Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 06:42

Static task: static1

Behavioral task: behavioral1
- Sample: 79abefa5e6692a3096c000815a138d47c43d361b93ff73c2b13a1c8b77321543.ps1
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 79abefa5e6692a3096c000815a138d47c43d361b93ff73c2b13a1c8b77321543.ps1
- Resource: win10v2004-20220414-en
General
- Target: 79abefa5e6692a3096c000815a138d47c43d361b93ff73c2b13a1c8b77321543.ps1
- Size: 1.9MB
- MD5: 1fa8859a60ac751d2f902ba0ba4f7f8d
- SHA1: 71ecc132df74adf48989f6074d505120f3af7b60
- SHA256: 79abefa5e6692a3096c000815a138d47c43d361b93ff73c2b13a1c8b77321543
- SHA512: 3452de68d6022daa980f9f82f918107e6d7c28d8d8cf5bb96b66917485d9e6d702fe44f91bd2fa8fc09097201cf927bb2ab71482759bca59b2660fff7ce1e598
Malware Config
- Extracted: azorult
  http://195.245.112.115/index.php
- Extracted: oski
  tomasisa.ug
- Extracted: raccoon
  089d42bf776aba2e6326c9c557e433da6c3501f4
  url4cnc: https://telete.in/jrikitiki
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Raccoon Stealer Payload (1 IoC)
  resource: behavioral2/memory/344-158-0x0000000000400000-0x0000000000493000-memory.dmp
  yara_rule: family_raccoon
- Executes dropped EXE (6 IoCs)
  pid 2744 zfou.exe
  pid 4400 Jvdacbs.exe
  pid 836 Pkdfshbas.exe
  pid 4792 Jvdacbs.exe
  pid 4220 Pkdfshbas.exe
  pid 344 zfou.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by zfou.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (3 IoCs)
  PID 4400 (Jvdacbs.exe) set thread context of 4792 (Jvdacbs.exe)
  PID 836 (Pkdfshbas.exe) set thread context of 4220 (Pkdfshbas.exe)
  PID 2744 (zfou.exe) set thread context of 344 (zfou.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid 2604 WerFault.exe, target pid 4220 Pkdfshbas.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 332 powershell.exe
  pid 332 powershell.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid 4400 Jvdacbs.exe
  pid 836 Pkdfshbas.exe
  pid 2744 zfou.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 332 powershell.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2744 zfou.exe
  pid 4400 Jvdacbs.exe
  pid 836 Pkdfshbas.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 332 (powershell.exe) wrote to memory of 2744 (zfou.exe), 3 times
  PID 2744 (zfou.exe) wrote to memory of 4400 (Jvdacbs.exe), 3 times
  PID 2744 (zfou.exe) wrote to memory of 836 (Pkdfshbas.exe), 3 times
  PID 4400 (Jvdacbs.exe) wrote to memory of 4792 (Jvdacbs.exe), 4 times
  PID 836 (Pkdfshbas.exe) wrote to memory of 4220 (Pkdfshbas.exe), 4 times
  PID 2744 (zfou.exe) wrote to memory of 344 (zfou.exe), 4 times
Processes (indented by tree depth)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\79abefa5e6692a3096c000815a138d47c43d361b93ff73c2b13a1c8b77321543.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\zfou.exe
    Command line: "C:\Users\Public\zfou.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe"
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe"
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1312
          - Program crash

    C:\Users\Public\zfou.exe
      Command line: "C:\Users\Public\zfou.exe"
      - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4220 -ip 4220
Downloads
- C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe
  Filesize: 380KB
  MD5: 62835e700428e242e2b3b9a4862504ad
  SHA1: fc5843c3348ae8507e15e5ccf26de32e8b4f9fee
  SHA256: 3c5a48ddae13424e0a7658c6aa6000c6b7ab4973cbb1ec171f15857dbafa20ef
  SHA512: 4ca0dbd01d4a0d942b9e45ba48fb91b50691353b58fe1eb9e23a2cb7af19dce4c17ef0c001e0472214acb8d524acdcff8b0ad7ec47c1b4156ca78d78f477c4ca
- C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe
  Filesize: 428KB
  MD5: ef0d6ae2da95b84e9571375e120c2af4
  SHA1: 7c6fb180c3d041780ee58a14528cdb035bac4d87
  SHA256: 74c58a2deb846ff9f62fbc2a3e43884883251b459d772038a2d1539df7ff9c89
  SHA512: c2fc4430c175df18abf959e9e4a6d724ef4ad7a3542d3027de5bde7d445131f2f169a43bd3c91d79cfa9654244c3bcd38e6013006e3699ceebc7a45712e1f0c0
- C:\Users\Public\zfou.exe
  Filesize: 1.4MB
  MD5: 7afa1658a6f338122d355720b4864ed2
  SHA1: d2d6012eba6cea513f1d7b267b562b35b738d46e
  SHA256: 38d0f6d2d2ccd86e63232e4c702202b167be54dd3c8e21d289f21f4d3775a1e5
  SHA512: a74585ff241320d340a8242d53ed58d853e25b85b3c5ccce0019c8fdcbc3e8df1b01eadd73ccf820bf193852b527702d4f2c95ddcbb0b6e1456d375e04839c2d
- memory/332-131-0x000001ED033F0000-0x000001ED03412000-memory.dmp
  Filesize: 136KB
- memory/332-132-0x00007FFEACCE0000-0x00007FFEAD7A1000-memory.dmp
  Filesize: 10.8MB
- memory/344-158-0x0000000000400000-0x0000000000493000-memory.dmp
  Filesize: 588KB
- memory/344-156-0x0000000000000000-mapping.dmp
- memory/836-142-0x0000000000000000-mapping.dmp
- memory/2744-133-0x0000000000000000-mapping.dmp
- memory/2744-154-0x0000000003650000-0x0000000003657000-memory.dmp
  Filesize: 28KB
- memory/4220-155-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB
- memory/4220-150-0x0000000000000000-mapping.dmp
- memory/4400-138-0x0000000000000000-mapping.dmp
- memory/4400-152-0x0000000000720000-0x0000000000727000-memory.dmp
  Filesize: 28KB
- memory/4792-153-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4792-147-0x0000000000000000-mapping.dmp