a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932

Analysis

max time kernel
109s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe
Size

7.0MB
MD5

f420c1c9bff54eaef7806384c3a323bf
SHA1

414231deeaff7644b3e47dc45bf8e9428996afc9
SHA256

a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932
SHA512

628f8b9aed7de8b352623894a61f229bbb85948cd1e53279c093645b0f6f87aa434e6a7d99074ea314d5d79de846d7166e18d2ca6fc9d090a8b1ae3004038e32
SSDEEP

98304:dE2ekK2RGHX68ibmfOVcuI3czHjlxkEZsLcb++p3HW+npxYjxI7Fq:7QIG3+sOVlzDnRM+R2mxsxU

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OracleAdobe-2KM0.6.8.4.exe

pid process

3376 OracleAdobe-2KM0.6.8.4.exe

pid	process
3376	OracleAdobe-2KM0.6.8.4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OracleAdobe-2KM0.6.8.4 = "C:\\ProgramData\\OracleAdobe-2KM0.6.8.4\\OracleAdobe-2KM0.6.8.4.exe"	a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe

description	pid	process	target process
PID 1176 wrote to memory of 3376	1176	a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe	OracleAdobe-2KM0.6.8.4.exe
PID 1176 wrote to memory of 3376	1176	a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe	OracleAdobe-2KM0.6.8.4.exe

C:\Users\Admin\AppData\Local\Temp\a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe
"C:\Users\Admin\AppData\Local\Temp\a5050731b7b67eed2776b246b06690ba62372547ea9ee304abb21494302c5932.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176

C:\ProgramData\OracleAdobe-2KM0.6.8.4\OracleAdobe-2KM0.6.8.4.exe
C:\ProgramData\OracleAdobe-2KM0.6.8.4\OracleAdobe-2KM0.6.8.4.exe
2⤵
- Executes dropped EXE
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OracleAdobe-2KM0.6.8.4\OracleAdobe-2KM0.6.8.4.exe
Filesize
757.0MB

MD5
672446fe3d27e8e5d35578c699dd4023

SHA1
508c8a4d9ad8e5241adc3f8160db7ae5217260dc

SHA256
e5d3b63b4bdb31257796117143aefebe30bad36f2d7596c97cfe5f8a9715f4d9

SHA512
a01dfd642dc37b6a6a2fc777b61773c6e44cf7186d571e328ba7a743f7f361781e899a25df263c350026076c7d7529e5ad64a9eb03324db6cd46d4335b631e19

Download Submit
C:\ProgramData\OracleAdobe-2KM0.6.8.4\OracleAdobe-2KM0.6.8.4.exe
Filesize
757.0MB

MD5
672446fe3d27e8e5d35578c699dd4023

SHA1
508c8a4d9ad8e5241adc3f8160db7ae5217260dc

SHA256
e5d3b63b4bdb31257796117143aefebe30bad36f2d7596c97cfe5f8a9715f4d9

SHA512
a01dfd642dc37b6a6a2fc777b61773c6e44cf7186d571e328ba7a743f7f361781e899a25df263c350026076c7d7529e5ad64a9eb03324db6cd46d4335b631e19

Download Submit
memory/1176-133-0x00007FF7FE7A0000-0x00007FF7FEEA0000-memory.dmp

Filesize
7.0MB

Download
memory/3376-138-0x00007FF728980000-0x00007FF729080000-memory.dmp

Filesize
7.0MB

Download