Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 17:05
Static task: static1
Behavioral task: behavioral1
  Sample: 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
  Resource: win10v2004-20231215-en
General
Target: 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
Size: 928KB
MD5: 3a9684c70496f68a3cbd54fcdcb2ee1c
SHA1: cf8fae3e2150be663e13f34760dd64f64e4ee7c4
SHA256: b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c
SHA512: 98c45b91d1015d9514a20cd876661dde7e5224542b7130a36d3e54c54d7c61b530b4d17999f2ffc34e0e6500d57831cbdc1716d42bd6f9548ec72335f0b33112
SSDEEP: 12288:eyQcYxggKGu0IRdqM5BLm75n8NYLo0HTrmhs2wIfOWTrrJ3TkczwF:/QcmggTu0IpLmmOL3Wh4Q1jdT1z4
Malware Config
Extracted: raccoon
  c81fb6015c832710f869f6911e1aec18747e0184
  url4cnc: https://telete.in/brikitiki
Extracted: oski
  gordonhk.ac.ug
Extracted: azorult
  http://195.245.112.115/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Oski
Oski is an infostealer targeting browser data and crypto wallets.
Raccoon Stealer V1 payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2840-21-0x0000000000400000-0x0000000000497000-memory.dmp | family_raccoon_v1
behavioral1/memory/2840-44-0x0000000000400000-0x0000000000497000-memory.dmp | family_raccoon_v1
behavioral1/memory/2840-47-0x0000000000400000-0x0000000000497000-memory.dmp | family_raccoon_v1
behavioral1/memory/2840-51-0x0000000000400000-0x0000000000492000-memory.dmp | family_raccoon_v1
behavioral1/memory/2840-60-0x0000000000400000-0x0000000000497000-memory.dmp | family_raccoon_v1
Executes dropped EXE 4 IoCs
Processes:
pid | process
2720 | Gerbvce.exe
2844 | FDaqnav.exe
2804 | FDaqnav.exe
2336 | Gerbvce.exe
Loads dropped DLL 11 IoCs
Processes:
pid | process
2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2844 | FDaqnav.exe
2720 | Gerbvce.exe
2680 | WerFault.exe
2680 | WerFault.exe
2680 | WerFault.exe
2680 | WerFault.exe
2680 | WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2772 set thread context of 2840 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2844 set thread context of 2804 | 2844 | FDaqnav.exe | FDaqnav.exe
PID 2720 set thread context of 2336 | 2720 | Gerbvce.exe | Gerbvce.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2680 | 2804 | WerFault.exe | FDaqnav.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid | process
2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2844 | FDaqnav.exe
2720 | Gerbvce.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2720 | Gerbvce.exe
2844 | FDaqnav.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 2772 wrote to memory of 2720 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | Gerbvce.exe
PID 2772 wrote to memory of 2720 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | Gerbvce.exe
PID 2772 wrote to memory of 2720 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | Gerbvce.exe
PID 2772 wrote to memory of 2720 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | Gerbvce.exe
PID 2772 wrote to memory of 2844 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | FDaqnav.exe
PID 2772 wrote to memory of 2844 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | FDaqnav.exe
PID 2772 wrote to memory of 2844 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | FDaqnav.exe
PID 2772 wrote to memory of 2844 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | FDaqnav.exe
PID 2772 wrote to memory of 2840 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840 | 2772 | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe | 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2844 wrote to memory of 2804 | 2844 | FDaqnav.exe | FDaqnav.exe
PID 2844 wrote to memory of 2804 | 2844 | FDaqnav.exe | FDaqnav.exe
PID 2844 wrote to memory of 2804 | 2844 | FDaqnav.exe | FDaqnav.exe
PID 2844 wrote to memory of 2804 | 2844 | FDaqnav.exe | FDaqnav.exe
PID 2844 wrote to memory of 2804 | 2844 | FDaqnav.exe | FDaqnav.exe
PID 2720 wrote to memory of 2336 | 2720 | Gerbvce.exe | Gerbvce.exe
PID 2720 wrote to memory of 2336 | 2720 | Gerbvce.exe | Gerbvce.exe
PID 2720 wrote to memory of 2336 | 2720 | Gerbvce.exe | Gerbvce.exe
PID 2720 wrote to memory of 2336 | 2720 | Gerbvce.exe | Gerbvce.exe
PID 2720 wrote to memory of 2336 | 2720 | Gerbvce.exe | Gerbvce.exe
PID 2804 wrote to memory of 2680 | 2804 | FDaqnav.exe | WerFault.exe
PID 2804 wrote to memory of 2680 | 2804 | FDaqnav.exe | WerFault.exe
PID 2804 wrote to memory of 2680 | 2804 | FDaqnav.exe | WerFault.exe
PID 2804 wrote to memory of 2680 | 2804 | FDaqnav.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe"
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 824
              - Loads dropped DLL
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe"
      - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\AppData\Local\Temp\FDaqnav.exe
  Filesize: 232KB
  MD5: 9234bd3aa66bbe301b7cf77e8576f820
  SHA1: 46d759d4feeb4e25fcdcad495457df9663175d41
  SHA256: ce85712c42070afa56c562527a150d513928284d20a0ba714ad0146f6ab9958a
  SHA512: 4d168c47eea0ceda42543f5b1d2bef6aa6378de0df21287fc38b43206ec2514c428afba6acc2e66c8940e78d528e3eaffd0e0001bdb7da6af18d1892a5fd4921
\Users\Admin\AppData\Local\Temp\Gerbvce.exe
  Filesize: 188KB
  MD5: 28acd195bfcdc02ed37f5d2d5dae52be
  SHA1: f8b7564585bc7cddf099faf1cec8de842d0d5cda
  SHA256: 20c8f4ef93504ffbc086e44879fb8bf729dc86b5e460d3bc2cb61e73bbc79790
  SHA512: c3247e8e153a6a5a7e5c1dc0b7f8503cf94866904bb145ef28e6bd10a2bdd539a21fb97a81ed5a6a6fa1a8b91824c066f391a8cd155f4639ceaee5d596ba3a23
memory/2336-49-0x0000000000400000-0x0000000000425000-memory.dmp  Filesize: 148KB
memory/2336-41-0x0000000000400000-0x0000000000425000-memory.dmp  Filesize: 148KB
memory/2336-50-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/2336-42-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
memory/2336-34-0x0000000000400000-0x0000000000425000-memory.dmp  Filesize: 148KB
memory/2336-39-0x0000000000400000-0x0000000000425000-memory.dmp  Filesize: 148KB
memory/2720-28-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
memory/2772-2-0x00000000001C0000-0x00000000001C1000-memory.dmp  Filesize: 4KB
memory/2772-23-0x0000000001CD0000-0x0000000001CD8000-memory.dmp  Filesize: 32KB
memory/2804-31-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
memory/2804-43-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
memory/2804-52-0x0000000000400000-0x0000000000434000-memory.dmp  Filesize: 208KB
memory/2804-54-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
memory/2804-62-0x0000000000400000-0x0000000000434000-memory.dmp  Filesize: 208KB
memory/2840-44-0x0000000000400000-0x0000000000497000-memory.dmp  Filesize: 604KB
memory/2840-47-0x0000000000400000-0x0000000000497000-memory.dmp  Filesize: 604KB
memory/2840-48-0x00000000001C0000-0x00000000001C1000-memory.dmp  Filesize: 4KB
memory/2840-21-0x0000000000400000-0x0000000000497000-memory.dmp  Filesize: 604KB
memory/2840-51-0x0000000000400000-0x0000000000492000-memory.dmp  Filesize: 584KB
memory/2840-60-0x0000000000400000-0x0000000000497000-memory.dmp  Filesize: 604KB