Overview

overview

10

Static

static

dc3171271a...e8.exe

windows7_x64

10

dc3171271a...e8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-05-2022 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe

  • Size

    1.8MB

  • MD5

    92821d6dd83105f5f2d08c43f28fa309

  • SHA1

    93c72e2494705509b56ca93cea2448aff098cb6d

  • SHA256

    dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8

  • SHA512

    47c3a27b5a9fa6273d779ed8afffeb2bbbecab6420708f0ca36629932e1d910e06297839ca39ec01fe7e975a52ed12aaa0e781f5112870e1b7621722e1808c08

Score
10/10
azorultoskiraccooncf43f57ef5d1c064538f5f9d27891dc66c96dad8infostealerspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

cf43f57ef5d1c064538f5f9d27891dc66c96dad8

Attributes
  • url4cnc

    https://telete.in/brikitiki

rc4.plain
rc4.plain

Extracted

Family

oski

C2

nadia.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
    "C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
      "C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
        "C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
        3⤵
        • Executes dropped EXE
        PID:1200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1316
          4⤵
          • Program crash
          PID:2960
    • C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
      "C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
        "C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
        3⤵
        • Executes dropped EXE
        PID:4440
    • C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
      "C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
      2⤵
        PID:4452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1200 -ip 1200
      1⤵
        PID:820

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
        Filesize

        540KB

        MD5

        385e5b97d97b89cacff3594eafeb0e5e

        SHA1

        70e73110860c36c83c504f4804e3cebde2a618a1

        SHA256

        7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

        SHA512

        f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
        Filesize

        540KB

        MD5

        385e5b97d97b89cacff3594eafeb0e5e

        SHA1

        70e73110860c36c83c504f4804e3cebde2a618a1

        SHA256

        7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

        SHA512

        f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
        Filesize

        540KB

        MD5

        385e5b97d97b89cacff3594eafeb0e5e

        SHA1

        70e73110860c36c83c504f4804e3cebde2a618a1

        SHA256

        7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

        SHA512

        f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
        Filesize

        492KB

        MD5

        35bccedd18360d94a33d86c09af8480c

        SHA1

        013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

        SHA256

        ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

        SHA512

        31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
        Filesize

        492KB

        MD5

        35bccedd18360d94a33d86c09af8480c

        SHA1

        013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

        SHA256

        ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

        SHA512

        31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
        Filesize

        492KB

        MD5

        35bccedd18360d94a33d86c09af8480c

        SHA1

        013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

        SHA256

        ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

        SHA512

        31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

        Download Submit
      • memory/1200-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1200-149-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2272-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4440-148-0x0000000000000000-mapping.dmp
        Download
      • memory/4440-151-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4452-142-0x0000000000000000-mapping.dmp
        Download
      • memory/4452-147-0x0000000000400000-0x0000000000493000-memory.dmp
        Filesize

        588KB

        Download
      • memory/4604-145-0x0000000003760000-0x0000000003768000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4728-146-0x0000000002940000-0x0000000002948000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4728-135-0x0000000000000000-mapping.dmp
        Download