Analysis
-
max time kernel
145s -
max time network
92s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
04-08-2020 07:08
Static task
static1
Behavioral task
behavioral1
Sample
2e044975f0099d6ff4ee68fb408ffcdd.exe
Resource
win7
Behavioral task
behavioral2
Sample
2e044975f0099d6ff4ee68fb408ffcdd.exe
Resource
win10v200722
General
-
Target
2e044975f0099d6ff4ee68fb408ffcdd.exe
-
Size
1.6MB
-
MD5
2e044975f0099d6ff4ee68fb408ffcdd
-
SHA1
8d79b0160f53e4846be6e6dbf106d765a674d6fe
-
SHA256
e6d9daa5c99c31e60e4a307e69f3ce8f57f77292612989c5c1daba3a871c5fd2
-
SHA512
a1412ff1c55449e8dcd1efeacf96a720e806190885bbcef701979010280f727a55e84b15d8434db5623f8c953bae97366fefd08569133e609beb9fd7fd512817
Malware Config
Extracted
C:\Users\Admin\AppData\LocalLow\machineinfo.txt
raccoon
Signatures
-
Loads dropped DLL 6 IoCs
Processes:
2e044975f0099d6ff4ee68fb408ffcdd.exepid process 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2e044975f0099d6ff4ee68fb408ffcdd.execmd.exedescription pid process target process PID 3956 wrote to memory of 2104 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe cmd.exe PID 3956 wrote to memory of 2104 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe cmd.exe PID 3956 wrote to memory of 2104 3956 2e044975f0099d6ff4ee68fb408ffcdd.exe cmd.exe PID 2104 wrote to memory of 2408 2104 cmd.exe timeout.exe PID 2104 wrote to memory of 2408 2104 cmd.exe timeout.exe PID 2104 wrote to memory of 2408 2104 cmd.exe timeout.exe -
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll js -
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule raccoon_log_file -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2408 timeout.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e044975f0099d6ff4ee68fb408ffcdd.exe"C:\Users\Admin\AppData\Local\Temp\2e044975f0099d6ff4ee68fb408ffcdd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2e044975f0099d6ff4ee68fb408ffcdd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:2408