raccoon | 63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2

General

Target

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Size

687KB
MD5

d4dad82dd4ed06b230151a6496884ff6
SHA1

d4d3017a9188c0087bf65e644a200a9aefbbce1b
SHA256

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2
SHA512

d95ca593907b3552a47f3070def99b2bba6ed1939b8fa598b5e023ee931e4a3fe8c333e3ccf88a00350330abdc6da87eded16f55d19115242b56d14f47be0bf2

Score

10^/10

spyware discovery stealer raccoon evasion trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.4.8 Release Build compiled on Tue Feb 18 21:33:22 2020 Launched at: 2020.03.19 - 13:00:50 GMT Bot_ID: CB3421D8-E2C8-4B12-9D02-76148B2A4ECF_Admin =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - ComputerName: JLKTGBTU - Username: Admin - IP: 154.61.71.13 - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (383 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Extracted

Family

raccoon

Botnet

63b0da3331d966cfbcc1dbb16cf24eac9a5d4e85

C2

http://34.76.15.247/gate/log.php

Attributes

url4cnc
https://drive.google.com/uc?export=download&id=1I7jmFhJY4KCn0dqAcr5L-h-D70KGZkaF

rc4.plain

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Modifies registry class 1 IoCs

Processes:

zIY8IXK4ds.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Local Settings\MuiCache zIY8IXK4ds.exe
Legitimate hosting services abused for malware hosting/C2. 1 TTPs

Web Service
T1102
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Local Settings\MuiCache	zIY8IXK4ds.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e0000001400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d03003000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe1d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e0000001400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d0302000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

description	pid	process	target process
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1856 wrote to memory of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
PID 1888 wrote to memory of 1360	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	zIY8IXK4ds.exe
PID 1888 wrote to memory of 1360	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	zIY8IXK4ds.exe
PID 1888 wrote to memory of 1360	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	zIY8IXK4ds.exe
PID 1888 wrote to memory of 1360	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	zIY8IXK4ds.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 272	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	STtLZz5etL.exe
PID 1888 wrote to memory of 1656	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	HUhJwPEvmp.exe
PID 1888 wrote to memory of 1656	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	HUhJwPEvmp.exe
PID 1888 wrote to memory of 1656	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	HUhJwPEvmp.exe
PID 1888 wrote to memory of 1656	1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	HUhJwPEvmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

description	pid	process	target process
PID 1856 set thread context of 1888	1856	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

Loads dropped DLL 8 IoCs

Processes:

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

pid	process
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
1888	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

Executes dropped EXE 3 IoCs

Processes:

zIY8IXK4ds.exeSTtLZz5etL.exeHUhJwPEvmp.exe

pid process

1360 zIY8IXK4ds.exe
272 STtLZz5etL.exe
1656 HUhJwPEvmp.exe

pid	process
1360	zIY8IXK4ds.exe
272	STtLZz5etL.exe
1656	HUhJwPEvmp.exe

Checks for installed software on the system 1 TTPs 28 IoCs

discovery

Query Registry

T1012

Processes:

63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe

C:\Users\Admin\AppData\Local\Temp\63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
"C:\Users\Admin\AppData\Local\Temp\63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1856
- C:\Users\Admin\AppData\Local\Temp\63aa46c2f83941e8517b7fbd05e15f2c2460c0ddeb9cd903a0c58ff2dca380e2.exe
  "{path}"
  2⤵
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Checks for installed software on the system
  PID:1888
- - C:\Users\Admin\AppData\LocalLow\zIY8IXK4ds.exe
    "C:\Users\Admin\AppData\LocalLow\zIY8IXK4ds.exe"
    3⤵
    - Modifies registry class
    - Executes dropped EXE
    PID:1360
- - C:\Users\Admin\AppData\LocalLow\STtLZz5etL.exe
    "C:\Users\Admin\AppData\LocalLow\STtLZz5etL.exe"
    3⤵
    - Executes dropped EXE
    PID:272
- - C:\Users\Admin\AppData\LocalLow\HUhJwPEvmp.exe
    "C:\Users\Admin\AppData\LocalLow\HUhJwPEvmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\HUhJwPEvmp.exe

Download Submit
C:\Users\Admin\AppData\LocalLow\HUhJwPEvmp.exe

Download Submit
C:\Users\Admin\AppData\LocalLow\STtLZz5etL.exe

Download Submit
C:\Users\Admin\AppData\LocalLow\STtLZz5etL.exe

Download Submit
C:\Users\Admin\AppData\LocalLow\zIY8IXK4ds.exe

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\HUhJwPEvmp.exe

Download Submit
\Users\Admin\AppData\LocalLow\STtLZz5etL.exe

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\LocalLow\zIY8IXK4ds.exe

Download Submit
memory/1856-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1888-3-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1888-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads