Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-05-2022 21:20

Static task: static1

Behavioral task: behavioral1
- Sample: fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
- Resource: win10v2004-20220414-en
General
- Target: fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
- Size: 1.0MB
- MD5: 1d14c938c3dc37a1e53ffa556b22d177
- SHA1: d212b0d999e33da5994d3966e4bcbb369b1c7289
- SHA256: fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493
- SHA512: 816370cd07c7c04fd6a113c2ebb8fa878d7b4df186101e5bd337bc1f931c292d9d72c7cd6c2895c17be612c79d5ab5a56a848407a8072a25f2817f98c1bac176
Malware Config
Extracted: oski
- courtneysdv.ac.ug
Extracted: azorult
- http://195.245.112.115/index.php
Extracted: raccoon
- d58ee081e4d259676e5c18189c82f5356e64ec30
- url4cnc: https://telete.in/brikitiki
Signatures
- Azorult
  An information stealer, first discovered in 2016, that targets browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Raccoon Stealer Payload (1 IoC)
  Processes (resource, yara_rule):
  behavioral2/memory/3628-150-0x0000000000400000-0x0000000000493000-memory.dmp, family_raccoon
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  2552 CVhffgrdDFbv.exe
  3124 zVhgfgjbnv.exe
  4044 CVhffgrdDFbv.exe
  4888 zVhgfgjbnv.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description, ioc, process):
  Key value queried; \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation; fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  Processes (pid, process):
  4044 CVhffgrdDFbv.exe (listed twice)
  3628 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe (listed twice)
  4888 zVhgfgjbnv.exe (listed twice)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description; pid, process; target process):
  PID 4016 set thread context of 3628; 4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe; fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
  PID 2552 set thread context of 4044; 2552 CVhffgrdDFbv.exe; CVhffgrdDFbv.exe
  PID 3124 set thread context of 4888; 3124 zVhgfgjbnv.exe; zVhgfgjbnv.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  4752 4888 WerFault.exe zVhgfgjbnv.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; each pair is listed repeatedly, 64 entries in total):
  3628 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
  4888 zVhgfgjbnv.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid, process):
  4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
  2552 CVhffgrdDFbv.exe
  3124 zVhgfgjbnv.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
  4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
  2552 CVhffgrdDFbv.exe
  3124 zVhgfgjbnv.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description; pid, process; target process):
  PID 4016 wrote to memory of 2552; 4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe; CVhffgrdDFbv.exe (listed 3 times)
  PID 4016 wrote to memory of 3124; 4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe; zVhgfgjbnv.exe (listed 3 times)
  PID 4016 wrote to memory of 3628; 4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe; fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe (listed 4 times)
  PID 2552 wrote to memory of 4044; 2552 CVhffgrdDFbv.exe; CVhffgrdDFbv.exe (listed 4 times)
  PID 3124 wrote to memory of 4888; 3124 zVhgfgjbnv.exe; zVhgfgjbnv.exe (listed 4 times)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  - (level 2) C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - (level 4) C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1304
        - Program crash
  - (level 2) C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
- (level 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4888 -ip 4888
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
  Filesize: 232KB
  MD5: 02a3dc4aeb09f2d0c48a47922bed2d73
  SHA1: ad59fb3b77bb02a2a38ddba31d617b17eeffb276
  SHA256: 4a2d4f9ed9d34ba93219ad56c5d20902b89ecf8541afde59d1c321e0784f3b57
  SHA512: 22bab6e49b3528b8e74b943c70541b1fbf4eb5b0d57924bf4bf4ae461fd5253e1d6ea3b7b1aff9263f1175d059c8daa4cb6236e869a16b2e585cc0ebe58f9e06
- C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
  Filesize: 276KB
  MD5: 3353c49b01e245c14103afb71443c724
  SHA1: 9d51ca208eb1d2d7e0b9bbd399af7e17bfcb2e97
  SHA256: 29fc25aa5e1cae33ce7df5819cb4cd586784828039f4cda5b4f16583cf92a2d6
  SHA512: a636f77352ccf2a52778631f2c43365290ae9a7da8e686c28ebe259c63f910269b9f0df5d0595cd46d25f9aa64c84c6423e596fc771ef4c9e024be75448b50df
- memory/2552-132-0x0000000000000000-mapping.dmp
- memory/3124-136-0x0000000000000000-mapping.dmp
- memory/3628-142-0x0000000000000000-mapping.dmp
- memory/3628-150-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/4016-145-0x00000000035F0000-0x00000000035F7000-memory.dmp (Filesize: 28KB)
- memory/4044-143-0x0000000000000000-mapping.dmp
- memory/4044-149-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4888-146-0x0000000000000000-mapping.dmp
- memory/4888-148-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)