Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
22-12-2023 15:22
Static task
static1
Behavioral task
behavioral1
Sample
d95b0b49d1297b2575f3df70d569f294.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
d95b0b49d1297b2575f3df70d569f294.exe
Resource
win10v2004-20231215-en
General
-
Target
d95b0b49d1297b2575f3df70d569f294.exe
-
Size
968KB
-
MD5
d95b0b49d1297b2575f3df70d569f294
-
SHA1
8cce459259d4aa52e7ec0c740ba5a9e0583fc250
-
SHA256
ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30
-
SHA512
b7d753fcfc488415f706d5e525527716cd9c271e1d9a28204d75e914cd62e565c9389591d130fc1a8527a50112a5a88bbe2ed8554ebeabdfc3616ff91797a8dd
-
SSDEEP
24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgp:waWNC7hLVVL1sX3WxKZKgW2hrKd7j6
Malware Config
Extracted
raccoon
43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3
-
url4cnc
https://telete.in/brikitiki
Extracted
oski
mazooyaar.ac.ug
Extracted
azorult
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon Stealer V1 payload 4 IoCs
resource yara_rule behavioral1/memory/2768-26-0x0000000000400000-0x0000000000496000-memory.dmp family_raccoon_v1 behavioral1/memory/2768-42-0x0000000000400000-0x0000000000496000-memory.dmp family_raccoon_v1 behavioral1/memory/2768-48-0x0000000000400000-0x0000000000492000-memory.dmp family_raccoon_v1 behavioral1/memory/2768-60-0x0000000000400000-0x0000000000496000-memory.dmp family_raccoon_v1 -
Executes dropped EXE 4 IoCs
pid Process 2084 vcxfse.exe 1856 cbvjns.exe 2484 cbvjns.exe 2332 vcxfse.exe -
Loads dropped DLL 11 IoCs
pid Process 320 d95b0b49d1297b2575f3df70d569f294.exe 320 d95b0b49d1297b2575f3df70d569f294.exe 320 d95b0b49d1297b2575f3df70d569f294.exe 320 d95b0b49d1297b2575f3df70d569f294.exe 1856 cbvjns.exe 2084 vcxfse.exe 1480 WerFault.exe 1480 WerFault.exe 1480 WerFault.exe 1480 WerFault.exe 1480 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 320 set thread context of 2768 320 d95b0b49d1297b2575f3df70d569f294.exe 31 PID 1856 set thread context of 2484 1856 cbvjns.exe 30 PID 2084 set thread context of 2332 2084 vcxfse.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1480 2332 WerFault.exe 29 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 d95b0b49d1297b2575f3df70d569f294.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 d95b0b49d1297b2575f3df70d569f294.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 320 d95b0b49d1297b2575f3df70d569f294.exe 1856 cbvjns.exe 2084 vcxfse.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 320 d95b0b49d1297b2575f3df70d569f294.exe 1856 cbvjns.exe 2084 vcxfse.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 320 wrote to memory of 2084 320 d95b0b49d1297b2575f3df70d569f294.exe 28 PID 320 wrote to memory of 2084 320 d95b0b49d1297b2575f3df70d569f294.exe 28 PID 320 wrote to memory of 2084 320 d95b0b49d1297b2575f3df70d569f294.exe 28 PID 320 wrote to memory of 2084 320 d95b0b49d1297b2575f3df70d569f294.exe 28 PID 320 wrote to memory of 1856 320 d95b0b49d1297b2575f3df70d569f294.exe 32 PID 320 wrote to memory of 1856 320 d95b0b49d1297b2575f3df70d569f294.exe 32 PID 320 wrote to memory of 1856 320 d95b0b49d1297b2575f3df70d569f294.exe 32 PID 320 wrote to memory of 1856 320 d95b0b49d1297b2575f3df70d569f294.exe 32 PID 320 wrote to memory of 2768 320 d95b0b49d1297b2575f3df70d569f294.exe 31 PID 320 wrote to memory of 2768 320 d95b0b49d1297b2575f3df70d569f294.exe 31 PID 320 wrote to memory of 2768 320 d95b0b49d1297b2575f3df70d569f294.exe 31 PID 320 wrote to memory of 2768 320 d95b0b49d1297b2575f3df70d569f294.exe 31 PID 320 wrote to memory of 2768 320 d95b0b49d1297b2575f3df70d569f294.exe 31 PID 1856 wrote to memory of 2484 1856 cbvjns.exe 30 PID 1856 wrote to memory of 2484 1856 cbvjns.exe 30 PID 1856 wrote to memory of 2484 1856 cbvjns.exe 30 PID 1856 wrote to memory of 2484 1856 cbvjns.exe 30 PID 1856 wrote to memory of 2484 1856 cbvjns.exe 30 PID 2084 wrote to memory of 2332 2084 vcxfse.exe 29 PID 2084 wrote to memory of 2332 2084 vcxfse.exe 29 PID 2084 wrote to memory of 2332 2084 vcxfse.exe 29 PID 2084 wrote to memory of 2332 2084 vcxfse.exe 29 PID 2084 wrote to memory of 2332 2084 vcxfse.exe 29 PID 2332 wrote to memory of 1480 2332 vcxfse.exe 36 PID 2332 wrote to memory of 1480 2332 vcxfse.exe 36 PID 2332 wrote to memory of 1480 2332 vcxfse.exe 36 PID 2332 wrote to memory of 1480 2332 vcxfse.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 6884⤵
- Loads dropped DLL
- Program crash
PID:1480
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"2⤵
- Modifies system certificate store
PID:2768
-
-
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
-
-
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"1⤵
- Executes dropped EXE
PID:2484
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5f7827eb2162c2502724c743c05f18328
SHA12c6689558745f8cd3fb73b32ade3749cfbd0e559
SHA256d33336cd7a50482a7fcf58336bc64668db37db3964b9f83ff5504b28cce633f3
SHA512ef7178dc24ca084a91df37f496d744de358611ab6394d1be614a80d7836e4a7eeac6c74f87c60f1612dc012c2e548469db94b0b6c5b35513094efd15243a91ae
-
Filesize
200KB
MD5b0ba9efb326279b8afe5e8a2656588ea
SHA1eb42914b53580850dd56dcf6ddc80334d3bfcb45
SHA2566950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7
SHA512cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a
-
Filesize
93KB
MD50c78e99f91388822e01f3f200aeaadb5
SHA16f86564149892392b7bcd43f00817d31e20263ce
SHA2569466c3f8978889516d0c74ead1968b132ed2d2cf383272da66500c948ae9db1b
SHA51286365d7ac406b7c78c9d7dd7da540da946e56510517a4479c08b375c2d8cd4dff21e8b864188d6435965a36bff2125ee521e11bcf2f96dbe11bb4e00df610f41
-
Filesize
248KB
MD52c065af519ad099f60a7286e3f0dc1d3
SHA115b7a2da624a9cb2e7750dfc17ca853520e99e01
SHA256822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17
SHA512f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a