1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f

Analysis

max time kernel
69s
max time network
83s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17/05/2023, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
Size

4.7MB
MD5

e3e79c736912a275997270bded1585a6
SHA1

13f3da6dfdd80a55a1e9c4f8aded690a3ae63431
SHA256

1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f
SHA512

ec30dc8aed7cf97be0021a4f256da188f135ba077233d985f96dc0ca43ca34fa5233b84e61acaea30e6ce883863b9050c1b8e5f7a5c77469672cbb7b6b1b7187
SSDEEP

49152:WINaXXB60NmpJrYb0GXRBaQUVgOU5BsUY2CDX6WtD5nzQpy5HEFMUA:qBZ2r/2aiMki

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5088	DesktopOracle-ver6.0.4.9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopOracle-ver6.0.4.9 = "C:\\ProgramData\\DesktopOracle-ver6.0.4.9\\DesktopOracle-ver6.0.4.9.exe"	1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 5088	3780	1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe	66
PID 3780 wrote to memory of 5088	3780	1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe	66

C:\Users\Admin\AppData\Local\Temp\1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe
"C:\Users\Admin\AppData\Local\Temp\1028c5b6b0f137c2440d81b1b1896e5cac83c28ab726bfd4e9fbe777264b208f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3780
- C:\ProgramData\DesktopOracle-ver6.0.4.9\DesktopOracle-ver6.0.4.9.exe
  C:\ProgramData\DesktopOracle-ver6.0.4.9\DesktopOracle-ver6.0.4.9.exe
  2⤵
  - Executes dropped EXE
  PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopOracle-ver6.0.4.9\DesktopOracle-ver6.0.4.9.exe

Filesize
754.7MB

MD5
efa7a5ab0d7378fe0a5867b392cdca13

SHA1
ab22484e67987c89df328ce062348c622ee3dd63

SHA256
147f7f1bd3a8b5a5e9d0dde2f0e422d98488bea31670b7df645a4494f0dabe4b

SHA512
998b5e8e13e8331232390fb91cde67d2650c35fe2c5ce819b5cd49d4bbeca2b5f481d60ed7c9a03717162262483fc6c7d36e89fa74429cdadeaa8e7f5d0245ba

Download Submit
C:\ProgramData\DesktopOracle-ver6.0.4.9\DesktopOracle-ver6.0.4.9.exe

Filesize
754.7MB

MD5
efa7a5ab0d7378fe0a5867b392cdca13

SHA1
ab22484e67987c89df328ce062348c622ee3dd63

SHA256
147f7f1bd3a8b5a5e9d0dde2f0e422d98488bea31670b7df645a4494f0dabe4b

SHA512
998b5e8e13e8331232390fb91cde67d2650c35fe2c5ce819b5cd49d4bbeca2b5f481d60ed7c9a03717162262483fc6c7d36e89fa74429cdadeaa8e7f5d0245ba

Download Submit