Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-03-2024 08:12
Static task: static1
Behavioral task: behavioral1
  Sample: be1aaef37143496d75cb83643ff63f8c.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: be1aaef37143496d75cb83643ff63f8c.exe
  Resource: win10v2004-20240226-en
General
Target: be1aaef37143496d75cb83643ff63f8c.exe
Size: 968KB
MD5: be1aaef37143496d75cb83643ff63f8c
SHA1: 849a5bfbfdc16cad6c10edbaadcc4bad71756620
SHA256: b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
SHA512: 478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737
SSDEEP: 24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgL:waWNC7hLVVL1sX3WxKZKgW2hrKd7jE
Malware Config
Extracted: raccoon
  43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3
  url4cnc: https://telete.in/brikitiki
Extracted: oski
  mazooyaar.ac.ug
Extracted: azorult
  http://195.245.112.115/index.php
Signatures

Azorult
An information stealer first seen in 2016; it collects browsing history and saved passwords.

Oski
An information stealer that collects browser data and cryptocurrency wallets.

Raccoon Stealer V1 payload (5 IoCs)
resource | yara_rule
behavioral2/memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp | family_raccoon_v1
behavioral2/memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp | family_raccoon_v1
behavioral2/memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp | family_raccoon_v1
behavioral2/memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp | family_raccoon_v1
behavioral2/memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp | family_raccoon_v1

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely to geofence execution.
process | description | ioc
be1aaef37143496d75cb83643ff63f8c.exe | Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (4 IoCs)
pid | process
4860 | vcxfse.exe
3468 | cbvjns.exe
3340 | vcxfse.exe
3208 | cbvjns.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 4952 set thread context of 4944 | 4952 | be1aaef37143496d75cb83643ff63f8c.exe | be1aaef37143496d75cb83643ff63f8c.exe
PID 4860 set thread context of 3340 | 4860 | vcxfse.exe | vcxfse.exe
PID 3468 set thread context of 3208 | 3468 | cbvjns.exe | cbvjns.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | process | target process
3684 | 3340 | WerFault.exe | vcxfse.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | process
4952 | be1aaef37143496d75cb83643ff63f8c.exe
4860 | vcxfse.exe
3468 | cbvjns.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process
4952 | be1aaef37143496d75cb83643ff63f8c.exe
4860 | vcxfse.exe
3468 | cbvjns.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | target process | rows
PID 4952 wrote to memory of 4860 | 4952 | be1aaef37143496d75cb83643ff63f8c.exe | vcxfse.exe | 3
PID 4952 wrote to memory of 3468 | 4952 | be1aaef37143496d75cb83643ff63f8c.exe | cbvjns.exe | 3
PID 4952 wrote to memory of 4944 | 4952 | be1aaef37143496d75cb83643ff63f8c.exe | be1aaef37143496d75cb83643ff63f8c.exe | 4
PID 4860 wrote to memory of 3340 | 4860 | vcxfse.exe | vcxfse.exe | 4
PID 3468 wrote to memory of 3208 | 3468 | cbvjns.exe | cbvjns.exe | 4
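Read together, the SetThreadContext, MapViewOfSection and WriteProcessMemory rows above are the sandbox's view of process hollowing: each of the three parents starts a fresh copy of its own image, writes into it, then replaces the child's thread context, and the Raccoon payload is only found in the hollowed child 4944, never in the 968KB parent on disk. The Python below is an added example, not part of this report or of the sandbox that produced it. It parses those rows (reformatted one per line, same column order as the report), reconstructs the three parent/child hollowing pairs, separates them from the plain drop-and-launch of vcxfse.exe and cbvjns.exe (which were written to but never re-contexted), and tags the hollowed vcxfse.exe child that WerFault was later started for. The row format the regexes assume is the report's own; nothing else is taken from outside the page.

```python
"""Correlate injection IoCs from a sandbox report into process-hollowing chains.

Added example, not part of the report or the sandbox. The rows below are taken
from this report's SetThreadContext, WriteProcessMemory and Program crash tables,
one row per line; the regexes assume that column order (description, pid,
process, target process).
"""
import re
from collections import defaultdict

SET_THREAD_CONTEXT_ROWS = """
PID 4952 set thread context of 4944 4952 be1aaef37143496d75cb83643ff63f8c.exe be1aaef37143496d75cb83643ff63f8c.exe
PID 4860 set thread context of 3340 4860 vcxfse.exe vcxfse.exe
PID 3468 set thread context of 3208 3468 cbvjns.exe cbvjns.exe
"""

# The report lists every write; the repeats are kept so the count per pair survives.
WRITE_PROCESS_MEMORY_ROWS = """
PID 4952 wrote to memory of 4860 4952 be1aaef37143496d75cb83643ff63f8c.exe vcxfse.exe
PID 4952 wrote to memory of 4860 4952 be1aaef37143496d75cb83643ff63f8c.exe vcxfse.exe
PID 4952 wrote to memory of 4860 4952 be1aaef37143496d75cb83643ff63f8c.exe vcxfse.exe
PID 4952 wrote to memory of 3468 4952 be1aaef37143496d75cb83643ff63f8c.exe cbvjns.exe
PID 4952 wrote to memory of 3468 4952 be1aaef37143496d75cb83643ff63f8c.exe cbvjns.exe
PID 4952 wrote to memory of 3468 4952 be1aaef37143496d75cb83643ff63f8c.exe cbvjns.exe
PID 4952 wrote to memory of 4944 4952 be1aaef37143496d75cb83643ff63f8c.exe be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944 4952 be1aaef37143496d75cb83643ff63f8c.exe be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944 4952 be1aaef37143496d75cb83643ff63f8c.exe be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944 4952 be1aaef37143496d75cb83643ff63f8c.exe be1aaef37143496d75cb83643ff63f8c.exe
PID 4860 wrote to memory of 3340 4860 vcxfse.exe vcxfse.exe
PID 4860 wrote to memory of 3340 4860 vcxfse.exe vcxfse.exe
PID 4860 wrote to memory of 3340 4860 vcxfse.exe vcxfse.exe
PID 4860 wrote to memory of 3340 4860 vcxfse.exe vcxfse.exe
PID 3468 wrote to memory of 3208 3468 cbvjns.exe cbvjns.exe
PID 3468 wrote to memory of 3208 3468 cbvjns.exe cbvjns.exe
PID 3468 wrote to memory of 3208 3468 cbvjns.exe cbvjns.exe
PID 3468 wrote to memory of 3208 3468 cbvjns.exe cbvjns.exe
"""

# Program crash table: WerFault pid, pid WerFault was started for, process, target process.
CRASH_ROWS = """
3684 3340 WerFault.exe vcxfse.exe
"""

CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CRASH_RE = re.compile(r"^(\d+) (\d+) WerFault\.exe (\S+)$")


def _rows(block):
    return [ln.strip() for ln in block.strip().splitlines() if ln.strip()]


def parse_injections(ctx_rows, write_rows, crash_rows):
    """Aggregate, per (parent pid, child pid), what the sandbox recorded."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False})
    for kind, regex, rows in (("write", WRITE_RE, write_rows), ("ctx", CTX_RE, ctx_rows)):
        for row in _rows(rows):
            m = regex.match(row)
            if not m:
                raise ValueError(f"unrecognised {kind} row: {row!r}")
            rec = pairs[(int(m[1]), int(m[2]))]
            rec["parent_image"], rec["child_image"] = m[3], m[4]
            if kind == "write":
                rec["writes"] += 1
            else:
                rec["set_context"] = True
    crashed = set()
    for row in _rows(crash_rows):
        m = CRASH_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised crash row: {row!r}")
        crashed.add(int(m[2]))
    for (_, child), rec in pairs.items():
        rec["crashed"] = child in crashed
    return dict(pairs)


def find_hollowing(pairs):
    """Pairs where the parent both wrote into the child and replaced its thread
    context: the create-suspended, WriteProcessMemory, SetThreadContext sequence
    behind the report's injection signatures."""
    return [
        {"parent_pid": p, "child_pid": c, "image": rec["child_image"],
         "same_image": rec["parent_image"] == rec["child_image"],
         "writes": rec["writes"], "crashed": rec["crashed"]}
        for (p, c), rec in sorted(pairs.items())
        if rec["writes"] and rec["set_context"]
    ]


def plain_launches(pairs):
    """Children written to but never re-contexted. CreateProcess itself writes into
    a new child (three or four writes per launch in this report), so writes alone
    mean drop-and-run, not hollowing."""
    return sorted((p, c, rec["child_image"]) for (p, c), rec in pairs.items()
                  if rec["writes"] and not rec["set_context"])


def report():
    pairs = parse_injections(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, CRASH_ROWS)
    return find_hollowing(pairs), plain_launches(pairs)


if __name__ == "__main__":
    hollowed, launched = report()
    print(*hollowed, sep="\n")
    print("plain launches:", launched)
```

The same-image flag is what makes this sample's chains easy to spot in telemetry: a process that spawns its own executable suspended and then calls SetThreadContext on it is almost never legitimate, whereas WriteProcessMemory alone fires on every ordinary child launch and should not be alerted on by itself.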
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\vcxfse.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\vcxfse.exe (level 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
          - Executes dropped EXE

            C:\Windows\SysWOW64\WerFault.exe (level 4)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1280
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\cbvjns.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\cbvjns.exe (level 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"

C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3340 -ip 3340
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
  Filesize: 200KB
  MD5: b0ba9efb326279b8afe5e8a2656588ea
  SHA1: eb42914b53580850dd56dcf6ddc80334d3bfcb45
  SHA256: 6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7
  SHA512: cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
  Filesize: 248KB
  MD5: 2c065af519ad099f60a7286e3f0dc1d3
  SHA1: 15b7a2da624a9cb2e7750dfc17ca853520e99e01
  SHA256: 822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17
  SHA512: f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Memory dumps (dump | Filesize)
memory/3208-56-0x00000000005A0000-0x00000000005A1000-memory.dmp | 4KB
memory/3208-42-0x0000000000400000-0x0000000000424000-memory.dmp | 144KB
memory/3208-54-0x0000000077AE2000-0x0000000077AE3000-memory.dmp | 4KB
memory/3208-55-0x0000000000400000-0x0000000000424000-memory.dmp | 144KB
memory/3208-58-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/3208-57-0x0000000000400000-0x0000000000424000-memory.dmp | 144KB
memory/3208-51-0x0000000000400000-0x0000000000424000-memory.dmp | 144KB
memory/3340-52-0x0000000002050000-0x0000000002051000-memory.dmp | 4KB
memory/3340-38-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/3340-40-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/3340-44-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/3340-62-0x0000000000400000-0x0000000000434000-memory.dmp | 208KB
memory/3340-50-0x0000000077AE2000-0x0000000077AE3000-memory.dmp | 4KB
memory/3340-61-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/3468-36-0x0000000000990000-0x0000000000997000-memory.dmp | 28KB
memory/3468-31-0x0000000000980000-0x0000000000981000-memory.dmp | 4KB
memory/4860-49-0x0000000000910000-0x0000000000917000-memory.dmp | 28KB
memory/4860-34-0x0000000000910000-0x0000000000917000-memory.dmp | 28KB
memory/4860-29-0x00000000006F0000-0x00000000006F1000-memory.dmp | 4KB
memory/4944-43-0x0000000077AE2000-0x0000000077AE3000-memory.dmp | 4KB
memory/4944-45-0x0000000000610000-0x0000000000611000-memory.dmp | 4KB
memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB
memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB
memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB
memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp | 584KB
memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp | 600KB
memory/4952-2-0x0000000077AE2000-0x0000000077AE3000-memory.dmp | 4KB
memory/4952-32-0x0000000002D10000-0x0000000002D17000-memory.dmp | 28KB
memory/4952-3-0x0000000000800000-0x0000000000801000-memory.dmp | 4KB