Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-02-2024 00:50

General

  • Target

    8dcc97027d77b67586b46d6ba571d2b4.exe

  • Size

    1.5MB

  • MD5

    8dcc97027d77b67586b46d6ba571d2b4

  • SHA1

    ad22432eda3951e822f5a5ec37e66d503a4703eb

  • SHA256

    3bdaeb542939de272d46fa125a9fbfc4a2bb551c3a49c5fbb68d17c45a11446d

  • SHA512

    233a913966a876ad4d7604a4f9c646fabba8e2c6e5d5a125f2317e6168efa05aa001e7a183b293fc573717b540983777fcf17acfe9bb1c0ff98ced401ceedbbd

  • SSDEEP

    24576:i13JKz0ildRWDDD/I1bH1tORRC+ixrw3ORR1+h5LORR5+X1S:i15KzmD+T1toC+ixrw3o1+h5Lo5+X1S

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes
  • url4cnc

    https://telete.in/brikitiki

rc4.plain
rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

kullasa.ac.ug

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Oski

    Oski is an infostealer targeting browser data and crypto wallets.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Raccoon Stealer V1 payload 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe
    "C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\ProgramData\Vdgfgjkhsdwr.exe
      "C:\ProgramData\Vdgfgjkhsdwr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\ProgramData\Vdgfgjkhsdwr.exe
        "C:\ProgramData\Vdgfgjkhsdwr.exe"
        3⤵
        • Executes dropped EXE
        PID:2928
    • C:\ProgramData\Dropakcx.exe
      "C:\ProgramData\Dropakcx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\ProgramData\Dropakcx.exe
        "C:\ProgramData\Dropakcx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 780
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2852
    • C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe
      "C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"
      2⤵
      • Modifies system certificate store
      PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1
  • Modify Registry (T1112): 1

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery

  • System Information Discovery (T1082): 1

Collection

  • Data from Local System (T1005): 1

Downloads

  • C:\ProgramData\Dropakcx.exe
    Filesize

    444KB

    MD5

    e21551a13085e0ba0fad3e733d807559

    SHA1

    87aeaaf58c1d8cf23755697489267f289e7c5780

    SHA256

    abf5833a2ffa007792753f5d49fd21f00a2c8d20e623f57d9e3748c41fb1435a

    SHA512

    21497f7f742b5c2e61bd5b04e10eb71538d6bafd9c00aa793f9798a7035b9c02ac80bce3baa38d6e97a10239df726246a157b8c7db5ceffc31937187659ac189

  • C:\ProgramData\Dropakcx.exe
    Filesize

    351KB

    MD5

    c8743b5adf8d41b30759e0b3cf90d5e9

    SHA1

    ebde06255cf726e4eaa6c4568c958cb9c34b92dd

    SHA256

    a1531f02c5b450aec494f892131135e7a84945f72b9197a5d8c5e604b23b5dc7

    SHA512

    5aa27e97ef87b21945958485381032e031af7200ffda8a2931c7108d483bfe27e6c890b71774c6bd3b9e7a0f327a5e1477d31e981971f3a8fbc1441077f34cb7

  • C:\ProgramData\Vdgfgjkhsdwr.exe
    Filesize

    315KB

    MD5

    3b44bd97a18196b7960831f0a90baf41

    SHA1

    3e6b918a2d29a17b9419ea260786db705ba2794a

    SHA256

    c9c838a115a9c9f662e324f5f34be5f4275e73b64b1061672fa7ec88f3dd0eca

    SHA512

    cc3807218fe08dc903bebe76656148c1426b938bf09cd8f6fb28ef4ad8f3bf893cb4706790fa82f835fefff3f34d70763ec53eb2142b1a3ebe6c8e42e08778de

  • C:\ProgramData\Vdgfgjkhsdwr.exe
    Filesize

    375KB

    MD5

    e67dabcc0cfd964ada27a2c160ce253e

    SHA1

    88b4c598a8fe62e2cd38046f26ba9ba7a6d368c5

    SHA256

    2ab840136702c6336403dbd913f3910135b622accb4c8fb585ca96085e9419a1

    SHA512

    5f0ac2f2595026da34ff71717f1410efac14a0aa4b38bddb7643c235c9ee3f00673d3f27719eee8d970f403ac55986050bee1355bd6c22b7ff77807d983b8e03

  • \ProgramData\Dropakcx.exe
    Filesize

    331KB

    MD5

    e2b1a6633acfe733f9efdadd2f3ab690

    SHA1

    dc88d002bd93ff1a3ae48f7815013046931a8230

    SHA256

    59ba611c8762341a28a470cef09c3fb57862db0b70dc6d6674e6281d74845d18

    SHA512

    55e0c9cfee285c0e7ba7aa7d6e30a75f65cf812d24463723cf4ac15e34ed6f2e568535913b0a0c38da23ac07e3e1addc3db111c85b6c7dc61a55e06bc47fabb4

  • \ProgramData\Vdgfgjkhsdwr.exe
    Filesize

    396KB

    MD5

    b92b398d4e25a976dc699f2099fa8452

    SHA1

    900e6fedf9898adbbc5f3dc7185372ffb811c8ad

    SHA256

    6deb2679783cdd1f005ef86488a11de88fe52443f31f0c6e481b51f307271177

    SHA512

    5b854a34d489a94d2b193af192cb0d9f224ef1b7d2d0cd50b119a9cd24693c720482e9ddf910b2e9e0ef44e8ad263aa4a69094b503a01ff9a177d8c2cef5f1ed

  • memory/1340-22-0x0000000002690000-0x0000000002698000-memory.dmp
    Filesize

    32KB

  • memory/1340-2-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2524-49-0x0000000000310000-0x0000000000311000-memory.dmp
    Filesize

    4KB

  • memory/2524-27-0x0000000000310000-0x0000000000311000-memory.dmp
    Filesize

    4KB

  • memory/2700-31-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize

    228KB

  • memory/2700-57-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/2700-59-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize

    228KB

  • memory/2700-40-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize

    228KB

  • memory/2700-44-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2700-47-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/2800-41-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize

    604KB

  • memory/2800-45-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize

    604KB

  • memory/2800-60-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize

    604KB

  • memory/2800-46-0x0000000000400000-0x0000000000492000-memory.dmp
    Filesize

    584KB

  • memory/2800-26-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize

    604KB

  • memory/2928-48-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/2928-37-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/3004-34-0x00000000001C0000-0x00000000001C1000-memory.dmp
    Filesize

    4KB