Overview

overview

10

Static

static

out.exe

windows7_x64

10

out.exe

windows10_x64

10

Resubmissions

27-02-2020 14:25

200227-3wh35qrwk6 10

20-02-2020 19:34

200220-hlck41efds 10

Analysis

  • max time kernel
    122s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    27-02-2020 14:25

Sharing

Copy URL
Twitter E-mail

General

  • Target

    out.exe

  • Size

    439KB

  • MD5

    dc47c83aa99bb69fd38e73b3554afddb

  • SHA1

    3a6db3a80fdcd23ecde4b07404496cf6dcc481b0

  • SHA256

    3e43cb34fdc8fc2ba11d51b1c157a76296e34c2ad541f60cc9d4459720b3893d

  • SHA512

    b509e796f4183f730a74656268890ecefc6d7b554137fc9632225666616a8ba566a680ce0295aad32ca9039195c62e1388fba4ea9de2efcb95bfd41e55034773

Score
10/10
stealerraccoon

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 70 IoCs
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Program crash 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\out.exe
    "C:\Users\Admin\AppData\Local\Temp\out.exe"
    1⤵
      PID:3996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 716
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Program crash
        PID:3432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 828
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Program crash
        PID:2804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 900
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Program crash
        PID:3308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 724
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Program crash
        PID:3136
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1184
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Program crash
        PID:3484

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2804-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2804-10-0x0000000005690000-0x0000000005691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3136-64-0x0000000004B10000-0x0000000004B11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3136-67-0x0000000005140000-0x0000000005141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3308-60-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3308-63-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3432-3-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3432-5-0x00000000053F0000-0x00000000053F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3432-2-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3484-68-0x0000000004680000-0x0000000004681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3484-71-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3996-1-0x0000000003C40000-0x0000000003C41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3996-0-0x00000000039B1000-0x00000000039B2000-memory.dmp

      Filesize

      4KB

      Download