Overview

overview

10

Static

static

9ae5b3d892...ac.exe

windows7_x64

10

9ae5b3d892...ac.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ae5b3d8924d251ed4799a1223da2aac.exe

  • Size

    514KB

  • MD5

    f419548a046f3238df9d95d40e3a8fdd

  • SHA1

    76fda035703781cfe5f785b8f230e7db6eef2abf

  • SHA256

    86c1ba04c2400da557124c31d3366eb792080a254e6166e7a426a27b0cd16693

  • SHA512

    cca8b94d53abde68c7fcf83fa246674cea3c607e65164d59824ec940b720560c33574c1e2e40c811667f9c685d61017eb27ca03bf671a159c4d8066ccf12f36d

Score
10/10
raccoonstealer

Malware Config

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 98 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ae5b3d8924d251ed4799a1223da2aac.exe
    "C:\Users\Admin\AppData\Local\Temp\9ae5b3d8924d251ed4799a1223da2aac.exe"
    1⤵
      PID:648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 740
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 816
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 896
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 908
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1192
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:992
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1144
        2⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 644
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:4064

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/648-0-0x0000000002536000-0x0000000002537000-memory.dmp
      Filesize

      4KB

      Download
    • memory/648-1-0x0000000004250000-0x0000000004251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-72-0x0000000005050000-0x0000000005051000-memory.dmp
      Filesize

      4KB

      Download
    • memory/992-69-0x0000000004820000-0x0000000004821000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1436-57-0x00000000043F0000-0x00000000043F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1436-60-0x0000000004930000-0x0000000004931000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1924-76-0x00000000053B0000-0x00000000053B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1924-73-0x0000000004C70000-0x0000000004C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1976-64-0x0000000005190000-0x0000000005191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1976-61-0x0000000004B60000-0x0000000004B61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2680-6-0x0000000005360000-0x0000000005361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2680-3-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2680-2-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4064-77-0x0000000004620000-0x0000000004621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4064-80-0x00000000050A0000-0x00000000050A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4088-65-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4088-68-0x0000000005520000-0x0000000005521000-memory.dmp
      Filesize

      4KB

      Download