Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 03:41
Static task
static1
Behavioral task
behavioral1
Sample
0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe
Resource
win10v2004-20220414-en
General
-
Target
0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe
-
Size
1.1MB
-
MD5
67fb804e2e006ac7fdb5ec617f43aa35
-
SHA1
6b82e6290ef6d0141f26acde06fa7e2096fb46b2
-
SHA256
0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a
-
SHA512
721ea1beda72977b30cef1a929bb371e9d3808ff01a0cbb7653329f8e9aa227385dd6971409f62d9029e9372ad4e03da96635b407786c42180992c837b583a7d
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
oski
mantis.ug
Extracted
raccoon
180d3985eb74eacf2de83c771fbf30a60f670ec0
-
url4cnc
https://telete.in/jrikitiki
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon Stealer Payload 1 IoCs
resource yara_rule behavioral1/memory/1700-87-0x0000000000400000-0x0000000000493000-memory.dmp family_raccoon -
Executes dropped EXE 4 IoCs
pid Process 1980 Pvjkdebv.exe 1808 Pvjadebv.exe 1660 Pvjkdebv.exe 1096 Pvjadebv.exe -
Loads dropped DLL 11 IoCs
pid Process 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1980 Pvjkdebv.exe 1808 Pvjadebv.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1096 Pvjadebv.exe 1096 Pvjadebv.exe 1660 Pvjkdebv.exe 1660 Pvjkdebv.exe 1700 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1700 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1980 set thread context of 1660 1980 Pvjkdebv.exe 31 PID 1460 set thread context of 1700 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 30 PID 1808 set thread context of 1096 1808 Pvjadebv.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1332 1660 WerFault.exe 31 -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 1980 Pvjkdebv.exe 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1808 Pvjadebv.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 1980 Pvjkdebv.exe 1808 Pvjadebv.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1460 wrote to memory of 1980 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 28 PID 1460 wrote to memory of 1980 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 28 PID 1460 wrote to memory of 1980 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 28 PID 1460 wrote to memory of 1980 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 28 PID 1460 wrote to memory of 1808 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 29 PID 1460 wrote to memory of 1808 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 29 PID 1460 wrote to memory of 1808 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 29 PID 1460 wrote to memory of 1808 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 29 PID 1980 wrote to memory of 1660 1980 Pvjkdebv.exe 31 PID 1980 wrote to memory of 1660 1980 Pvjkdebv.exe 31 PID 1980 wrote to memory of 1660 1980 Pvjkdebv.exe 31 PID 1980 wrote to memory of 1660 1980 Pvjkdebv.exe 31 PID 1980 wrote to memory of 1660 1980 Pvjkdebv.exe 31 PID 1460 wrote to memory of 1700 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 30 PID 1460 wrote to memory of 1700 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 30 PID 1460 wrote to memory of 1700 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 30 PID 1460 wrote to memory of 1700 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 30 PID 1460 wrote to memory of 1700 1460 0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe 30 PID 1808 wrote to memory of 1096 1808 Pvjadebv.exe 32 PID 1808 wrote to memory of 1096 1808 Pvjadebv.exe 32 PID 1808 wrote to memory of 1096 1808 Pvjadebv.exe 32 PID 1808 wrote to memory of 1096 1808 Pvjadebv.exe 32 PID 1808 wrote to memory of 1096 1808 Pvjadebv.exe 32 PID 1660 wrote to memory of 1332 1660 Pvjkdebv.exe 36 PID 1660 wrote to memory of 1332 1660 Pvjkdebv.exe 36 PID 1660 wrote to memory of 1332 1660 Pvjkdebv.exe 36 PID 1660 wrote to memory of 1332 1660 Pvjkdebv.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe"C:\Users\Admin\AppData\Local\Temp\0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\Pvjkdebv.exe"C:\Users\Admin\AppData\Local\Temp\Pvjkdebv.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\Pvjkdebv.exe"C:\Users\Admin\AppData\Local\Temp\Pvjkdebv.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 7724⤵
- Loads dropped DLL
- Program crash
PID:1332
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Pvjadebv.exe"C:\Users\Admin\AppData\Local\Temp\Pvjadebv.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\Pvjadebv.exe"C:\Users\Admin\AppData\Local\Temp\Pvjadebv.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1096
-
-
-
C:\Users\Admin\AppData\Local\Temp\0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe"C:\Users\Admin\AppData\Local\Temp\0e84226430bd428b5dd2f9ceb5cddba56ad3f6606a0b7bf978484132d753aa9a.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1700
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD5b782496c71766cd400caa4ea48dbc939
SHA14c154e3c272948621f00d526aeb3804dc8515ace
SHA2569eb6fe1bd18fde5d7339719df4d2a86bb1aae1ef5940410f9be2dc2fdbbf61e0
SHA51249645abf1c159f2bc012a8621f6a4b1ce6d87954753014c3ee7625e50d533b80013f90d2bcb0e20c38f6991a7bc7e315133d7a3bb1f37b9a922623e70d55c518
-
Filesize
228KB
MD5b782496c71766cd400caa4ea48dbc939
SHA14c154e3c272948621f00d526aeb3804dc8515ace
SHA2569eb6fe1bd18fde5d7339719df4d2a86bb1aae1ef5940410f9be2dc2fdbbf61e0
SHA51249645abf1c159f2bc012a8621f6a4b1ce6d87954753014c3ee7625e50d533b80013f90d2bcb0e20c38f6991a7bc7e315133d7a3bb1f37b9a922623e70d55c518
-
Filesize
228KB
MD5b782496c71766cd400caa4ea48dbc939
SHA14c154e3c272948621f00d526aeb3804dc8515ace
SHA2569eb6fe1bd18fde5d7339719df4d2a86bb1aae1ef5940410f9be2dc2fdbbf61e0
SHA51249645abf1c159f2bc012a8621f6a4b1ce6d87954753014c3ee7625e50d533b80013f90d2bcb0e20c38f6991a7bc7e315133d7a3bb1f37b9a922623e70d55c518
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
228KB
MD5b782496c71766cd400caa4ea48dbc939
SHA14c154e3c272948621f00d526aeb3804dc8515ace
SHA2569eb6fe1bd18fde5d7339719df4d2a86bb1aae1ef5940410f9be2dc2fdbbf61e0
SHA51249645abf1c159f2bc012a8621f6a4b1ce6d87954753014c3ee7625e50d533b80013f90d2bcb0e20c38f6991a7bc7e315133d7a3bb1f37b9a922623e70d55c518
-
Filesize
228KB
MD5b782496c71766cd400caa4ea48dbc939
SHA14c154e3c272948621f00d526aeb3804dc8515ace
SHA2569eb6fe1bd18fde5d7339719df4d2a86bb1aae1ef5940410f9be2dc2fdbbf61e0
SHA51249645abf1c159f2bc012a8621f6a4b1ce6d87954753014c3ee7625e50d533b80013f90d2bcb0e20c38f6991a7bc7e315133d7a3bb1f37b9a922623e70d55c518
-
Filesize
228KB
MD5b782496c71766cd400caa4ea48dbc939
SHA14c154e3c272948621f00d526aeb3804dc8515ace
SHA2569eb6fe1bd18fde5d7339719df4d2a86bb1aae1ef5940410f9be2dc2fdbbf61e0
SHA51249645abf1c159f2bc012a8621f6a4b1ce6d87954753014c3ee7625e50d533b80013f90d2bcb0e20c38f6991a7bc7e315133d7a3bb1f37b9a922623e70d55c518
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008
-
Filesize
272KB
MD51c57b1ffb059b7cd3a7cd64f8658eef0
SHA1e89a4d44e48ab1b80cc4386d10b7bde4467bcd4b
SHA2567f2fb08742f42d241cdb1936fc5f18a7ee05dd53a1500c9d9ebbd30e50e75699
SHA512ae1f0e59b3f355bdd1046721fe91a8d4bcf732baf097b5b65847b6e1ba731da910c540f84d51aed8d1286c539534c59f2368b8a32e1daa680a3d498e3aad4008