Analysis
-
max time kernel
54s -
max time network
56s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 05:24
Static task
static1
Behavioral task
behavioral1
Sample
08a433dcb4d318008eb98a700a267f43.exe
Resource
win7
Behavioral task
behavioral2
Sample
08a433dcb4d318008eb98a700a267f43.exe
Resource
win10
General
-
Target
08a433dcb4d318008eb98a700a267f43.exe
-
Size
580KB
-
MD5
08a433dcb4d318008eb98a700a267f43
-
SHA1
e920ca841d6c2ea3f7a5d15b7ac49e9e1d3442cd
-
SHA256
b47f74419de5db79da95d6d39d6e7e0da43a2bb2dc5770a0ee3715bcb2d76299
-
SHA512
61895c47d22e1f02b668f3be1e1484d88ca3ce7d5a59ace5a8c4efbfd89f97bf7d1ea625df924504f3c845f1644078f6024383373d786e230bee8f40b1000089
Malware Config
Extracted
C:\Users\Admin\AppData\LocalLow\machineinfo.txt
raccoon
Signatures
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
08a433dcb4d318008eb98a700a267f43.exefilingood.execmd.exedescription pid process target process PID 1324 wrote to memory of 656 1324 08a433dcb4d318008eb98a700a267f43.exe filingood.exe PID 1324 wrote to memory of 656 1324 08a433dcb4d318008eb98a700a267f43.exe filingood.exe PID 1324 wrote to memory of 656 1324 08a433dcb4d318008eb98a700a267f43.exe filingood.exe PID 1324 wrote to memory of 656 1324 08a433dcb4d318008eb98a700a267f43.exe filingood.exe PID 656 wrote to memory of 1600 656 filingood.exe cmd.exe PID 656 wrote to memory of 1600 656 filingood.exe cmd.exe PID 656 wrote to memory of 1600 656 filingood.exe cmd.exe PID 656 wrote to memory of 1600 656 filingood.exe cmd.exe PID 1600 wrote to memory of 1916 1600 cmd.exe timeout.exe PID 1600 wrote to memory of 1916 1600 cmd.exe timeout.exe PID 1600 wrote to memory of 1916 1600 cmd.exe timeout.exe PID 1600 wrote to memory of 1916 1600 cmd.exe timeout.exe -
Executes dropped EXE 1 IoCs
Processes:
filingood.exepid process 656 filingood.exe -
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule raccoon_log_file -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Loads dropped DLL 10 IoCs
Processes:
08a433dcb4d318008eb98a700a267f43.exefilingood.exepid process 1324 08a433dcb4d318008eb98a700a267f43.exe 1324 08a433dcb4d318008eb98a700a267f43.exe 656 filingood.exe 656 filingood.exe 656 filingood.exe 656 filingood.exe 656 filingood.exe 656 filingood.exe 656 filingood.exe 656 filingood.exe -
Checks for installed software on the system 1 TTPs 30 IoCs
Processes:
filingood.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName filingood.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName filingood.exe Key opened \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName filingood.exe Key enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName filingood.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName filingood.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
08a433dcb4d318008eb98a700a267f43.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 08a433dcb4d318008eb98a700a267f43.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 08a433dcb4d318008eb98a700a267f43.exe -
Processes:
08a433dcb4d318008eb98a700a267f43.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 08a433dcb4d318008eb98a700a267f43.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 08a433dcb4d318008eb98a700a267f43.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1916 timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08a433dcb4d318008eb98a700a267f43.exe"C:\Users\Admin\AppData\Local\Temp\08a433dcb4d318008eb98a700a267f43.exe"1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\indepopede\filingood.exefilingood.exe2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Loads dropped DLL
- Checks for installed software on the system
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe
-
C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
-
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
-
\Users\Admin\AppData\Roaming\indepopede\filingood.exe
-
\Users\Admin\AppData\Roaming\indepopede\filingood.exe
-
memory/656-4-0x0000000000000000-mapping.dmp
-
memory/656-7-0x00000000045C0000-0x00000000045D1000-memory.dmpFilesize
68KB
-
memory/656-6-0x00000000042D9000-0x00000000042DA000-memory.dmpFilesize
4KB
-
memory/1324-0-0x00000000002B9000-0x00000000002BA000-memory.dmpFilesize
4KB
-
memory/1324-1-0x0000000004320000-0x0000000004331000-memory.dmpFilesize
68KB
-
memory/1600-17-0x0000000000000000-mapping.dmp
-
memory/1916-18-0x0000000000000000-mapping.dmp