Overview

overview

10

Static

static

evtrbz5n6um7j54g7.exe

windows7_x64

10

evtrbz5n6um7j54g7.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08-07-2020 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    evtrbz5n6um7j54g7.exe

  • Size

    1.4MB

  • MD5

    5de08824a170627fed763ecbcbf60290

  • SHA1

    57a2d4ff47c401e2619ba8626a8c91c6b34377b6

  • SHA256

    69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c

  • SHA512

    08f3f322e12c7c5d51028254208fda2763d5029d4d4bfb10cc31b2712cc659c7ffdfe1665efae40f4b55639d80ba7ca47a16ddfbc437397b03d56f8c6e81277c

Score
10/10
azorultoskiraccoondiscoveryinfostealerransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.07.08 - 17:19:05 GMT Bot_ID: 3E009A64-65D7-465C-9098-F2673DD3F416_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: OWZMOTQA - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (727 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon log file 1 IoCs

    Detects a log file produced by the Raccoon Stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe
    "C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
      "C:\Users\Admin\AppData\Local\Temp\HJnbva.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
        "C:\Users\Admin\AppData\Local\Temp\HJnbva.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Users\Admin\AppData\Local\Temp\rc.exe
          "C:\Users\Admin\AppData\Local\Temp\rc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\TapiUnattend.exe
            "C:\Windows\System32\TapiUnattend.exe"
            5⤵
              PID:3608
          • C:\Users\Admin\AppData\Local\Temp\ac.exe
            "C:\Users\Admin\AppData\Local\Temp\ac.exe"
            4⤵
            • Executes dropped EXE
            PID:1344
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KahrGgYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22EA.tmp"
              5⤵
              • Creates scheduled task(s)
              PID:3804
          • C:\Users\Admin\AppData\Local\Temp\ds1.exe
            "C:\Users\Admin\AppData\Local\Temp\ds1.exe"
            4⤵
            • Executes dropped EXE
            PID:1860
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1152
              5⤵
              • Program crash
              PID:700
          • C:\Users\Admin\AppData\Local\Temp\ds2.exe
            "C:\Users\Admin\AppData\Local\Temp\ds2.exe"
            4⤵
            • Executes dropped EXE
            PID:3688
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1144
              5⤵
              • Program crash
              PID:2488
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "HJnbva.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3872
            • C:\Windows\SysWOW64\timeout.exe
              C:\Windows\system32\timeout.exe 3
              5⤵
              • Delays execution with timeout.exe
              PID:2712
      • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
        "C:\Users\Admin\AppData\Local\Temp\IOmsda.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
          "C:\Users\Admin\AppData\Local\Temp\IOmsda.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c taskkill /pid 2128 & erase C:\Users\Admin\AppData\Local\Temp\IOmsda.exe & RD /S /Q C:\\ProgramData\\701895754257023\\* & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /pid 2128
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3536
      • C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe
        "C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe"
        2⤵
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Users\Admin\AppData\Local\Temp\nsMLailNiH.exe
          "C:\Users\Admin\AppData\Local\Temp\nsMLailNiH.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\SysWOW64\TapiUnattend.exe
            "C:\Windows\System32\TapiUnattend.exe"
            4⤵
              PID:1608
          • C:\Users\Admin\AppData\Local\Temp\kA1gdj1bAN.exe
            "C:\Users\Admin\AppData\Local\Temp\kA1gdj1bAN.exe"
            3⤵
            • Executes dropped EXE
            PID:1180
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1144
              4⤵
              • Program crash
              PID:3888
          • C:\Users\Admin\AppData\Local\Temp\jGBzqvMVKp.exe
            "C:\Users\Admin\AppData\Local\Temp\jGBzqvMVKp.exe"
            3⤵
            • Executes dropped EXE
            PID:1552
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1136
              4⤵
              • Program crash
              PID:1612
          • C:\Users\Admin\AppData\Local\Temp\2Yd3RFR8fL.exe
            "C:\Users\Admin\AppData\Local\Temp\2Yd3RFR8fL.exe"
            3⤵
            • Executes dropped EXE
            PID:1364
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1144
              4⤵
              • Program crash
              PID:4076
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\SysWOW64\timeout.exe
              timeout /T 10 /NOBREAK
              4⤵
              • Delays execution with timeout.exe
              PID:3516

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_96CC490FC85792EAB20DD5F9AF554683
        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_9EE7133AC2D9989D5C3EFB320ED28F54
        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_96CC490FC85792EAB20DD5F9AF554683
        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_9EE7133AC2D9989D5C3EFB320ED28F54
        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V43BD2QR.cookie
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2Yd3RFR8fL.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2Yd3RFR8fL.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ac.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ac.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ds1.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ds1.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ds2.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ds2.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jGBzqvMVKp.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jGBzqvMVKp.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kA1gdj1bAN.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kA1gdj1bAN.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsMLailNiH.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsMLailNiH.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rc.exe
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rc.exe
        Download Submit

      • \ProgramData\mozglue.dll
        Download Submit

      • \ProgramData\nss3.dll
        MD5

        bfac4e3c5908856ba17d41edcd455a51

        SHA1

        8eec7e888767aa9e4cca8ff246eb2aacb9170428

        SHA256

        e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

        SHA512

        2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

        Download Submit

      • \ProgramData\sqlite3.dll
        Download Submit

      • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
        Download Submit

      • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
        Download Submit

      • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
        Download Submit

      • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
        MD5

        02cc7b8ee30056d5912de54f1bdfc219

        SHA1

        a6923da95705fb81e368ae48f93d28522ef552fb

        SHA256

        1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

        SHA512

        0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

        Download Submit

      • \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
        Download Submit

      • \Users\Admin\AppData\LocalLow\sqlite3.dll
        Download Submit

      • \Users\Admin\AppData\Local\Temp\EECE9D71\mozglue.dll
        Download Submit

      • \Users\Admin\AppData\Local\Temp\EECE9D71\msvcp140.dll
        Download Submit

      • \Users\Admin\AppData\Local\Temp\EECE9D71\nss3.dll
        MD5

        556ea09421a0f74d31c4c0a89a70dc23

        SHA1

        f739ba9b548ee64b13eb434a3130406d23f836e3

        SHA256

        f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

        SHA512

        2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

        Download Submit

      • \Users\Admin\AppData\Local\Temp\EECE9D71\vcruntime140.dll
        Download Submit

      • \Users\Admin\AppData\Local\Temp\EECE9D71\vcruntime140.dll
        Download Submit

      • \Users\Admin\AppData\Local\Temp\EECE9D71\vcruntime140.dll
        Download Submit

      • memory/700-113-0x0000000000000000-mapping.dmp

        Download

      • memory/1180-49-0x0000000000000000-mapping.dmp

        Download

      • memory/1344-55-0x0000000000000000-mapping.dmp

        Download

      • memory/1364-62-0x0000000000000000-mapping.dmp

        Download

      • memory/1440-2-0x0000000000000000-mapping.dmp

        Download

      • memory/1548-5-0x0000000000000000-mapping.dmp

        Download

      • memory/1552-57-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-86-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-98-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-100-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-92-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-106-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-115-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-90-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-88-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-96-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-104-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-102-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-109-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-84-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-118-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-82-0x0000000000000000-mapping.dmp

        Download

      • memory/1608-94-0x0000000000000000-mapping.dmp

        Download

      • memory/1612-110-0x0000000000000000-mapping.dmp

        Download

      • memory/1692-11-0x000000000043FA98-mapping.dmp

        Download

      • memory/1692-10-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1692-16-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1708-52-0x0000000000000000-mapping.dmp

        Download

      • memory/1860-61-0x0000000000000000-mapping.dmp

        Download

      • memory/1880-15-0x000000000041A684-mapping.dmp

        Download

      • memory/1880-18-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1880-13-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2128-19-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2128-20-0x000000000040717B-mapping.dmp

        Download

      • memory/2128-22-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2268-64-0x0000000000000000-mapping.dmp

        Download

      • memory/2488-114-0x0000000000000000-mapping.dmp

        Download

      • memory/2712-74-0x0000000000000000-mapping.dmp

        Download

      • memory/3504-44-0x0000000000000000-mapping.dmp

        Download

      • memory/3516-71-0x0000000000000000-mapping.dmp

        Download

      • memory/3536-45-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-87-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-89-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-97-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-101-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-95-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-103-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-93-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-105-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-91-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-107-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-119-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-99-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-85-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-111-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-83-0x0000000000000000-mapping.dmp

        Download

      • memory/3608-116-0x0000000000000000-mapping.dmp

        Download

      • memory/3688-68-0x0000000000000000-mapping.dmp

        Download

      • memory/3792-46-0x0000000000000000-mapping.dmp

        Download

      • memory/3804-117-0x0000000000000000-mapping.dmp

        Download

      • memory/3872-72-0x0000000000000000-mapping.dmp

        Download

      • memory/3888-112-0x0000000000000000-mapping.dmp

        Download

      • memory/4076-108-0x0000000000000000-mapping.dmp

        Download