3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe
Size

7.7MB
MD5

2462e60f3297d545c5ed7e76ccb42ce3
SHA1

2fe9fcf87ce4c56257106affe08e7b0959de2be0
SHA256

3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c
SHA512

b2bfa7ff2f418b5b7ec1016af7e400c075c737aa040a42341f5f91288bc634cd33b1cdeb87b0770c64038012ae480f39ae15bbd8c1053b676f4a24769bba55c1
SSDEEP

98304:52caRVJt7QE+M0ydCvnySGijMKm8KYC4ScmBLvrkbo5DN1tZ:5U3l17C/VGMC4ShLvr0o5DN13

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1324	OracleDesktop-ver9.1.2.6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OracleDesktop-ver9.1.2.6 = "C:\\ProgramData\\OracleDesktop-ver9.1.2.6\\OracleDesktop-ver9.1.2.6.exe"	3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1324	3620	3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe	84
PID 3620 wrote to memory of 1324	3620	3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe	84

C:\Users\Admin\AppData\Local\Temp\3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe
"C:\Users\Admin\AppData\Local\Temp\3a01e2ecbaf1fbc211c3028a439c2a5cf1ce613452409a7a4f7ef18aaa9d0a0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3620
- C:\ProgramData\OracleDesktop-ver9.1.2.6\OracleDesktop-ver9.1.2.6.exe
  C:\ProgramData\OracleDesktop-ver9.1.2.6\OracleDesktop-ver9.1.2.6.exe
  2⤵
  - Executes dropped EXE
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OracleDesktop-ver9.1.2.6\OracleDesktop-ver9.1.2.6.exe

Filesize
757.7MB

MD5
082a5f89b857d4aa91a8ded04476e6cd

SHA1
7bf265d8c93d5f2cd8baf5534f9accb33feb3c54

SHA256
aa0913fb17e32ad8bacdce152293f87bfbd783c868d5f112c5c1eafc851e96b4

SHA512
17e486b321d408f714f6b84388b1290de7037e7b2e7ee1e7f28627fc56fc79983ed22228d03f8c859545812fb46be6f8512c9343f029ba71e35f3e249c24eb54

Download Submit
C:\ProgramData\OracleDesktop-ver9.1.2.6\OracleDesktop-ver9.1.2.6.exe

Filesize
757.7MB

MD5
082a5f89b857d4aa91a8ded04476e6cd

SHA1
7bf265d8c93d5f2cd8baf5534f9accb33feb3c54

SHA256
aa0913fb17e32ad8bacdce152293f87bfbd783c868d5f112c5c1eafc851e96b4

SHA512
17e486b321d408f714f6b84388b1290de7037e7b2e7ee1e7f28627fc56fc79983ed22228d03f8c859545812fb46be6f8512c9343f029ba71e35f3e249c24eb54

Download Submit
memory/1324-141-0x00007FF6BC9A0000-0x00007FF6BD161000-memory.dmp

Filesize
7.8MB

Download
memory/3620-133-0x00007FF705FA0000-0x00007FF706761000-memory.dmp

Filesize
7.8MB

Download