Overview

overview

10

Static

static

SecuriteIn...24.exe

windows7_x64

10

SecuriteIn...24.exe

windows10_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    23-02-2021 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe

  • Size

    542KB

  • MD5

    060bd14ae501d8dae94cc73672ab195b

  • SHA1

    e16be2044b73bfb717d92d13968eac473d64b8fc

  • SHA256

    757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0

  • SHA512

    4c39ee69a9e1f8511c8c37a714cd2e9a44f5223fa9c356a8c0d466d273caeba2c391107822111de63ebfbca53b4a4601e90f03d5317914dc53192ef8fef28704

Score
10/10
raccoonaef61793e586ca15c24106ac17a2a83a30fb0a25stealer

Malware Config

Extracted

Family

raccoon

Botnet

aef61793e586ca15c24106ac17a2a83a30fb0a25

Attributes
  • url4cnc

    https://tttttt.me/h_scroogenews_1

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe"
    1⤵
      PID:4688
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 736
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 852
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 740
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 712
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:68
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 864
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:636

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/68-14-0x0000000004F30000-0x0000000004F31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/636-17-0x00000000047D0000-0x00000000047D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3012-5-0x0000000004E50000-0x0000000004E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3012-6-0x0000000004E50000-0x0000000004E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3232-8-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4068-11-0x00000000043F0000-0x00000000043F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4688-2-0x0000000000C40000-0x0000000000C41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4688-3-0x0000000000AA0000-0x0000000000B32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4688-4-0x0000000000400000-0x0000000000494000-memory.dmp
      Filesize

      592KB

      Download