Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04-02-2024 00:50
Static task
static1
Behavioral task
behavioral1
Sample
8dcc97027d77b67586b46d6ba571d2b4.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8dcc97027d77b67586b46d6ba571d2b4.exe
Resource
win10v2004-20231215-en
General
-
Target
8dcc97027d77b67586b46d6ba571d2b4.exe
-
Size
1.5MB
-
MD5
8dcc97027d77b67586b46d6ba571d2b4
-
SHA1
ad22432eda3951e822f5a5ec37e66d503a4703eb
-
SHA256
3bdaeb542939de272d46fa125a9fbfc4a2bb551c3a49c5fbb68d17c45a11446d
-
SHA512
233a913966a876ad4d7604a4f9c646fabba8e2c6e5d5a125f2317e6168efa05aa001e7a183b293fc573717b540983777fcf17acfe9bb1c0ff98ced401ceedbbd
-
SSDEEP
24576:i13JKz0ildRWDDD/I1bH1tORRC+ixrw3ORR1+h5LORR5+X1S:i15KzmD+T1toC+ixrw3o1+h5Lo5+X1S
Malware Config
Extracted
raccoon
c81fb6015c832710f869f6911e1aec18747e0184
-
url4cnc
https://telete.in/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Extracted
oski
kullasa.ac.ug
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon Stealer V1 payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2800-26-0x0000000000400000-0x0000000000497000-memory.dmp family_raccoon_v1 behavioral1/memory/2800-41-0x0000000000400000-0x0000000000497000-memory.dmp family_raccoon_v1 behavioral1/memory/2800-45-0x0000000000400000-0x0000000000497000-memory.dmp family_raccoon_v1 behavioral1/memory/2800-46-0x0000000000400000-0x0000000000492000-memory.dmp family_raccoon_v1 behavioral1/memory/2800-60-0x0000000000400000-0x0000000000497000-memory.dmp family_raccoon_v1 -
Executes dropped EXE 4 IoCs
Processes:
Vdgfgjkhsdwr.exeDropakcx.exeDropakcx.exeVdgfgjkhsdwr.exepid process 3004 Vdgfgjkhsdwr.exe 2524 Dropakcx.exe 2700 Dropakcx.exe 2928 Vdgfgjkhsdwr.exe -
Loads dropped DLL 11 IoCs
Processes:
8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exeWerFault.exepid process 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 2524 Dropakcx.exe 3004 Vdgfgjkhsdwr.exe 2852 WerFault.exe 2852 WerFault.exe 2852 WerFault.exe 2852 WerFault.exe 2852 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exedescription pid process target process PID 1340 set thread context of 2800 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 8dcc97027d77b67586b46d6ba571d2b4.exe PID 2524 set thread context of 2700 2524 Dropakcx.exe Dropakcx.exe PID 3004 set thread context of 2928 3004 Vdgfgjkhsdwr.exe Vdgfgjkhsdwr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2852 2700 WerFault.exe Dropakcx.exe -
Processes:
8dcc97027d77b67586b46d6ba571d2b4.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 8dcc97027d77b67586b46d6ba571d2b4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 8dcc97027d77b67586b46d6ba571d2b4.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exepid process 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 2524 Dropakcx.exe 3004 Vdgfgjkhsdwr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exepid process 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 2524 Dropakcx.exe 3004 Vdgfgjkhsdwr.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exeDropakcx.exedescription pid process target process PID 1340 wrote to memory of 3004 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Vdgfgjkhsdwr.exe PID 1340 wrote to memory of 3004 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Vdgfgjkhsdwr.exe PID 1340 wrote to memory of 3004 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Vdgfgjkhsdwr.exe PID 1340 wrote to memory of 3004 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Vdgfgjkhsdwr.exe PID 1340 wrote to memory of 2524 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Dropakcx.exe PID 1340 wrote to memory of 2524 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Dropakcx.exe PID 1340 wrote to memory of 2524 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Dropakcx.exe PID 1340 wrote to memory of 2524 1340 8dcc97027d77b67586b46d6ba571d2b4.exe Dropakcx.exe PID 1340 wrote to memory of 2800 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 8dcc97027d77b67586b46d6ba571d2b4.exe PID 1340 wrote to memory of 2800 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 8dcc97027d77b67586b46d6ba571d2b4.exe PID 1340 wrote to memory of 2800 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 8dcc97027d77b67586b46d6ba571d2b4.exe PID 1340 wrote to memory of 2800 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 8dcc97027d77b67586b46d6ba571d2b4.exe PID 1340 wrote to memory of 2800 1340 8dcc97027d77b67586b46d6ba571d2b4.exe 8dcc97027d77b67586b46d6ba571d2b4.exe PID 2524 wrote to memory of 2700 2524 Dropakcx.exe Dropakcx.exe PID 2524 wrote to memory of 2700 2524 Dropakcx.exe Dropakcx.exe PID 2524 wrote to memory of 2700 2524 Dropakcx.exe Dropakcx.exe PID 2524 wrote to memory of 2700 2524 Dropakcx.exe Dropakcx.exe PID 2524 wrote to memory of 2700 2524 Dropakcx.exe Dropakcx.exe PID 3004 wrote to memory of 2928 3004 Vdgfgjkhsdwr.exe Vdgfgjkhsdwr.exe PID 3004 wrote to memory of 2928 3004 Vdgfgjkhsdwr.exe Vdgfgjkhsdwr.exe PID 3004 wrote to memory of 2928 3004 Vdgfgjkhsdwr.exe Vdgfgjkhsdwr.exe PID 3004 wrote to memory of 2928 3004 Vdgfgjkhsdwr.exe Vdgfgjkhsdwr.exe PID 3004 wrote to memory of 2928 3004 Vdgfgjkhsdwr.exe Vdgfgjkhsdwr.exe PID 2700 wrote to memory of 2852 2700 Dropakcx.exe WerFault.exe PID 2700 wrote to memory of 2852 2700 Dropakcx.exe WerFault.exe PID 2700 wrote to memory of 2852 2700 Dropakcx.exe WerFault.exe PID 2700 wrote to memory of 2852 2700 Dropakcx.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Vdgfgjkhsdwr.exe"C:\ProgramData\Vdgfgjkhsdwr.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Vdgfgjkhsdwr.exe"C:\ProgramData\Vdgfgjkhsdwr.exe"3⤵
- Executes dropped EXE
-
C:\ProgramData\Dropakcx.exe"C:\ProgramData\Dropakcx.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Dropakcx.exe"C:\ProgramData\Dropakcx.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 7804⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"2⤵
- Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Dropakcx.exeFilesize
444KB
MD5e21551a13085e0ba0fad3e733d807559
SHA187aeaaf58c1d8cf23755697489267f289e7c5780
SHA256abf5833a2ffa007792753f5d49fd21f00a2c8d20e623f57d9e3748c41fb1435a
SHA51221497f7f742b5c2e61bd5b04e10eb71538d6bafd9c00aa793f9798a7035b9c02ac80bce3baa38d6e97a10239df726246a157b8c7db5ceffc31937187659ac189
-
C:\ProgramData\Dropakcx.exeFilesize
351KB
MD5c8743b5adf8d41b30759e0b3cf90d5e9
SHA1ebde06255cf726e4eaa6c4568c958cb9c34b92dd
SHA256a1531f02c5b450aec494f892131135e7a84945f72b9197a5d8c5e604b23b5dc7
SHA5125aa27e97ef87b21945958485381032e031af7200ffda8a2931c7108d483bfe27e6c890b71774c6bd3b9e7a0f327a5e1477d31e981971f3a8fbc1441077f34cb7
-
C:\ProgramData\Vdgfgjkhsdwr.exeFilesize
315KB
MD53b44bd97a18196b7960831f0a90baf41
SHA13e6b918a2d29a17b9419ea260786db705ba2794a
SHA256c9c838a115a9c9f662e324f5f34be5f4275e73b64b1061672fa7ec88f3dd0eca
SHA512cc3807218fe08dc903bebe76656148c1426b938bf09cd8f6fb28ef4ad8f3bf893cb4706790fa82f835fefff3f34d70763ec53eb2142b1a3ebe6c8e42e08778de
-
C:\ProgramData\Vdgfgjkhsdwr.exeFilesize
375KB
MD5e67dabcc0cfd964ada27a2c160ce253e
SHA188b4c598a8fe62e2cd38046f26ba9ba7a6d368c5
SHA2562ab840136702c6336403dbd913f3910135b622accb4c8fb585ca96085e9419a1
SHA5125f0ac2f2595026da34ff71717f1410efac14a0aa4b38bddb7643c235c9ee3f00673d3f27719eee8d970f403ac55986050bee1355bd6c22b7ff77807d983b8e03
-
\ProgramData\Dropakcx.exeFilesize
331KB
MD5e2b1a6633acfe733f9efdadd2f3ab690
SHA1dc88d002bd93ff1a3ae48f7815013046931a8230
SHA25659ba611c8762341a28a470cef09c3fb57862db0b70dc6d6674e6281d74845d18
SHA51255e0c9cfee285c0e7ba7aa7d6e30a75f65cf812d24463723cf4ac15e34ed6f2e568535913b0a0c38da23ac07e3e1addc3db111c85b6c7dc61a55e06bc47fabb4
-
\ProgramData\Vdgfgjkhsdwr.exeFilesize
396KB
MD5b92b398d4e25a976dc699f2099fa8452
SHA1900e6fedf9898adbbc5f3dc7185372ffb811c8ad
SHA2566deb2679783cdd1f005ef86488a11de88fe52443f31f0c6e481b51f307271177
SHA5125b854a34d489a94d2b193af192cb0d9f224ef1b7d2d0cd50b119a9cd24693c720482e9ddf910b2e9e0ef44e8ad263aa4a69094b503a01ff9a177d8c2cef5f1ed
-
memory/1340-22-0x0000000002690000-0x0000000002698000-memory.dmpFilesize
32KB
-
memory/1340-2-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2524-49-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2524-27-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2700-31-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2700-57-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2700-59-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2700-40-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2700-44-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2700-47-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2800-41-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2800-45-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2800-60-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2800-46-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/2800-26-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2928-48-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2928-37-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/3004-34-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB