Analysis

Max time kernel: 157s
Max time network: 174s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 24-05-2022 18:34

Static task: static1
Behavioral task: behavioral1
  Sample: f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
  Resource: win10v2004-20220414-en
General

Target: f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
Size: 1.4MB
MD5: 01f6d86a3e0050cb116ad4f16f12a420
SHA1: 1d970042bb5b4d6fe680c177c44529f6a7671c3c
SHA256: f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53
SHA512: b6a33c16bd8786d84cca5bad32a6fe80698dae7d031207048d38fadc8962e011432c7cd9519353b821ef90ab91a59088b11ba72109ab20d234cc20bc28589939
Malware Config

Extracted: azorult
  http://195.245.112.115/index.php
Extracted: oski
  aleaiasko.ug
Extracted: raccoon
  180d3985eb74eacf2de83c771fbf30a60f670ec0
  url4cnc: https://telete.in/jrikitiki
Signatures

Azorult
  An information stealer first discovered in 2016, targeting browsing history and passwords.

Oski
  An infostealer targeting browser data and cryptocurrency wallets.

Raccoon Stealer Payload (1 IoC)
  resource: behavioral2/memory/2108-151-0x0000000000400000-0x0000000000493000-memory.dmp
  yara_rule: family_raccoon

Executes dropped EXE (4 IoCs)
  pid   process
  444   Hfkvbscdium.exe
  3600  PothqncmajgF.exe
  2288  Hfkvbscdium.exe
  3224  PothqncmajgF.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (3 IoCs)
  pid process -> target pid target process
  444 Hfkvbscdium.exe -> 2288 Hfkvbscdium.exe
  4312 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe -> 2108 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
  3600 PothqncmajgF.exe -> 3224 PothqncmajgF.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; every family identified in this report is an infostealer, so here it is evidence of drive enumeration, not of ransomware.

Program crash (1 IoC)
  pid process -> pid_target target process
  1780 WerFault.exe -> 3224 PothqncmajgF.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid   process
  444   Hfkvbscdium.exe
  4312  f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
  3600  PothqncmajgF.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  4312  f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
  444   Hfkvbscdium.exe
  3600  PothqncmajgF.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  pid process -> target pid target process (rows)
  4312 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe -> 444 Hfkvbscdium.exe (3)
  4312 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe -> 3600 PothqncmajgF.exe (3)
  444 Hfkvbscdium.exe -> 2288 Hfkvbscdium.exe (4)
  4312 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe -> 2108 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe (4)
  3600 PothqncmajgF.exe -> 3224 PothqncmajgF.exe (4)
  (identical rows collapsed; the report lists each of the 18 writes separately)
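The three injection signatures above (WriteProcessMemory, SetThreadContext and MapViewOfSection) are more useful read together than one by one: each parent writes into a freshly started copy of its own image and then rewrites that child's thread context, which is the process-hollowing sequence, and the family_raccoon YARA hit lands on one of the hollowed children. The Python below is an added example, not part of the sandbox report or its tooling; it re-types the report's rows as constructed tuples (PIDs, image names, row counts and the YARA hit are copied from the tables above) and infers the chains from them. The tuple layout and the helper names are assumptions made for illustration.

```python
"""Reconstruct the injection chains in this report from its signature tables.

Added example: the PIDs, image names, row counts and the family_raccoon YARA hit
are copied from the tables above; the tuple layout is a constructed
simplification of those tables, not a sandbox export format.
"""
import re

SAMPLE = "f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"

# "Suspicious use of WriteProcessMemory" (18 IoCs):
# (source_pid, source_image, target_pid, target_image, number_of_rows)
WRITES = [
    (4312, SAMPLE, 444, "Hfkvbscdium.exe", 3),
    (4312, SAMPLE, 3600, "PothqncmajgF.exe", 3),
    (444, "Hfkvbscdium.exe", 2288, "Hfkvbscdium.exe", 4),
    (4312, SAMPLE, 2108, SAMPLE, 4),
    (3600, "PothqncmajgF.exe", 3224, "PothqncmajgF.exe", 4),
]
# "Suspicious use of SetThreadContext" (3 IoCs): (source_pid, target_pid)
SET_THREAD_CONTEXT = [(444, 2288), (4312, 2108), (3600, 3224)]
# "Suspicious behavior: MapViewOfSection" (3 IoCs): pids that mapped a section view
MAP_VIEW_OF_SECTION = {444, 4312, 3600}
# "Raccoon Stealer Payload": memory dump -> YARA rule that matched it
YARA_HITS = {
    "behavioral2/memory/2108-151-0x0000000000400000-0x0000000000493000-memory.dmp": "family_raccoon",
}

_DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x[0-9a-fA-F]+-0x[0-9a-fA-F]+-memory\.dmp$")


def pid_from_dump(path):
    """Return the PID encoded in a '<task>/memory/<pid>-<n>-<start>-<end>-memory.dmp' name."""
    m = _DUMP_RE.search(path)
    if m is None:
        raise ValueError("not a memory dump path: %r" % path)
    return int(m.group(1))


def total_write_iocs(writes=WRITES):
    """Number of WriteProcessMemory rows the report lists (18 for this sample)."""
    return sum(count for *_, count in writes)


def find_hollowing_chains(writes=WRITES, set_ctx=SET_THREAD_CONTEXT,
                          map_view=MAP_VIEW_OF_SECTION):
    """Pair each WriteProcessMemory edge with a SetThreadContext edge on the same (parent, child).

    A parent that writes into a child running the same image and then rewrites that
    child's thread context is the classic process-hollowing sequence; if the parent
    also mapped a section view, MapViewOfSection is recorded as supporting evidence.
    """
    ctx_edges = set(set_ctx)
    chains = []
    for src_pid, src_img, dst_pid, dst_img, _ in writes:
        if (src_pid, dst_pid) not in ctx_edges:
            continue
        evidence = ["WriteProcessMemory", "SetThreadContext"]
        if src_pid in map_view:
            evidence.append("MapViewOfSection")
        chains.append({
            "parent": src_pid, "child": dst_pid, "image": dst_img,
            "same_image": src_img == dst_img, "evidence": evidence, "family": None,
        })
    return chains


def attribute_families(chains, yara_hits=YARA_HITS):
    """Attach a YARA family to the chain whose hollowed child produced the matching dump."""
    by_child = {c["child"]: c for c in chains}
    for dump, family in yara_hits.items():
        pid = pid_from_dump(dump)
        if pid in by_child:
            by_child[pid]["family"] = family
    return chains


def dropped_payload_launches(writes=WRITES):
    """Writes into a child with a different image: the parent launching a dropped EXE."""
    return [(s, d, di) for s, si, d, di, _ in writes if si != di]


def summarize():
    """One line per hollowing chain: parent -> child (image): family [evidence]."""
    chains = attribute_families(find_hollowing_chains())
    return ["%d -> %d (%s): %s [%s]" % (
        c["parent"], c["child"], c["image"], c["family"] or "unattributed",
        ", ".join(c["evidence"])) for c in chains]


if __name__ == "__main__":
    print("WriteProcessMemory rows:", total_write_iocs())
    for src, dst, image in dropped_payload_launches():
        print("drop-and-run: %d -> %d (%s)" % (src, dst, image))
    for line in summarize():
        print("hollowing:", line)
```

Running it prints two drop-and-run edges (4312 -> 444 and 4312 -> 3600) and three hollowing chains, of which only 4312 -> 2108 is attributed (family_raccoon). The other two hollowed children match no YARA rule in this report, so the azorult and oski configs extracted above cannot be tied to a specific dropped file from these tables alone; that attribution needs the memory dumps themselves.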
Processes

(indentation shows process depth; PIDs are taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe  (PID 4312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe  (PID 444)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe  (PID 2288)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe"
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe  (PID 3600)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe  (PID 3224)
          Command line: "C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe"
          - Executes dropped EXE

            C:\Windows\SysWOW64\WerFault.exe  (PID 1780)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1316
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe  (PID 2108)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3224 -ip 3224
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe  (three identical entries in the report)
  Filesize: 432KB
  MD5: 1e9d15d0e69d2ddaa1201eeb9859645e
  SHA1: d75e404d0a709d26781b0481a68e74218b4c4a5c
  SHA256: 236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2
  SHA512: 4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe  (three identical entries in the report)
  Filesize: 480KB
  MD5: 7f572cad5b68d5b32e330aca579152ae
  SHA1: a4f3f75b11a059c491476c475721c37d65e7fe31
  SHA256: f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c
  SHA512: 8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55
memory/444-132-0x0000000000000000-mapping.dmp
memory/444-145-0x0000000000650000-0x0000000000656000-memory.dmp  (Filesize: 24KB)
memory/2108-144-0x0000000000000000-mapping.dmp
memory/2108-151-0x0000000000400000-0x0000000000493000-memory.dmp  (Filesize: 588KB; the dump that matched family_raccoon)
memory/2288-142-0x0000000000000000-mapping.dmp
memory/2288-147-0x0000000000400000-0x0000000000420000-memory.dmp  (Filesize: 128KB)
memory/3224-148-0x0000000000000000-mapping.dmp
memory/3224-150-0x0000000000400000-0x0000000000434000-memory.dmp  (Filesize: 208KB)
memory/3600-137-0x0000000000000000-mapping.dmp
memory/3600-146-0x0000000000640000-0x0000000000646000-memory.dmp  (Filesize: 24KB)