote to memory of 3544	2196	AppLaunch.exe	OracleDesktop-type9.8.8.0.exe

C:\Users\Admin\AppData\Local\Temp\1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe
"C:\Users\Admin\AppData\Local\Temp\1a0f8e75afc1d4031d4d4daece2f4ad0bdebd32b31f110a7d6c43e10b7d055eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleDesktop-type9.8.8.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:3700

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleDesktop-type9.8.8.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:3196

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleDesktop-type9.8.8.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0" /TR "C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:3736

C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
"C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3544

C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
Filesize
426.6MB

MD5
656db58632ee96ef0c625ad8ff20c167

SHA1
9944228d991dc6269c5b0b2c80294f07de092174

SHA256
eac8fe988bed130c0ff9afd5cb3c4fb28f0dd27236ce0db616348416966def46

SHA512
50a5802ef7c73e704478369f84f47347ff44e5331a55b532a2ffb29ee531d3067e70e54833a4733040b695976f2e664f5dcb7e3731cf0116002e1cdf18421aea

Download Submit
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
Filesize
443.7MB

MD5
5409b33c173e72e2084a02e280e47321

SHA1
7bd1bd83d5c6466ba7bd6b3c8eeecf6f11ad3a10

SHA256
308a9a2f9c62c21db3a049a43344b0e84d99ff5d7bc6346ece9c85b27ab16017

SHA512
9268f226d64258b8c1d9caf5e9bc220e42a89151e76facbcea987d723e71797c88f1e6a6ed715d05eabc0a0215b44b74e5752505dd4f954e5392d12fd2ac78fe

Download Submit
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
Filesize
412.5MB

MD5
aba6c9fdcdc0152b289613419273710d

SHA1
10024c12392ba4ef4cb8908c40ec668f024594aa

SHA256
f427ab39f924d4598041eeb310f58e1d9f149c2086cc5ca0e9419970db9fb9af

SHA512
6734b3a397bda3cbd8561dbddef2d27e5c6161b7fdb957bf427fa322117d833f946cafe6d2da0b81b2f38bf12a5e648f606f7085519ac48d5bc0e7fbaceaeeec

Download Submit
C:\ProgramData\OracleDesktop-type9.8.8.0\OracleDesktop-type9.8.8.0.exe
Filesize
366.1MB

MD5
1672ce730c042ad8f72b6edf8cae4479

SHA1
37708e9823dc2e199552b083f51db0beb850492a

SHA256
135d828ccb350ec09cc6b390a265552ba5cb1b4009eab9489d526015d54af0d6

SHA512
326e181bd2aba36fd39f411aa79666bdd77d0a3b6a544004571b52b6a68a2bbf3c428c0320c3b3bab027fe5dfbb6cae8e08b5967faf858999efa72ae391bba73

Download Submit
memory/2196-142-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2196-138-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/2196-143-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2196-144-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2196-141-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/2196-140-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2196-139-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/2196-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/3492-163-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3492-162-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3492-160-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3544-153-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3544-158-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3544-157-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3544-156-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download
memory/3544-155-0x00007FF6E7900000-0x00007FF6E7E1F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads