Analysis
- max time kernel: 130s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24/05/2022, 22:42
Static task: static1
Behavioral task: behavioral1
- Sample: ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
- Resource: win10v2004-20220414-en
General
- Target: ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
- Size: 932KB
- MD5: 2a3b3da0fbdfbcc9fafcce4708954170
- SHA1: 13e48a6734e0d1f2275ad42ad5630ca22ca130c9
- SHA256: ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20
- SHA512: dae7c463ed3b01b23611470aae2d6125a428471f4b75dc2e390d1ef2bab5ba069b3775b97739627ce9c63be58d7e42f909bd6e7859fdb58e1b0dbd3b104dd3b9
Malware Config
- Extracted: azorult
  http://195.245.112.115/index.php
- Extracted: oski
  levitt.ug
- Extracted: raccoon
  180d3985eb74eacf2de83c771fbf30a60f670ec0
  url4cnc: https://telete.in/jrikitiki
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Raccoon Stealer Payload (1 IoC)
  resource / yara_rule:
  behavioral2/memory/3556-148-0x0000000000400000-0x0000000000493000-memory.dmp / family_raccoon
- Executes dropped EXE (4 IoCs)
  pid / Process:
  4568 / KdacfF.exe.exe
  5104 / OpacaF.exe
  2040 / KdacfF.exe.exe
  3468 / OpacaF.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  Key value queried / \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  PID 3564 set thread context of 3556 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 47
  PID 4568 set thread context of 2040 / 4568 / KdacfF.exe.exe / 49
  PID 5104 set thread context of 3468 / 5104 / OpacaF.exe / 48
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid / pid_target / Process / procid_target:
  2408 / 3468 / WerFault.exe / 48
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid / Process:
  3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
  4568 / KdacfF.exe.exe
  5104 / OpacaF.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid / Process:
  3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
  4568 / KdacfF.exe.exe
  5104 / OpacaF.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / Process / procid_target:
  PID 3564 wrote to memory of 4568 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 46
  PID 3564 wrote to memory of 4568 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 46
  PID 3564 wrote to memory of 4568 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 46
  PID 3564 wrote to memory of 5104 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 50
  PID 3564 wrote to memory of 5104 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 50
  PID 3564 wrote to memory of 5104 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 50
  PID 3564 wrote to memory of 3556 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 47
  PID 3564 wrote to memory of 3556 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 47
  PID 3564 wrote to memory of 3556 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 47
  PID 3564 wrote to memory of 3556 / 3564 / ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe / 47
  PID 4568 wrote to memory of 2040 / 4568 / KdacfF.exe.exe / 49
  PID 4568 wrote to memory of 2040 / 4568 / KdacfF.exe.exe / 49
  PID 4568 wrote to memory of 2040 / 4568 / KdacfF.exe.exe / 49
  PID 4568 wrote to memory of 2040 / 4568 / KdacfF.exe.exe / 49
  PID 5104 wrote to memory of 3468 / 5104 / OpacaF.exe / 48
  PID 5104 wrote to memory of 3468 / 5104 / OpacaF.exe / 48
  PID 5104 wrote to memory of 3468 / 5104 / OpacaF.exe / 48
  PID 5104 wrote to memory of 3468 / 5104 / OpacaF.exe / 48
Processes
- C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe (PID 3564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe (PID 4568)
    Command line: "C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe (PID 2040)
      Command line: "C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe"
      Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe (PID 3556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe"
  - C:\Users\Admin\AppData\Roaming\OpacaF.exe (PID 5104)
    Command line: "C:\Users\Admin\AppData\Roaming\OpacaF.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\OpacaF.exe (PID 3468)
  Command line: "C:\Users\Admin\AppData\Roaming\OpacaF.exe"
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 2408)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1340
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2560)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3468 -ip 3468
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 204KB
  MD5: bba648d5b17554cb4556f7f839914ef4
  SHA1: b042cb93b7629159000d1fbbd70d3536bda47d2b
  SHA256: da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788
  SHA512: 4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7
- Filesize: 248KB
  MD5: 8d6db869797db1841460c4ebd0806a84
  SHA1: 860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054
  SHA256: 6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e
  SHA512: f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10