Analysis
-
max time kernel
120s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
11-04-2022 02:59
Static task
static1
Behavioral task
behavioral1
Sample
asdfg.exe
Resource
win7-20220331-en
Behavioral task
behavioral2
Sample
asdfg.exe
Resource
win10v2004-20220310-en
General
-
Target
asdfg.exe
-
Size
868KB
-
MD5
f9af0046085177c4ae153bd1eacde3e8
-
SHA1
4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
-
SHA256
857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
-
SHA512
f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
raccoon
125d9f8ed76e486f6563be097a710bd4cba7f7f2
-
url4cnc
http://5.252.178.180/brikitiki
https://t.me/brikitiki
Extracted
oski
pretorian.ug
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Executes dropped EXE 4 IoCs
Processes:
Dbvsdfe.exedfgasdme.exedfgasdme.exeDbvsdfe.exepid process 5004 Dbvsdfe.exe 4892 dfgasdme.exe 3756 dfgasdme.exe 2744 Dbvsdfe.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
asdfg.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation asdfg.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
dfgasdme.exeasdfg.exeDbvsdfe.exedescription pid process target process PID 4892 set thread context of 3756 4892 dfgasdme.exe dfgasdme.exe PID 3080 set thread context of 4020 3080 asdfg.exe asdfg.exe PID 5004 set thread context of 2744 5004 Dbvsdfe.exe Dbvsdfe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3096 2744 WerFault.exe Dbvsdfe.exe 2760 4020 WerFault.exe asdfg.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
dfgasdme.exeasdfg.exeDbvsdfe.exepid process 4892 dfgasdme.exe 3080 asdfg.exe 5004 Dbvsdfe.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
asdfg.exeDbvsdfe.exedfgasdme.exepid process 3080 asdfg.exe 5004 Dbvsdfe.exe 4892 dfgasdme.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
asdfg.exedfgasdme.exeDbvsdfe.exedescription pid process target process PID 3080 wrote to memory of 5004 3080 asdfg.exe Dbvsdfe.exe PID 3080 wrote to memory of 5004 3080 asdfg.exe Dbvsdfe.exe PID 3080 wrote to memory of 5004 3080 asdfg.exe Dbvsdfe.exe PID 3080 wrote to memory of 4892 3080 asdfg.exe dfgasdme.exe PID 3080 wrote to memory of 4892 3080 asdfg.exe dfgasdme.exe PID 3080 wrote to memory of 4892 3080 asdfg.exe dfgasdme.exe PID 4892 wrote to memory of 3756 4892 dfgasdme.exe dfgasdme.exe PID 4892 wrote to memory of 3756 4892 dfgasdme.exe dfgasdme.exe PID 4892 wrote to memory of 3756 4892 dfgasdme.exe dfgasdme.exe PID 4892 wrote to memory of 3756 4892 dfgasdme.exe dfgasdme.exe PID 3080 wrote to memory of 4020 3080 asdfg.exe asdfg.exe PID 3080 wrote to memory of 4020 3080 asdfg.exe asdfg.exe PID 3080 wrote to memory of 4020 3080 asdfg.exe asdfg.exe PID 3080 wrote to memory of 4020 3080 asdfg.exe asdfg.exe PID 5004 wrote to memory of 2744 5004 Dbvsdfe.exe Dbvsdfe.exe PID 5004 wrote to memory of 2744 5004 Dbvsdfe.exe Dbvsdfe.exe PID 5004 wrote to memory of 2744 5004 Dbvsdfe.exe Dbvsdfe.exe PID 5004 wrote to memory of 2744 5004 Dbvsdfe.exe Dbvsdfe.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdfg.exe"C:\Users\Admin\AppData\Local\Temp\asdfg.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 13324⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\asdfg.exe"C:\Users\Admin\AppData\Local\Temp\asdfg.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 5883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2744 -ip 27441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4020 -ip 40201⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeFilesize
212KB
MD53466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeFilesize
212KB
MD53466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeFilesize
212KB
MD53466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeFilesize
164KB
MD5bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeFilesize
164KB
MD5bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeFilesize
164KB
MD5bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
memory/2744-154-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2744-151-0x0000000000000000-mapping.dmp
-
memory/3756-146-0x0000000000000000-mapping.dmp
-
memory/3756-150-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4020-148-0x0000000000000000-mapping.dmp
-
memory/4020-153-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/4892-140-0x0000000000000000-mapping.dmp
-
memory/4892-149-0x0000000002080000-0x0000000002086000-memory.dmpFilesize
24KB
-
memory/5004-136-0x0000000000000000-mapping.dmp