Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2022 05:48

Static task: static1

Behavioral task: behavioral1
Sample: bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
Resource: win10v2004-20220901-en
General
Target: bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
Size: 1.5MB
MD5: 82a0a0bd6084c5a28081310e75e7f608
SHA1: e5ce952e62af7efc484826c512a6f9b363b21877
SHA256: bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d
SHA512: 19f0465a25d4fb885d42df63fa29191e2316a2acb35f1885d21d20d6706f1c1240a15a5dae618ee78ca98d9b5d11ce937d2f108740d0adbfd962eb28e1a9c27c
SSDEEP: 24576:Fs50MV0ORVeA8iFZwkyIVH8oPMp4ySs50MIpNSlzqs50M0IW9KK5jNSDUXNSW1:Fs5VXh8lkHVHLMSs5IpIlzqs50h9KajX
Malware Config
Extracted: raccoon
  1.7.1-hotfix
  5e4db353b88c002ba6466c06437973619aad03b3
  url4cnc: https://telete.in/brikitiki
Extracted: oski
  taenaiaa.ac.ug
Extracted: azorult
  http://195.245.112.115/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Raccoon Stealer payload (1 IoC)
Processes (resource, yara_rule):
  behavioral1/memory/1380-84-0x0000000000400000-0x0000000000493000-memory.dmp  family_raccoon
Executes dropped EXE (4 IoCs)
Processes (pid, process):
  1356  FGbfttrev.exe
  1528  FDvbcgfert.exe
  1652  FGbfttrev.exe
  268   FDvbcgfert.exe

Loads dropped DLL (11 IoCs)
Processes (pid, process):
  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1356  FGbfttrev.exe
  1528  FDvbcgfert.exe
  1268  WerFault.exe
  1268  WerFault.exe
  1268  WerFault.exe
  1268  WerFault.exe
  1268  WerFault.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes (pid, process):
  1380  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1380  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1652  FGbfttrev.exe
  1652  FGbfttrev.exe
  268   FDvbcgfert.exe
  268   FDvbcgfert.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target process):
  PID 1096 set thread context of 1380  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  PID 1356 set thread context of 1652  1356  FGbfttrev.exe  FGbfttrev.exe
  PID 1528 set thread context of 268   1528  FDvbcgfert.exe  FDvbcgfert.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
  1268  268  WerFault.exe  FDvbcgfert.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes (pid, process):
  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1356  FGbfttrev.exe
  1528  FDvbcgfert.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid, process):
  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  1356  FGbfttrev.exe
  1528  FDvbcgfert.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description, pid, process, target process):
  PID 1096 wrote to memory of 1356  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FGbfttrev.exe
  PID 1096 wrote to memory of 1356  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FGbfttrev.exe
  PID 1096 wrote to memory of 1356  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FGbfttrev.exe
  PID 1096 wrote to memory of 1356  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FGbfttrev.exe
  PID 1096 wrote to memory of 1528  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FDvbcgfert.exe
  PID 1096 wrote to memory of 1528  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FDvbcgfert.exe
  PID 1096 wrote to memory of 1528  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FDvbcgfert.exe
  PID 1096 wrote to memory of 1528  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  FDvbcgfert.exe
  PID 1096 wrote to memory of 1380  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  PID 1096 wrote to memory of 1380  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  PID 1096 wrote to memory of 1380  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  PID 1096 wrote to memory of 1380  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  PID 1096 wrote to memory of 1380  1096  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe  bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  PID 1356 wrote to memory of 1652  1356  FGbfttrev.exe  FGbfttrev.exe
  PID 1356 wrote to memory of 1652  1356  FGbfttrev.exe  FGbfttrev.exe
  PID 1356 wrote to memory of 1652  1356  FGbfttrev.exe  FGbfttrev.exe
  PID 1356 wrote to memory of 1652  1356  FGbfttrev.exe  FGbfttrev.exe
  PID 1356 wrote to memory of 1652  1356  FGbfttrev.exe  FGbfttrev.exe
  PID 1528 wrote to memory of 268   1528  FDvbcgfert.exe  FDvbcgfert.exe
  PID 1528 wrote to memory of 268   1528  FDvbcgfert.exe  FDvbcgfert.exe
  PID 1528 wrote to memory of 268   1528  FDvbcgfert.exe  FDvbcgfert.exe
  PID 1528 wrote to memory of 268   1528  FDvbcgfert.exe  FDvbcgfert.exe
  PID 1528 wrote to memory of 268   1528  FDvbcgfert.exe  FDvbcgfert.exe
  PID 268 wrote to memory of 1268   268   FDvbcgfert.exe  WerFault.exe
  PID 268 wrote to memory of 1268   268   FDvbcgfert.exe  WerFault.exe
  PID 268 wrote to memory of 1268   268   FDvbcgfert.exe  WerFault.exe
  PID 268 wrote to memory of 1268   268   FDvbcgfert.exe  WerFault.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1096

  C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1356

    C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 1652

  C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1528

    C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      PID: 268

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 852
        - Loads dropped DLL
        - Program crash
        PID: 1268

  C:\Users\Admin\AppData\Local\Temp\bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID: 1380
Network
MITRE ATT&CK Enterprise v6
Downloads