Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 05:48

General

  • Target

    0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe

  • Size

    1013KB

  • MD5

    20b4ed91510de8b2766a7b27b643a007

  • SHA1

    e52812e0a3a17a291f524bde23a7dea44339bbf3

  • SHA256

    0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a

  • SHA512

    bad5c56aeb9b57c7b4591f34f41a157fc60e5038eeef82aaaa297a267bfb6c69ad8d52a9b60142c502756f56829c8a44840c620e1191458135fbb5b319feed0f

  • SSDEEP

    24576:/axyj3UlpY02W9pNydU50sTmJf2fU+NAmAOLm+t:/ac3UoW9OGxTmJ6emACm+

Malware Config

Extracted

Family

raccoon

Version

1.7.1-hotfix

Botnet

1cc7ea34e0c2ffcad2b614bf34887c32c8a79609

Attributes
  • url4cnc

    https://telete.in/brikitiki

rc4.plain
rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

darkangel.ac.ug

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Raccoon Stealer payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
    "C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
      "C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
        "C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe"
        3⤵
        • Executes dropped EXE
        PID:1160
    • C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
      "C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
        "C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe"
        3⤵
        • Executes dropped EXE
        PID:4364
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1312
          4⤵
          • Program crash
          PID:2440
    • C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
      "C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe"
      2⤵
        PID:4708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4364 -ip 4364
      1⤵
        PID:2340

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Collection

      Data from Local System

      1
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
        Filesize

        213KB

        MD5

        a22b4c1514f696b13a2862aea769ba6a

        SHA1

        a554a8e63f5d05b880e416a9d0999d628d033f03

        SHA256

        fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

        SHA512

        fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

      • C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
        Filesize

        213KB

        MD5

        a22b4c1514f696b13a2862aea769ba6a

        SHA1

        a554a8e63f5d05b880e416a9d0999d628d033f03

        SHA256

        fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

        SHA512

        fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

      • C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
        Filesize

        213KB

        MD5

        a22b4c1514f696b13a2862aea769ba6a

        SHA1

        a554a8e63f5d05b880e416a9d0999d628d033f03

        SHA256

        fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

        SHA512

        fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

      • C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
        Filesize

        261KB

        MD5

        ba2af377d1a970e8e083e4c4cec745e2

        SHA1

        a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

        SHA256

        f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

        SHA512

        eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

      • C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
        Filesize

        261KB

        MD5

        ba2af377d1a970e8e083e4c4cec745e2

        SHA1

        a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

        SHA256

        f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

        SHA512

        eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

      • C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
        Filesize

        261KB

        MD5

        ba2af377d1a970e8e083e4c4cec745e2

        SHA1

        a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

        SHA256

        f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

        SHA512

        eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

      • memory/928-134-0x0000000000000000-mapping.dmp
      • memory/1160-147-0x0000000000000000-mapping.dmp
      • memory/1160-151-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/4024-145-0x00000000035F0000-0x00000000035F7000-memory.dmp
        Filesize

        28KB

      • memory/4364-149-0x0000000000000000-mapping.dmp
      • memory/4364-152-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

      • memory/4364-153-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

      • memory/4552-139-0x0000000000000000-mapping.dmp
      • memory/4708-143-0x0000000000000000-mapping.dmp
      • memory/4708-146-0x0000000000400000-0x0000000000493000-memory.dmp
        Filesize

        588KB