Analysis
-
max time kernel
82s -
max time network
84s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
05-08-2020 15:07
Static task
static1
Behavioral task
behavioral1
Sample
c31483438d7046d9759d384a85dab139.exe
Resource
win7
Behavioral task
behavioral2
Sample
c31483438d7046d9759d384a85dab139.exe
Resource
win10v200722
General
-
Target
c31483438d7046d9759d384a85dab139.exe
-
Size
1.3MB
-
MD5
c31483438d7046d9759d384a85dab139
-
SHA1
a6731f7a7920d82dbb5ae271311224f0e0678215
-
SHA256
e86316850d05ff4338c3b5bcc2e0c195ae9b7d5ed2b87578de537ab911af88e6
-
SHA512
dd90ee6813fbb4c4904c4ba4cb6668245364c4647e28c609a189eae418ad9ee47609deb8d6e87d67579e7627381319a1caf774106b2cfcff60498e8fed3c2730
Malware Config
Extracted
C:\Users\Admin\AppData\LocalLow\machineinfo.txt
raccoon
Signatures
-
Loads dropped DLL 6 IoCs
Processes:
c31483438d7046d9759d384a85dab139.exepid process 3952 c31483438d7046d9759d384a85dab139.exe 3952 c31483438d7046d9759d384a85dab139.exe 3952 c31483438d7046d9759d384a85dab139.exe 3952 c31483438d7046d9759d384a85dab139.exe 3952 c31483438d7046d9759d384a85dab139.exe 3952 c31483438d7046d9759d384a85dab139.exe -
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule raccoon_log_file -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c31483438d7046d9759d384a85dab139.execmd.exedescription pid process target process PID 3952 wrote to memory of 852 3952 c31483438d7046d9759d384a85dab139.exe cmd.exe PID 3952 wrote to memory of 852 3952 c31483438d7046d9759d384a85dab139.exe cmd.exe PID 3952 wrote to memory of 852 3952 c31483438d7046d9759d384a85dab139.exe cmd.exe PID 852 wrote to memory of 348 852 cmd.exe timeout.exe PID 852 wrote to memory of 348 852 cmd.exe timeout.exe PID 852 wrote to memory of 348 852 cmd.exe timeout.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 348 timeout.exe -
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll js -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c31483438d7046d9759d384a85dab139.exe"C:\Users\Admin\AppData\Local\Temp\c31483438d7046d9759d384a85dab139.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c31483438d7046d9759d384a85dab139.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:348