Analysis
max time kernel: 50s
max time network: 45s
platform: windows7_x64
resource: win7
submitted: 31-08-2020 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: 34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
  Resource: win10v200722
General
Target: 34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
Size: 780KB
MD5: 7bfa183848dff9072386834d83d69db8
SHA1: e194b3b6e4be2fc445555f60e1c5efd972bd9aec
SHA256: 34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae
SHA512: a2a6cc8f672c18d1a9082508a6d86f35e9950dfd00eaa36bdf89ad4264615079532b1b0957c6ee8d8535c39a56cf0933c7247f7693b075600024777e04ed04a0
Malware Config
Extracted: C:\Users\Admin\AppData\LocalLow\machineinfo.txt
Family: raccoon
Signatures
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
yara_rule
raccoon_log_file
Deletes itself 1 IoCs
Processes:
pid  process
1320  cmd.exe
Loads dropped DLL 9 IoCs
Processes:
pid  process
112  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe  (1 entry)
1576  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe  (8 entries)
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
JavaScript code in executable 1 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll  js
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 112 set thread context of 1576  112  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid  process
1324  timeout.exe
Modifies system certificate store
Processes:
description  ioc  process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted]  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
112  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description  pid  process  target process
PID 112 wrote to memory of 1576  112  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe  (8 entries)
PID 1576 wrote to memory of 1320  1576  34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe  cmd.exe  (4 entries)
PID 1320 wrote to memory of 1324  1320  cmd.exe  timeout.exe  (4 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 112
    [2] C:\Users\Admin\AppData\Local\Temp\34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe"
        - Loads dropped DLL
        - Modifies system certificate store
        - Suspicious use of WriteProcessMemory
        PID: 1576
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\34c86d1d51efbc6b487204a734376fe8d99a546c755c95c3cf79d7a678df09ae.exe"
            - Deletes itself
            - Suspicious use of WriteProcessMemory
            PID: 1320
            [4] C:\Windows\SysWOW64\timeout.exe
                Command line: timeout /T 10 /NOBREAK
                - Delays execution with timeout.exe
                PID: 1324
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll
\Users\Admin\AppData\LocalLow\sqlite3.dll
\Users\Admin\AppData\Local\Temp\nsc2B07.tmp\System.dll
memory/1320-13-0x0000000000000000-mapping.dmp
memory/1324-14-0x0000000000000000-mapping.dmp
memory/1576-3-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize 588KB)
memory/1576-2-0x000000000043FA98-mapping.dmp
memory/1576-1-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize 588KB)
memory/2040-4-0x000007FEF7FC0000-0x000007FEF823A000-memory.dmp (Filesize 2.5MB)