Analysis
max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
29-01-2024 11:10
Static task
static1
Behavioral task
behavioral1
Sample
7fb10b8ea68c1e0064730018fca3cb39.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7fb10b8ea68c1e0064730018fca3cb39.exe
Resource
win10v2004-20231215-en
General
-
Target
7fb10b8ea68c1e0064730018fca3cb39.exe
-
Size
992KB
-
MD5
7fb10b8ea68c1e0064730018fca3cb39
-
SHA1
41c371b7053bcf1b7867aeada51e716650afa19a
-
SHA256
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
-
SHA512
ffe7dd92b0e97fe67bac000ff14bb299d5a0ef353ce965389d52715b9048ec61f9855c6ef8f16dd423f60d490cc2321d3c35e4a6277f2319ec0c482e288bc3aa
-
SSDEEP
24576:/E0lHcgqgh7/0tgIugNw6GQlGDI/NKs/Y:/Ew8gXYzVtGQVNn/Y
Malware Config
Extracted
oski
danielmax.ac.ug
Extracted
raccoon
1.7.3
fe25b858c52ebb889260990dc343e5dbcf4a96e4
-
url4cnc
https://telete.in/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data and cryptocurrency wallets.
-
Raccoon Stealer V1 payload 6 IoCs
resource  |  yara_rule
behavioral2/memory/2568-39-0x0000000000400000-0x000000000049A000-memory.dmp  |  family_raccoon_v1
behavioral2/memory/2568-43-0x0000000000400000-0x000000000049A000-memory.dmp  |  family_raccoon_v1
behavioral2/memory/2568-35-0x0000000000400000-0x000000000049A000-memory.dmp  |  family_raccoon_v1
behavioral2/memory/2568-34-0x0000000000400000-0x000000000049A000-memory.dmp  |  family_raccoon_v1
behavioral2/memory/2568-60-0x0000000000400000-0x0000000000495000-memory.dmp  |  family_raccoon_v1
behavioral2/memory/2568-61-0x0000000000400000-0x000000000049A000-memory.dmp  |  family_raccoon_v1
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description  |  ioc  |  Process
Key value queried  |  \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  |  7fb10b8ea68c1e0064730018fca3cb39.exe
Executes dropped EXE 4 IoCs
pid  |  Process
1456  |  GFDyrtucbvfdg.exe
3708  |  DSFnbyhgfrtydfg.exe
3312  |  DSFnbyhgfrtydfg.exe
3040  |  GFDyrtucbvfdg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Suspicious use of SetThreadContext 3 IoCs
description  |  pid  |  Process  |  procid_target
PID 3708 set thread context of 3312  |  3708  |  DSFnbyhgfrtydfg.exe  |  88
PID 960 set thread context of 2568  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  87
PID 1456 set thread context of 3040  |  1456  |  GFDyrtucbvfdg.exe  |  89
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid  |  pid_target  |  Process  |  procid_target
1916  |  3312  |  WerFault.exe  |  88
Suspicious behavior: MapViewOfSection 3 IoCs
pid  |  Process
3708  |  DSFnbyhgfrtydfg.exe
960  |  7fb10b8ea68c1e0064730018fca3cb39.exe
1456  |  GFDyrtucbvfdg.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid  |  Process
960  |  7fb10b8ea68c1e0064730018fca3cb39.exe
1456  |  GFDyrtucbvfdg.exe
3708  |  DSFnbyhgfrtydfg.exe
Suspicious use of WriteProcessMemory 18 IoCs
description  |  pid  |  Process  |  procid_target
PID 960 wrote to memory of 1456  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  85
PID 960 wrote to memory of 1456  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  85
PID 960 wrote to memory of 1456  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  85
PID 960 wrote to memory of 3708  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  86
PID 960 wrote to memory of 3708  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  86
PID 960 wrote to memory of 3708  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  86
PID 3708 wrote to memory of 3312  |  3708  |  DSFnbyhgfrtydfg.exe  |  88
PID 3708 wrote to memory of 3312  |  3708  |  DSFnbyhgfrtydfg.exe  |  88
PID 3708 wrote to memory of 3312  |  3708  |  DSFnbyhgfrtydfg.exe  |  88
PID 960 wrote to memory of 2568  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  87
PID 960 wrote to memory of 2568  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  87
PID 960 wrote to memory of 2568  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  87
PID 3708 wrote to memory of 3312  |  3708  |  DSFnbyhgfrtydfg.exe  |  88
PID 960 wrote to memory of 2568  |  960  |  7fb10b8ea68c1e0064730018fca3cb39.exe  |  87
PID 1456 wrote to memory of 3040  |  1456  |  GFDyrtucbvfdg.exe  |  89
PID 1456 wrote to memory of 3040  |  1456  |  GFDyrtucbvfdg.exe  |  89
PID 1456 wrote to memory of 3040  |  1456  |  GFDyrtucbvfdg.exe  |  89
PID 1456 wrote to memory of 3040  |  1456  |  GFDyrtucbvfdg.exe  |  89
Processes
C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"
  PID: 960
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\GFDyrtucbvfdg.exe
      command line: "C:\ProgramData\GFDyrtucbvfdg.exe"
      PID: 1456
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\ProgramData\GFDyrtucbvfdg.exe
          command line: "C:\ProgramData\GFDyrtucbvfdg.exe"
          PID: 3040
          - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
      command line: "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
      PID: 3708
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
          command line: "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
          PID: 3312
          - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1300
              PID: 1916
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"
      PID: 2568
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3312 -ip 3312
  PID: 4080
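The SetThreadContext, WriteProcessMemory and process-tree sections above, read together, describe the same thing three times: a process spawns a second copy of its own image, writes into it, and then replaces its thread context, which is the usual shape of process hollowing. The YARA table then ties the hollowed child of PID 960 (PID 2568, region 0x400000-0x49A000) to Raccoon. The script below is an added example, not part of the sandbox report, that reconstructs those chains from the report's own record strings: it parses the "PID X set thread context of Y" and "PID X wrote to memory of Y" descriptions plus the memory-dump names from the YARA table, and flags parent/child pairs that have both a write and a context change. The sample lines are copied from the tables above (the WriteProcessMemory set is reduced to one line per distinct pair); the pid-to-image map is taken from the process tree. The record format assumed by the regular expressions is inferred from this report only and may differ in other reports.

```python
"""Reconstruct process-hollowing chains from sandbox signature records.

Added example; not part of the sandbox report. Flags parent->child pairs
where the parent both wrote into the child and replaced its thread context,
and notes when the child is a second instance of the parent's own image.
"""
import re
from collections import defaultdict

# Constructed sample input: record strings copied from the report's tables.
SET_THREAD_CONTEXT = """
PID 3708 set thread context of 3312 3708 DSFnbyhgfrtydfg.exe 88
PID 960 set thread context of 2568 960 7fb10b8ea68c1e0064730018fca3cb39.exe 87
PID 1456 set thread context of 3040 1456 GFDyrtucbvfdg.exe 89
"""

# One line per distinct (writer, target) pair; the report repeats each several times.
WRITE_PROCESS_MEMORY = """
PID 960 wrote to memory of 1456 960 7fb10b8ea68c1e0064730018fca3cb39.exe 85
PID 960 wrote to memory of 3708 960 7fb10b8ea68c1e0064730018fca3cb39.exe 86
PID 3708 wrote to memory of 3312 3708 DSFnbyhgfrtydfg.exe 88
PID 960 wrote to memory of 2568 960 7fb10b8ea68c1e0064730018fca3cb39.exe 87
PID 1456 wrote to memory of 3040 1456 GFDyrtucbvfdg.exe 89
"""

# Two of the six YARA memory hits; the other four repeat the first region.
YARA_MEMORY_HITS = """
behavioral2/memory/2568-39-0x0000000000400000-0x000000000049A000-memory.dmp family_raccoon_v1
behavioral2/memory/2568-60-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon_v1
"""

# pid -> image name, taken from the report's process tree.
PROCESSES = {
    960: "7fb10b8ea68c1e0064730018fca3cb39.exe",
    1456: "GFDyrtucbvfdg.exe",
    3040: "GFDyrtucbvfdg.exe",
    3708: "DSFnbyhgfrtydfg.exe",
    3312: "DSFnbyhgfrtydfg.exe",
    2568: "7fb10b8ea68c1e0064730018fca3cb39.exe",
    1916: "WerFault.exe",
}

# Assumed record shape: "PID <src> <action> <dst> <src> <src image> <procid_target>"
RECORD_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) \d+$"
)
# Assumed dump-name shape: "behavioralN/memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp <rule>"
DUMP_RE = re.compile(
    r"^behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$"
)


def parse_records(text):
    """Return (src_pid, action, dst_pid, src_image) tuples; malformed lines are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return out


def parse_yara_hits(text):
    """Map pid -> {(rule, base, size)} for in-memory YARA matches."""
    hits = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            hits[pid].add((m.group(4), base, end - base))
    return dict(hits)


def find_hollowing(processes, ctx_text, wpm_text, yara_text):
    """Flag (src, dst) pairs that show both a memory write and a thread-context change."""
    writers = {(s, d) for s, _, d, _ in parse_records(wpm_text)}
    hits = parse_yara_hits(yara_text)
    findings = []
    for src, _, dst, src_image in parse_records(ctx_text):
        if (src, dst) not in writers:
            continue  # context change without a write into the target: not hollowing by this rule
        findings.append({
            "parent": src,
            "child": dst,
            "image": src_image,
            "same_image": processes.get(dst) == src_image,  # child is a copy of the parent's own image
            "families": sorted({rule for rule, _, _ in hits.get(dst, ())}),
            "regions": sorted({(base, size) for _, base, size in hits.get(dst, ())}),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, YARA_MEMORY_HITS):
        kind = "self-hollow" if f["same_image"] else "inject"
        print(f"{f['parent']} -> {f['child']} ({f['image']}, {kind}) families={f['families']}")
```

Run against the report's records this yields three self-hollowing pairs (3708 to 3312, 960 to 2568, 1456 to 3040); the writes from 960 into 1456 and 3708 are not flagged because no SetThreadContext record pairs with them, which matches those two being ordinary child launches of the dropped executables rather than hollowed hosts. Only the 960 to 2568 pair carries a YARA family label, since the Raccoon hits are all on PID 2568's memory.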
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
204KB
MD5
701f6f95d5e205b53b3a74403d46981a
SHA1
3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256
36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512
a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

Filesize
252KB
MD5
93fffc6736b1dd95a4f4e88734e9d540
SHA1
509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256
80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512
d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed