Analysis
max time kernel: 69s
max time network: 83s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17/05/2023, 20:43
Static task: static1
Behavioral task: behavioral1
Sample: 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
Resource: win10-20230220-en
General
Target: 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
Size: 4.7MB
MD5: e3e79c736912a275997270bded1585a6
SHA1: 13f3da6dfdd80a55a1e9c4f8aded690a3ae63431
SHA256: 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f
SHA512: ec30dc8aed7cf97be0021a4f256da188f135ba077233d985f96dc0ca43ca34fa5233b84e61acaea30e6ce883863b9050c1b8e5f7a5c77469672cbb7b6b1b7187
SSDEEP: 49152:WINaXXB60NmpJrYb0GXRBaQUVgOU5BsUY2CDX6WtD5nzQpy5HEFMUA:qBZ2r/2aiMki
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 5088: DesktopOracle-ver6.0.4.9.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Process: 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopOracle-ver6.0.4.9 = "C:\\ProgramData\\DesktopOracle-ver6.0.4.9\\DesktopOracle-ver6.0.4.9.exe"
    Process: 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3780 wrote to memory of 5088 | 3780 | 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe | 66
  PID 3780 wrote to memory of 5088 | 3780 | 1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe | 66
Processes
1. C:\Users\Admin\AppData\Local\Temp\1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe"
   PID: 3780
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\DesktopOracle-ver6.0.4.9\DesktopOracle-ver6.0.4.9.exe
      Command line: C:\ProgramData\DesktopOracle-ver6.0.4.9\DesktopOracle-ver6.0.4.9.exe
      PID: 5088
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 754.7MB
MD5: efa7a5ab0d7378fe0a5867b392cdca13
SHA1: ab22484e67987c89df328ce062348c622ee3dd63
SHA256: 147f7f1bd3a8b5a5e9d0dde2f0e422d98488bea31670b7df645a4494f0dabe4b
SHA512: 998b5e8e13e8331232390fb91cde67d2650c35fe2c5ce819b5cd49d4bbeca2b5f481d60ed7c9a03717162262483fc6c7d36e89fa74429cdadeaa8e7f5d0245ba