Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 23:45
Static task
static1
Behavioral task
behavioral1
Sample
67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Resource
win10v2004-20241007-en
General
-
Target
67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
-
Size
1012KB
-
MD5
7a346721a1641a389685b55d07e8eb92
-
SHA1
1e5ba0e54f475a754dad3583e32055a5f1974c90
-
SHA256
67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988
-
SHA512
dbe0f2c02537b8f00f54a3bf2493ba036ab06f74c1bdae789a77c888f0e4534a8b7784ba01a7cc9eee0c1646243df54a6671a3aee09b82566311aaeb9c280482
-
SSDEEP
12288:hxt6hRd3GUju9Al4QMe89d18EbVAXMJrQF0p4v9TH9yzsN2j33+RgshWtqU59d3y:hxQhf3DcA78DbVAXWQF0p2hNIeQqU5wd
Malware Config
Extracted
oski
scarsa.ac.ug
Extracted
azorult
http://195.245.112.115/index.php
Extracted
raccoon
b76017a227a0d879dec7c76613918569d03892fb
-
url4cnc
http://telegka.top/brikitiki
http://telegin.top/brikitiki
https://t.me/brikitiki
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Oski family
-
Raccoon Stealer V1 payload 4 IoCs
resource yara_rule behavioral1/memory/2172-44-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon_v1 behavioral1/memory/2172-38-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon_v1 behavioral1/memory/2172-52-0x0000000000400000-0x0000000000491000-memory.dmp family_raccoon_v1 behavioral1/memory/2172-71-0x0000000000400000-0x0000000000491000-memory.dmp family_raccoon_v1 -
Raccoon family
-
Executes dropped EXE 4 IoCs
pid Process 2340 Vtergfds.exe 2288 Vereransa.exe 1868 Vtergfds.exe 2768 Vereransa.exe -
Loads dropped DLL 11 IoCs
pid Process 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 2340 Vtergfds.exe 2288 Vereransa.exe 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2340 set thread context of 1868 2340 Vtergfds.exe 33 PID 2888 set thread context of 2172 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 34 PID 2288 set thread context of 2768 2288 Vereransa.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1668 2768 WerFault.exe 35 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vtergfds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vereransa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vtergfds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vereransa.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2340 Vtergfds.exe 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 2288 Vereransa.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 2340 Vtergfds.exe 2288 Vereransa.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2340 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 31 PID 2888 wrote to memory of 2340 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 31 PID 2888 wrote to memory of 2340 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 31 PID 2888 wrote to memory of 2340 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 31 PID 2888 wrote to memory of 2288 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 32 PID 2888 wrote to memory of 2288 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 32 PID 2888 wrote to memory of 2288 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 32 PID 2888 wrote to memory of 2288 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 32 PID 2340 wrote to memory of 1868 2340 Vtergfds.exe 33 PID 2340 wrote to memory of 1868 2340 Vtergfds.exe 33 PID 2340 wrote to memory of 1868 2340 Vtergfds.exe 33 PID 2340 wrote to memory of 1868 2340 Vtergfds.exe 33 PID 2340 wrote to memory of 1868 2340 Vtergfds.exe 33 PID 2888 wrote to memory of 2172 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 34 PID 2888 wrote to memory of 2172 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 34 PID 2888 wrote to memory of 2172 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 34 PID 2888 wrote to memory of 2172 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 34 PID 2888 wrote to memory of 2172 2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe 34 PID 2288 wrote to memory of 2768 2288 Vereransa.exe 35 PID 2288 wrote to memory of 2768 2288 Vereransa.exe 35 PID 2288 wrote to memory of 2768 2288 Vereransa.exe 35 PID 2288 wrote to memory of 2768 2288 Vereransa.exe 35 PID 2288 wrote to memory of 2768 2288 Vereransa.exe 35 PID 2768 wrote to memory of 1668 2768 Vereransa.exe 37 PID 2768 wrote to memory of 1668 2768 Vereransa.exe 37 PID 2768 wrote to memory of 1668 2768 Vereransa.exe 37 PID 2768 wrote to memory of 1668 2768 Vereransa.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868
-
-
-
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 8484⤵
- Loads dropped DLL
- Program crash
PID:1668
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2172
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5bbc3d625038de2cc64cbfdb76e888528
SHA175b19ab88f8c23d0088252e8c725d4ceea56895a
SHA2563b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601
SHA5129014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465
-
Filesize
216KB
MD50a8854ddd119e42c62bf2904efb29c1c
SHA1986ab504ca3cc36fc0418516f26aabc4168224d6
SHA25669f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb
SHA512905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7