Overview

overview

10

Static

static

system32.bin.exe

windows7_x64

10

system32.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    99s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    23-10-2020 23:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    system32.bin.exe

  • Size

    465KB

  • MD5

    049ef18418affcd542d9aa545bb07ee3

  • SHA1

    994b2b316ed112d81c697294405dcf15f9193deb

  • SHA256

    4d056b87049ec7fce672b40190bf8b5f9185395b7313d05bc196a655e7fe0c7a

  • SHA512

    ad0b3ab61327d0cc802d3512db80a60be264a52b8f0f750c9d83b4750d1373c59466d399da8650523d6e99723d75e962176ece9f669310f464844c5c2370886c

Score
10/10
persistencestealerraccoon

Malware Config

Extracted

Family

raccoon

Attributes
  • url4cnc

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

b240f186dfcd9a0141345e239b4ac51800830ac0

Attributes
  • url4cnc

    https://drive.google.com/uc?export=download&id=19HMmBPaIPyhdlvzB7YPOENIFHwLz8Kkc

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • ServiceHost packer 8 IoCs

    Detects ServiceHost packer used for .NET malware

  • Blacklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies service 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 95 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\system32.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\system32.bin.exe"
    1⤵
    • Loads dropped DLL
    • Modifies service
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Blacklisted process makes network request
      • Drops file in Windows directory
      PID:1756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "COPY /Y /B "C:\Users\Admin\AppData\Local\Temp\system32.bin.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\System32.exe""
        3⤵
          PID:2232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "COPY /Y /B "C:\Users\Admin\AppData\Local\Temp\a5961048.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk""
          3⤵
          • Drops startup file
          PID:2300
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1456
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1640
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
        PID:3764
        • C:\Windows\System32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
          2⤵
            PID:3416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3840

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\a5961048.lnk
          MD5

          4b3fa9f8eb3c65a7f557523a071cc969

          SHA1

          eee0dc42a9c6d6d218178885b79355eb7ef9d10e

          SHA256

          1215bf40103a0f012d82378d9f2f6349156334e8c16c70e54dbdd080a9041b17

          SHA512

          1702aa4c9d5225b62b8103a6899cd9a560918aaf9c6c8b67ed926795e996680c4a229e722a38c298532753fb23fb2256a351c42b759da2c6500f4a9e19e55812

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\System32.exe
          MD5

          049ef18418affcd542d9aa545bb07ee3

          SHA1

          994b2b316ed112d81c697294405dcf15f9193deb

          SHA256

          4d056b87049ec7fce672b40190bf8b5f9185395b7313d05bc196a655e7fe0c7a

          SHA512

          ad0b3ab61327d0cc802d3512db80a60be264a52b8f0f750c9d83b4750d1373c59466d399da8650523d6e99723d75e962176ece9f669310f464844c5c2370886c

          Download Submit
        • \Users\Admin\AppData\Local\Temp\etchings.dll
          MD5

          9aba0224ea651e03776eb21671f8a743

          SHA1

          87aa10ba47a85b2124bf77d00182d714d9cfb233

          SHA256

          51c3bfd80d36a77b97d643dbc66d2b6a3662e5316d7ba357431d562f96977725

          SHA512

          8c80d045fa4f7362fa3c31c7515d2464a32eb2685bd8d05d156e177d56d1ac703f950f35f138914f5800fdd305ef8388a804039a510628716f2cb3252ab7a239

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst35DC.tmp\System.dll
          MD5

          0d7ad4f45dc6f5aa87f606d0331c6901

          SHA1

          48df0911f0484cbe2a8cdd5362140b63c41ee457

          SHA256

          3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

          SHA512

          c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

          Download Submit
        • memory/1640-27-0x0000000004E20000-0x0000000004E21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1640-18-0x0000000004930000-0x0000000004931000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1640-15-0x0000000004530000-0x0000000004531000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1640-16-0x0000000004530000-0x0000000004531000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1756-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-25-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-24-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-23-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-21-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-22-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-20-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-5-0x0000000000400000-0x0000000000485000-memory.dmp
          Filesize

          532KB

          Download
        • memory/1756-19-0x0000000000000000-mapping.dmp
          Download
        • memory/1756-26-0x0000000000000000-mapping.dmp
          Download
        • memory/2232-6-0x0000000000000000-mapping.dmp
          Download
        • memory/2300-7-0x0000000000000000-mapping.dmp
          Download
        • memory/3416-10-0x0000000000000000-mapping.dmp
          Download
        • memory/3840-14-0x0000024155180000-0x0000024155181000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3840-13-0x000002413AC60000-0x000002413AC61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3840-12-0x00007FFA515B0000-0x00007FFA51F9C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/3840-11-0x0000000000000000-mapping.dmp
          Download
        • memory/3900-3-0x0000000002D60000-0x0000000002DE5000-memory.dmp
          Filesize

          532KB

          Download
        • memory/3900-2-0x0000000002240000-0x0000000002251000-memory.dmp
          Filesize

          68KB

          Download