Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 11-05-2022 23:13
Static task: static1
Behavioral task: behavioral1
  Sample: dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
  Resource: win10v2004-20220414-en
(The signatures and memory dumps below come from the behavioral2 run on windows10-2004_x64.)
General
Target: dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
Size: 1.8MB
MD5: 92821d6dd83105f5f2d08c43f28fa309
SHA1: 93c72e2494705509b56ca93cea2448aff098cb6d
SHA256: dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8
SHA512: 47c3a27b5a9fa6273d779ed8afffeb2bbbecab6420708f0ca36629932e1d910e06297839ca39ec01fe7e975a52ed12aaa0e781f5112870e1b7621722e1808c08
Malware Config
Three stealer configurations were extracted from one sample: a single dropper carrying Raccoon, Oski and Azorult payloads.
Extracted: raccoon
  cf43f57ef5d1c064538f5f9d27891dc66c96dad8
  url4cnc: https://telete.in/brikitiki
  (url4cnc is the Telegram-channel lookup Raccoon uses to resolve its real C2 address; telete.in is a Telegram web mirror, so block or alert on the channel URL rather than only the domain.)
Extracted: oski
  C2: nadia.ac.ug
Extracted: azorult
  C2: http://195.245.112.115/index.php
Signatures
Azorult
  An information stealer first seen in 2016, targeting browsing history and saved passwords.
Oski
  An infostealer targeting browser data and cryptocurrency wallets.
Raccoon Stealer Payload (1 IoC)
  resource: behavioral2/memory/4452-147-0x0000000000400000-0x0000000000493000-memory.dmp
  yara_rule: family_raccoon
Executes dropped EXE (4 IoCs)
  pid   process
  2272  FVjhgtresfdbv.exe
  4728  NHtrdsaghfDF.exe
  1200  FVjhgtresfdbv.exe
  4440  NHtrdsaghfDF.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  process: dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Suspicious use of SetThreadContext (3 IoCs)
  description         pid   process                                                                   target pid  target process
  set thread context  4604  dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe  4452        dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
  set thread context  2272  FVjhgtresfdbv.exe                                                         1200        FVjhgtresfdbv.exe
  set thread context  4728  NHtrdsaghfDF.exe                                                          4440        NHtrdsaghfDF.exe
  Each parent redirects a thread in a second instance of its own image: the process-hollowing pattern. The family_raccoon YARA hit above is in the memory of 4452, the hollowed child of the main sample.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but every family identified on this page is an infostealer; drive enumeration is equally consistent with a stealer walking fixed and removable drives for files to collect. Treat the signature as generic.
Program crash (1 IoC)
  pid   pid_target  process       target process
  2960  1200        WerFault.exe  FVjhgtresfdbv.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
  pid   process
  4604  dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
  2272  FVjhgtresfdbv.exe
  4728  NHtrdsaghfDF.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  4604  dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
  2272  FVjhgtresfdbv.exe
  4728  NHtrdsaghfDF.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  The sandbox logs one row per call; identical rows are merged here with a count (3+3+4+4+4 = 18).
  description      pid   process                                                                   target pid  target process                                                            count
  wrote to memory  4604  dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe  2272        FVjhgtresfdbv.exe                                                         3
  wrote to memory  4604  dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe  4728        NHtrdsaghfDF.exe                                                          3
  wrote to memory  4604  dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe  4452        dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe  4
  wrote to memory  2272  FVjhgtresfdbv.exe                                                         1200        FVjhgtresfdbv.exe                                                         4
  wrote to memory  4728  NHtrdsaghfDF.exe                                                          4440        NHtrdsaghfDF.exe                                                          4
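The WriteProcessMemory and SetThreadContext tables together describe three hollowing chains, but the sandbox presents them as flat per-call rows. The script below is an added example, not part of the sandbox report: it parses rows in the report's own flattened format, collapses the per-call repeats, and joins the two tables on (parent, child) so that an edge carrying both a cross-process write and a thread-context change is reported as hollowing, with a flag for the self-image case seen here. The sample rows are constructed from this page's tables; the regex assumes exactly that row layout, and the "self-hollowing" / "write only" labels are this example's own terminology.

```python
"""Pull the process-hollowing chain out of flattened sandbox IoC rows.

Row format (as in this report's WriteProcessMemory / SetThreadContext tables):
    PID <src> wrote to memory of <dst> <src> <src image> <dst image>
    PID <src> set thread context of <dst> <src> <src image> <dst image>
"""
import re

# Constructed sample input: the unique rows from this report, with a few of
# the sandbox's per-call repeats left in to show that they are collapsed.
SAMPLE = "dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
REPORT_WRITES = f"""
PID 4604 wrote to memory of 2272 4604 {SAMPLE} FVjhgtresfdbv.exe
PID 4604 wrote to memory of 2272 4604 {SAMPLE} FVjhgtresfdbv.exe
PID 4604 wrote to memory of 4728 4604 {SAMPLE} NHtrdsaghfDF.exe
PID 4604 wrote to memory of 4452 4604 {SAMPLE} {SAMPLE}
PID 2272 wrote to memory of 1200 2272 FVjhgtresfdbv.exe FVjhgtresfdbv.exe
PID 4728 wrote to memory of 4440 4728 NHtrdsaghfDF.exe NHtrdsaghfDF.exe
PID 4728 wrote to memory of 4440 4728 NHtrdsaghfDF.exe NHtrdsaghfDF.exe
"""
REPORT_CONTEXTS = f"""
PID 4604 set thread context of 4452 4604 {SAMPLE} {SAMPLE}
PID 2272 set thread context of 1200 2272 FVjhgtresfdbv.exe FVjhgtresfdbv.exe
PID 4728 set thread context of 4440 4728 NHtrdsaghfDF.exe NHtrdsaghfDF.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_events(text):
    """Return unique (action, src_pid, dst_pid, src_img, dst_img) tuples in
    first-seen order.  The sandbox emits one row per API call, so the same
    edge appears several times; a dict keeps order while deduplicating."""
    seen = {}
    for m in EVENT_RE.finditer(text):
        key = (m["action"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        seen[key] = True
    return list(seen)


def find_hollowing(write_text, context_text):
    """Join cross-process writes with thread-context changes on (src, dst).

    A parent that writes into a child *and* redirects one of its threads is
    the shape of process hollowing: spawn a suspended copy of your own image,
    overwrite it, point the main thread at the new entry, resume.  Returns
    (hits, unmatched): hits carry both events; unmatched are writes with no
    SetThreadContext on the same edge (here the dropper writing into the two
    files it dropped), which this heuristic does not call injection.
    """
    writes = {(s, d): (si, di) for _, s, d, si, di in parse_events(write_text)}
    contexts = {(s, d) for _, s, d, _, _ in parse_events(context_text)}
    hits, unmatched = [], []
    for (src, dst), (src_img, dst_img) in writes.items():
        rec = {"parent": src, "child": dst, "parent_image": src_img,
               "child_image": dst_img, "same_image": src_img == dst_img}
        (hits if (src, dst) in contexts else unmatched).append(rec)
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = find_hollowing(REPORT_WRITES, REPORT_CONTEXTS)
    for h in hits:
        kind = "self-hollowing" if h["same_image"] else "cross-image injection"
        print(f"{h['parent']} -> {h['child']}: {kind} ({h['child_image']})")
    for u in unmatched:
        print(f"{u['parent']} -> {u['child']}: write only ({u['child_image']})")
```

Run against the rows above it reports 4604 -> 4452, 2272 -> 1200 and 4728 -> 4440 as self-hollowing and leaves the dropper's writes into 2272 and 4728 as write-only. The same join works on EDR telemetry that records both the write and the thread-context call with source and target PIDs; the point of keeping the unmatched writes separate is that a parent writing into a freshly created child is common and, on its own, not evidence of injection.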
Processes
Indentation shows parent/child; PIDs are taken from the signature tables above.
C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe (PID 4604)
  command line: "C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe (PID 2272)
    command line: "C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe (PID 1200, hollowed child)
      command line: "C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe (PID 2960)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1316
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe (PID 4728)
    command line: "C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe (PID 4440, hollowed child)
      command line: "C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe (PID 4452, hollowed child; Raccoon payload in memory)
    command line: "C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1200 -ip 1200
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (the report lists each file once per access; the repeated, identical entries are collapsed here)
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
  Filesize: 540KB
  MD5: 385e5b97d97b89cacff3594eafeb0e5e
  SHA1: 70e73110860c36c83c504f4804e3cebde2a618a1
  SHA256: 7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3
  SHA512: f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
  Filesize: 492KB
  MD5: 35bccedd18360d94a33d86c09af8480c
  SHA1: 013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0
  SHA256: ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f
  SHA512: 31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f
Memory dumps
memory/1200-143-0x0000000000000000-mapping.dmp
memory/1200-149-0x0000000000400000-0x0000000000434000-memory.dmp  Filesize: 208KB
memory/2272-132-0x0000000000000000-mapping.dmp
memory/4440-148-0x0000000000000000-mapping.dmp
memory/4440-151-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/4452-142-0x0000000000000000-mapping.dmp
memory/4452-147-0x0000000000400000-0x0000000000493000-memory.dmp  Filesize: 588KB  (matched by YARA rule family_raccoon)
memory/4604-145-0x0000000003760000-0x0000000003768000-memory.dmp  Filesize: 32KB
memory/4728-146-0x0000000002940000-0x0000000002948000-memory.dmp  Filesize: 32KB
memory/4728-135-0x0000000000000000-mapping.dmp
The 0x400000-based dumps from the three hollowed children (1200, 4440, 4452) are the images written over the original executables; start there for unpacked payloads.