Analysis
- max time kernel: 15s
- max time network: 69s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-12-2020 19:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0ae0de96557c8b19cd5afe41809fcb77.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0ae0de96557c8b19cd5afe41809fcb77.exe
  Resource: win10v20201028
General
- Target: 0ae0de96557c8b19cd5afe41809fcb77.exe
- Size: 1017KB
- MD5: 0ae0de96557c8b19cd5afe41809fcb77
- SHA1: 7103096815e873d2d232be82cbe0f947de1fd60b
- SHA256: 50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6
- SHA512: 2e749b3f63a836156449c0adc9ab6cdd3755ec438432ca681f40b6e1cf66157a8ec813053b08c65540eaa9e09d211de5f562eaebdd4a7462696e1390fafaa9dd
Malware Config
Extracted: raccoon
- e46b687ebd2ee58509e772fb3a53ac789365d90b
- url4cnc: https://telete.in/brikitiki
Extracted: azorult
- http://195.245.112.115/index.php
Extracted: oski
- gfbrice.ac.ug
Signatures
- Azorult
  An information stealer first discovered in 2016, targeting browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Executes dropped EXE (4 IoCs)
  Processes:
  pid   process
  3328  bgfhFcvb.exe
  4052  bngfDFrev.exe
  1404  bgfhFcvb.exe
  3612  bngfDFrev.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes:
  pid   process
  2504  0ae0de96557c8b19cd5afe41809fcb77.exe
  2504  0ae0de96557c8b19cd5afe41809fcb77.exe
  1404  bgfhFcvb.exe
  1404  bgfhFcvb.exe
  3612  bngfDFrev.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description                          pid   process                               target process
  PID 984 set thread context of 2504   984   0ae0de96557c8b19cd5afe41809fcb77.exe  0ae0de96557c8b19cd5afe41809fcb77.exe
  PID 3328 set thread context of 1404  3328  bgfhFcvb.exe                          bgfhFcvb.exe
  PID 4052 set thread context of 3612  4052  bngfDFrev.exe                         bngfDFrev.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes:
  pid   process
  984   0ae0de96557c8b19cd5afe41809fcb77.exe
  3328  bgfhFcvb.exe
  4052  bngfDFrev.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid   process
  984   0ae0de96557c8b19cd5afe41809fcb77.exe
  3328  bgfhFcvb.exe
  4052  bngfDFrev.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description                     pid   process                               target process
  PID 984 wrote to memory of 3328   984   0ae0de96557c8b19cd5afe41809fcb77.exe  bgfhFcvb.exe
  PID 984 wrote to memory of 3328   984   0ae0de96557c8b19cd5afe41809fcb77.exe  bgfhFcvb.exe
  PID 984 wrote to memory of 3328   984   0ae0de96557c8b19cd5afe41809fcb77.exe  bgfhFcvb.exe
  PID 984 wrote to memory of 4052   984   0ae0de96557c8b19cd5afe41809fcb77.exe  bngfDFrev.exe
  PID 984 wrote to memory of 4052   984   0ae0de96557c8b19cd5afe41809fcb77.exe  bngfDFrev.exe
  PID 984 wrote to memory of 4052   984   0ae0de96557c8b19cd5afe41809fcb77.exe  bngfDFrev.exe
  PID 984 wrote to memory of 2504   984   0ae0de96557c8b19cd5afe41809fcb77.exe  0ae0de96557c8b19cd5afe41809fcb77.exe
  PID 984 wrote to memory of 2504   984   0ae0de96557c8b19cd5afe41809fcb77.exe  0ae0de96557c8b19cd5afe41809fcb77.exe
  PID 984 wrote to memory of 2504   984   0ae0de96557c8b19cd5afe41809fcb77.exe  0ae0de96557c8b19cd5afe41809fcb77.exe
  PID 984 wrote to memory of 2504   984   0ae0de96557c8b19cd5afe41809fcb77.exe  0ae0de96557c8b19cd5afe41809fcb77.exe
  PID 3328 wrote to memory of 1404  3328  bgfhFcvb.exe                          bgfhFcvb.exe
  PID 3328 wrote to memory of 1404  3328  bgfhFcvb.exe                          bgfhFcvb.exe
  PID 3328 wrote to memory of 1404  3328  bgfhFcvb.exe                          bgfhFcvb.exe
  PID 3328 wrote to memory of 1404  3328  bgfhFcvb.exe                          bgfhFcvb.exe
  PID 4052 wrote to memory of 3612  4052  bngfDFrev.exe                         bngfDFrev.exe
  PID 4052 wrote to memory of 3612  4052  bngfDFrev.exe                         bngfDFrev.exe
  PID 4052 wrote to memory of 3612  4052  bngfDFrev.exe                         bngfDFrev.exe
  PID 4052 wrote to memory of 3612  4052  bngfDFrev.exe                         bngfDFrev.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe
  MD5: 034b19cb876079dbb221b6c7d22aabf5
  SHA1: f88c8b816cb35822fdca705ff3a5e092a48adbb7
  SHA256: 6fa5518df102c05c34000950d4ae0daf7dc30ad34c70cb7bb98b6d382f5ced0d
  SHA512: a93eba7f4829ba6d7ef4d1c1f7a54af2776a83091453e3971dc05621de747d9511e87197dcc06059dee22c08489af428f59a37a90c4efb9d22a43c1085ecda61
- C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe
  MD5: dc201e0fdd90efdd50b7acd42f0a64f9
  SHA1: a1d216b54481a36636c50f1b14307e098da9a9b8
  SHA256: f0ebc641ddd2dc42ada732ad2a685fd2c2fbd575ac9140f539ad72c642badfd8
  SHA512: daf8cecc8600a08d1770339a64fd0805bf915dfa9f9dc3599b1bed1c7c031910a0aa18f974c639cde1395a1647069898d35acfd0e8f1253d854ee95fd4ea0ffe
- memory/1404-17-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/1404-20-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/1404-18-0x000000000041A684-mapping.dmp
- memory/2504-15-0x000000000043FA56-mapping.dmp
- memory/2504-16-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/2504-14-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/3328-4-0x0000000000000000-mapping.dmp
- memory/3612-21-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/3612-22-0x0000000000417A8B-mapping.dmp
- memory/3612-24-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB
- memory/4052-8-0x0000000000000000-mapping.dmp