Analysis Overview
SHA256
b9acbe3e107eb4dd11e9fcaef4ec4f394cf1cbb017a57193786ba03c6f8fd0db
Threat Level: Known bad
The file 0d0bfea25b921d11907d61def9e94c6e was found to be: Known bad.
Malicious Activity Summary
Azorult
Oski
Raccoon Stealer V1 payload
Raccoon
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2023-12-19 10:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-19 10:50
Reported
2023-12-19 13:27
Platform
win7-20231215-en
Max time kernel
150s
Max time network
148s
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1696 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe |
| PID 2964 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | C:\Users\Admin\AppData\Local\Temp\ssme.exe |
| PID 2248 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | "C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe" |
| C:\Users\Admin\AppData\Local\Temp\ssme.exe | "C:\Users\Admin\AppData\Local\Temp\ssme.exe" |
| C:\Users\Admin\AppData\Local\Temp\faame.exe | "C:\Users\Admin\AppData\Local\Temp\faame.exe" |
| C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | "C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe" |
| C:\Users\Admin\AppData\Local\Temp\faame.exe | "C:\Users\Admin\AppData\Local\Temp\faame.exe" |
| C:\Users\Admin\AppData\Local\Temp\ssme.exe | "C:\Users\Admin\AppData\Local\Temp\ssme.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 772 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | milsom.ug | udp |
| US | 8.8.8.8:53 | ailsom.ac.ug | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\ssme.exe
| Algorithm | Digest |
| MD5 | 59337e167d10c145b4907027b618ae62 |
| SHA1 | 8a7b0f563297f060a8f2cbcc32b8bac7028bbd6b |
| SHA256 | b22e796ca4e1031b444aafbcd498fefe0cbc1f6fd37334090529be8c9bc14cf4 |
| SHA512 | 40ceae1055f7cf9bb9068c84bb7b29a37eb4720fa30de709e82a96335a2c71b8a58a51b2543b277b4d2b6362339280f6dc5dd7000247589b2d75692cad7c6e52 |
\Users\Admin\AppData\Local\Temp\faame.exe
| Algorithm | Digest |
| MD5 | 2618de7ce265814bb7c9db2d040a648c |
| SHA1 | 8124cdb548ade9b39c84cc3d87de270e46bd0496 |
| SHA256 | 0ee0befc1f8446bc1a86d0c18ad5674520c779434eb3a78ea0d64be1ef5d7622 |
| SHA512 | 925e1a29e20bd343132b465504245643f6fc345bd42cc75944278a6559e919dabf606e8b56a36ca3aec2780c12981065ffa08f273adfe828084758af3702e253 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-19 10:50
Reported
2023-12-19 13:28
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
160s
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1060 set thread context of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe |
| PID 684 set thread context of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | C:\Users\Admin\AppData\Local\Temp\ssme.exe |
| PID 1772 set thread context of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | "C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe" |
| C:\Users\Admin\AppData\Local\Temp\ssme.exe | "C:\Users\Admin\AppData\Local\Temp\ssme.exe" |
| C:\Users\Admin\AppData\Local\Temp\faame.exe | "C:\Users\Admin\AppData\Local\Temp\faame.exe" |
| C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe | "C:\Users\Admin\AppData\Local\Temp\0d0bfea25b921d11907d61def9e94c6e.exe" |
| C:\Users\Admin\AppData\Local\Temp\ssme.exe | "C:\Users\Admin\AppData\Local\Temp\ssme.exe" |
| C:\Users\Admin\AppData\Local\Temp\faame.exe | "C:\Users\Admin\AppData\Local\Temp\faame.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 656 -ip 656 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1304 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ailsom.ac.ug | udp |
| US | 8.8.8.8:53 | milsom.ug | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ssme.exe
| Algorithm | Digest |
| MD5 | 59337e167d10c145b4907027b618ae62 |
| SHA1 | 8a7b0f563297f060a8f2cbcc32b8bac7028bbd6b |
| SHA256 | b22e796ca4e1031b444aafbcd498fefe0cbc1f6fd37334090529be8c9bc14cf4 |
| SHA512 | 40ceae1055f7cf9bb9068c84bb7b29a37eb4720fa30de709e82a96335a2c71b8a58a51b2543b277b4d2b6362339280f6dc5dd7000247589b2d75692cad7c6e52 |
C:\Users\Admin\AppData\Local\Temp\faame.exe
| Algorithm | Digest |
| MD5 | 2618de7ce265814bb7c9db2d040a648c |
| SHA1 | 8124cdb548ade9b39c84cc3d87de270e46bd0496 |
| SHA256 | 0ee0befc1f8446bc1a86d0c18ad5674520c779434eb3a78ea0d64be1ef5d7622 |
| SHA512 | 925e1a29e20bd343132b465504245643f6fc345bd42cc75944278a6559e919dabf606e8b56a36ca3aec2780c12981065ffa08f273adfe828084758af3702e253 |