Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
11-04-2022 02:59
Static task
static1
Behavioral task
behavioral1
Sample
asdf.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
asdf.exe
Resource
win10v2004-20220331-en
General
-
Target
asdf.exe
-
Size
868KB
-
MD5
f9af0046085177c4ae153bd1eacde3e8
-
SHA1
4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
-
SHA256
857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
-
SHA512
f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
Malware Config
Extracted
oski
pretorian.ug
Extracted
azorult
http://195.245.112.115/index.php
Extracted
raccoon
125d9f8ed76e486f6563be097a710bd4cba7f7f2
-
url4cnc
http://5.252.178.180/brikitiki
https://t.me/brikitiki
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Executes dropped EXE 4 IoCs
Processes:
Dbvsdfe.exedfgasdme.exeDbvsdfe.exedfgasdme.exepid process 2972 Dbvsdfe.exe 1288 dfgasdme.exe 920 Dbvsdfe.exe 3736 dfgasdme.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
asdf.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation asdf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
Dbvsdfe.exeasdf.exedfgasdme.exedescription pid process target process PID 2972 set thread context of 920 2972 Dbvsdfe.exe Dbvsdfe.exe PID 1600 set thread context of 216 1600 asdf.exe asdf.exe PID 1288 set thread context of 3736 1288 dfgasdme.exe dfgasdme.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4292 920 WerFault.exe Dbvsdfe.exe 4500 216 WerFault.exe asdf.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
Dbvsdfe.exeasdf.exedfgasdme.exepid process 2972 Dbvsdfe.exe 1600 asdf.exe 1288 dfgasdme.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
asdf.exeDbvsdfe.exedfgasdme.exepid process 1600 asdf.exe 2972 Dbvsdfe.exe 1288 dfgasdme.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
asdf.exeDbvsdfe.exedfgasdme.exedescription pid process target process PID 1600 wrote to memory of 2972 1600 asdf.exe Dbvsdfe.exe PID 1600 wrote to memory of 2972 1600 asdf.exe Dbvsdfe.exe PID 1600 wrote to memory of 2972 1600 asdf.exe Dbvsdfe.exe PID 1600 wrote to memory of 1288 1600 asdf.exe dfgasdme.exe PID 1600 wrote to memory of 1288 1600 asdf.exe dfgasdme.exe PID 1600 wrote to memory of 1288 1600 asdf.exe dfgasdme.exe PID 2972 wrote to memory of 920 2972 Dbvsdfe.exe Dbvsdfe.exe PID 2972 wrote to memory of 920 2972 Dbvsdfe.exe Dbvsdfe.exe PID 2972 wrote to memory of 920 2972 Dbvsdfe.exe Dbvsdfe.exe PID 2972 wrote to memory of 920 2972 Dbvsdfe.exe Dbvsdfe.exe PID 1600 wrote to memory of 216 1600 asdf.exe asdf.exe PID 1600 wrote to memory of 216 1600 asdf.exe asdf.exe PID 1600 wrote to memory of 216 1600 asdf.exe asdf.exe PID 1600 wrote to memory of 216 1600 asdf.exe asdf.exe PID 1288 wrote to memory of 3736 1288 dfgasdme.exe dfgasdme.exe PID 1288 wrote to memory of 3736 1288 dfgasdme.exe dfgasdme.exe PID 1288 wrote to memory of 3736 1288 dfgasdme.exe dfgasdme.exe PID 1288 wrote to memory of 3736 1288 dfgasdme.exe dfgasdme.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 13444⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 12043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 920 -ip 9201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 216 -ip 2161⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeFilesize
212KB
MD53466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeFilesize
212KB
MD53466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeFilesize
212KB
MD53466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeFilesize
164KB
MD5bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeFilesize
164KB
MD5bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeFilesize
164KB
MD5bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
memory/216-139-0x0000000000000000-mapping.dmp
-
memory/216-144-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/920-136-0x0000000000000000-mapping.dmp
-
memory/920-142-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/1288-130-0x0000000000000000-mapping.dmp
-
memory/2972-138-0x0000000002090000-0x0000000002096000-memory.dmpFilesize
24KB
-
memory/2972-126-0x0000000000000000-mapping.dmp
-
memory/3736-140-0x0000000000000000-mapping.dmp
-
memory/3736-143-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB