Analysis Overview
SHA256
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
Threat Level: Known bad
The file be1aaef37143496d75cb83643ff63f8c was found to be: Known bad.
Malicious Activity Summary
Azorult
Raccoon Stealer V1 payload
Raccoon
Oski
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-10 08:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 08:12
Reported
2024-03-10 08:15
Platform
win7-20231129-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 08:12
Reported
2024-03-10 08:15
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4952 set thread context of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe |
| PID 4860 set thread context of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe |
| PID 3468 set thread context of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3340 -ip 3340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1280
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | mazooyaar.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | mazoyer.ac.ug | udp |
| DE | 185.53.177.54:443 | telete.in | tcp |
| US | 8.8.8.8:53 | mazoyer.ac.ug | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.177.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/4952-2-0x0000000077AE2000-0x0000000077AE3000-memory.dmp
memory/4952-3-0x0000000000800000-0x0000000000801000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
| MD5 | 2c065af519ad099f60a7286e3f0dc1d3 |
| SHA1 | 15b7a2da624a9cb2e7750dfc17ca853520e99e01 |
| SHA256 | 822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17 |
| SHA512 | f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a |
C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
| MD5 | b0ba9efb326279b8afe5e8a2656588ea |
| SHA1 | eb42914b53580850dd56dcf6ddc80334d3bfcb45 |
| SHA256 | 6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7 |
| SHA512 | cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a |
memory/4860-29-0x00000000006F0000-0x00000000006F1000-memory.dmp
memory/3468-31-0x0000000000980000-0x0000000000981000-memory.dmp
memory/4952-32-0x0000000002D10000-0x0000000002D17000-memory.dmp
memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp
memory/3468-36-0x0000000000990000-0x0000000000997000-memory.dmp
memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp
memory/3340-38-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3340-40-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp
memory/4860-34-0x0000000000910000-0x0000000000917000-memory.dmp
memory/4860-49-0x0000000000910000-0x0000000000917000-memory.dmp
memory/4944-45-0x0000000000610000-0x0000000000611000-memory.dmp
memory/4944-43-0x0000000077AE2000-0x0000000077AE3000-memory.dmp
memory/3208-42-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3340-44-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3340-50-0x0000000077AE2000-0x0000000077AE3000-memory.dmp
memory/3208-54-0x0000000077AE2000-0x0000000077AE3000-memory.dmp
memory/3208-55-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3208-51-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3340-52-0x0000000002050000-0x0000000002051000-memory.dmp
memory/3208-56-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/3208-57-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3208-58-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3340-62-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3340-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp
memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp