Overview

overview

10

Static

static

evtrbz5n6um7j54g7.exe

windows7_x64

10

evtrbz5n6um7j54g7.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08-07-2020 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    evtrbz5n6um7j54g7.exe

  • Size

    1.4MB

  • MD5

    5de08824a170627fed763ecbcbf60290

  • SHA1

    57a2d4ff47c401e2619ba8626a8c91c6b34377b6

  • SHA256

    69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c

  • SHA512

    08f3f322e12c7c5d51028254208fda2763d5029d4d4bfb10cc31b2712cc659c7ffdfe1665efae40f4b55639d80ba7ca47a16ddfbc437397b03d56f8c6e81277c

Score
10/10
azorultoskiraccoondiscoveryevasioninfostealerransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note
[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.07.08 - 17:19:53 GMT Bot_ID: 3E009A64-65D7-465C-9098-F2673DD3F416_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: OWZMOTQA - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (695 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon log file 1 IoCs

    Detects a log file produced by the Raccoon Stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe
    "C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
      "C:\Users\Admin\AppData\Local\Temp\HJnbva.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\HJnbva.exe
        "C:\Users\Admin\AppData\Local\Temp\HJnbva.exe"
        3⤵
        • Executes dropped EXE
        PID:1016
    • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
      "C:\Users\Admin\AppData\Local\Temp\IOmsda.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Local\Temp\IOmsda.exe
        "C:\Users\Admin\AppData\Local\Temp\IOmsda.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /pid 3956 & erase C:\Users\Admin\AppData\Local\Temp\IOmsda.exe & RD /S /Q C:\\ProgramData\\228750629465680\\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:500
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /pid 3956
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:664
    • C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe
      "C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe"
      2⤵
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Local\Temp\6szqoNQkJU.exe
        "C:\Users\Admin\AppData\Local\Temp\6szqoNQkJU.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3832
        • C:\Windows\SysWOW64\TapiUnattend.exe
          "C:\Windows\System32\TapiUnattend.exe"
          4⤵
            PID:3888
        • C:\Users\Admin\AppData\Local\Temp\ayEfG1mF0D.exe
          "C:\Users\Admin\AppData\Local\Temp\ayEfG1mF0D.exe"
          3⤵
          • Executes dropped EXE
          PID:3820
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1136
            4⤵
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            PID:352
        • C:\Users\Admin\AppData\Local\Temp\pMcxbziCBw.exe
          "C:\Users\Admin\AppData\Local\Temp\pMcxbziCBw.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:2856
          • C:\Users\Admin\AppData\Local\Temp\pMcxbziCBw.exe
            "{path}"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3592
            • \??\c:\windows\SysWOW64\cmstp.exe
              "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\uknv4j2j.inf
              5⤵
                PID:2288
          • C:\Users\Admin\AppData\Local\Temp\oab9exiVqG.exe
            "C:\Users\Admin\AppData\Local\Temp\oab9exiVqG.exe"
            3⤵
            • Executes dropped EXE
            PID:2644
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1136
              4⤵
              • Program crash
              • Suspicious use of AdjustPrivilegeToken
              PID:1128
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\evtrbz5n6um7j54g7.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\SysWOW64\timeout.exe
              timeout /T 10 /NOBREAK
              4⤵
              • Delays execution with timeout.exe
              PID:2860
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        1⤵
          PID:1044
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c start C:\Windows\temp\yygp3zyv.exe
            2⤵
              PID:1080
              • C:\Windows\temp\yygp3zyv.exe
                C:\Windows\temp\yygp3zyv.exe
                3⤵
                • Executes dropped EXE
                PID:4112
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Get-MpPreference -verbose
                  4⤵
                    PID:4164
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /IM cmstp.exe /F
                2⤵
                • Kills process with taskkill
                PID:4232

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/352-104-0x0000000004890000-0x0000000004891000-memory.dmp

              Filesize

              4KB

              Download

            • memory/352-135-0x0000000005050000-0x0000000005051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1016-12-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1016-18-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/1128-108-0x0000000004700000-0x0000000004701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1128-105-0x0000000004700000-0x0000000004701000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1128-136-0x0000000004A00000-0x0000000004A01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2288-118-0x0000000004DB0000-0x0000000004EB1000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/2900-17-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

              Download

            • memory/2900-10-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

              Download

            • memory/3592-88-0x0000000000400000-0x000000000040C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3956-19-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/3956-22-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download