Analysis
- max time kernel: 186s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 22:39
- Static task: static1
- Behavioral task: behavioral1
  Sample: cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
  Resource: win10v2004-20220414-en
General
- Target: cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
- Size: 3.1MB
- MD5: 143d0f36308fd6d510f611f37b9f0cb8
- SHA1: 0ef800088a40ccea4126512037e7326594bbabb4
- SHA256: cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131
- SHA512: 9c628fd049dcd8e88b7433b16f2b59cf251ea1e384878aba2196ff0c97474bcfc03ab4f56cdccb11b141ede4950d3a40c4b5f945c3d1927ce7941d5277a2f9b9
Malware Config
- Extracted: azorult
  http://195.245.112.115/index.php
- Extracted: raccoon
  180d3985eb74eacf2de83c771fbf30a60f670ec0
  url4cnc: https://telete.in/jrikitiki
- Extracted: oski
  levitt.ug
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Raccoon Stealer Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/2952-152-0x0000000000400000-0x0000000000493000-memory.dmp
    yara_rule: family_raccoon
- Executes dropped EXE (4 IoCs)
  Processes:
    pid   process
    4540  KfdbwPiovb.exe
    4796  KfdbsPioqb.exe
    3984  KfdbsPioqb.exe
    2360  KfdbwPiovb.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    process: cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   process                                                                   target process
    PID 3004 set thread context of 2952  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    PID 4796 set thread context of 3984  4796  KfdbsPioqb.exe                                                            KfdbsPioqb.exe
    PID 4540 set thread context of 2360  4540  KfdbwPiovb.exe                                                            KfdbwPiovb.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    3292  3984        WerFault.exe  KfdbsPioqb.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes:
    pid   process
    3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    4796  KfdbsPioqb.exe
    4540  KfdbwPiovb.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   process
    3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    4540  KfdbwPiovb.exe
    4796  KfdbsPioqb.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 3004 wrote to memory of 4540  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  KfdbwPiovb.exe
    PID 3004 wrote to memory of 4540  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  KfdbwPiovb.exe
    PID 3004 wrote to memory of 4540  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  KfdbwPiovb.exe
    PID 3004 wrote to memory of 4796  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  KfdbsPioqb.exe
    PID 3004 wrote to memory of 4796  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  KfdbsPioqb.exe
    PID 3004 wrote to memory of 4796  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  KfdbsPioqb.exe
    PID 3004 wrote to memory of 2952  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    PID 3004 wrote to memory of 2952  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    PID 3004 wrote to memory of 2952  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    PID 4796 wrote to memory of 3984  4796  KfdbsPioqb.exe                                                            KfdbsPioqb.exe
    PID 4796 wrote to memory of 3984  4796  KfdbsPioqb.exe                                                            KfdbsPioqb.exe
    PID 4796 wrote to memory of 3984  4796  KfdbsPioqb.exe                                                            KfdbsPioqb.exe
    PID 3004 wrote to memory of 2952  3004  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe  cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    PID 4796 wrote to memory of 3984  4796  KfdbsPioqb.exe                                                            KfdbsPioqb.exe
    PID 4540 wrote to memory of 2360  4540  KfdbwPiovb.exe                                                            KfdbwPiovb.exe
    PID 4540 wrote to memory of 2360  4540  KfdbwPiovb.exe                                                            KfdbwPiovb.exe
    PID 4540 wrote to memory of 2360  4540  KfdbwPiovb.exe                                                            KfdbwPiovb.exe
    PID 4540 wrote to memory of 2360  4540  KfdbwPiovb.exe                                                            KfdbwPiovb.exe
Processes (tree depth in parentheses)
- (depth 1) C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- (depth 2) C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"
  - Executes dropped EXE
- (depth 2) C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"
  - Executes dropped EXE
- (depth 4) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1312
  - Program crash
- (depth 2) C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3984 -ip 3984
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
  Filesize: 1.1MB
  MD5: 10a1fc9651aab1b4e9c3a2419519d65a
  SHA1: 4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22
  SHA256: 49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda
  SHA512: 582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e
- C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
  Filesize: 956KB
  MD5: 7103d3b5536ccc75545f75ff1fcc1917
  SHA1: 6699646eab39a42befdcf6bd17c814294f0c70c8
  SHA256: b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1
  SHA512: a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c
- memory/2360-148-0x0000000000000000-mapping.dmp
- memory/2360-151-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/2952-145-0x0000000000000000-mapping.dmp
- memory/2952-152-0x0000000000400000-0x0000000000493000-memory.dmp
  Filesize: 588KB
- memory/3004-142-0x0000000003910000-0x0000000003916000-memory.dmp
  Filesize: 24KB
- memory/3984-146-0x0000000000000000-mapping.dmp
- memory/3984-150-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB
- memory/4540-143-0x00000000006A0000-0x00000000006A6000-memory.dmp
  Filesize: 24KB
- memory/4540-132-0x0000000000000000-mapping.dmp
- memory/4796-144-0x0000000002070000-0x0000000002078000-memory.dmp
  Filesize: 32KB
- memory/4796-136-0x0000000000000000-mapping.dmp