Overview

overview

10

Static

static

SecuriteIn...46.exe

windows7_x64

10

SecuriteIn...46.exe

windows10_x64

10

Analysis

  • max time kernel
    13s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    23-02-2021 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe

  • Size

    542KB

  • MD5

    e48ba1147b75508b7f58cace584373cb

  • SHA1

    b24be163878f851e0b9bc5da8967879d5ff3d846

  • SHA256

    3d3112ce7c1a80e0378b15c7084b1b49a9805a5e47a85a97acdd7841d0a9b40b

  • SHA512

    5874e76db5ea79bf7128d50f80c6f9c22d79fd78f75b72a2db6131a7daa743f5d60e15f7af6a8767eaceec6dfb84b55a1c8f4bb57688a674aba88035f06b7060

Score
10/10
raccoon99fdcb30af520f176f0e14e858c8bb23c13330d9stealer

Malware Config

Extracted

Family

raccoon

Botnet

99fdcb30af520f176f0e14e858c8bb23c13330d9

Attributes
  • url4cnc

    https://tttttt.me/jrrand0mer

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe"
    1⤵
      PID:8
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 740
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 852
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 832
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 872
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 836
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1936

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/8-2-0x0000000000C90000-0x0000000000C91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/8-3-0x00000000009A0000-0x0000000000A32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/8-4-0x0000000000400000-0x0000000000494000-memory.dmp
      Filesize

      592KB

      Download
    • memory/396-14-0x00000000044F0000-0x00000000044F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1772-5-0x0000000004F00000-0x0000000004F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1772-6-0x0000000004F00000-0x0000000004F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1936-17-0x0000000004E20000-0x0000000004E21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2160-8-0x0000000004850000-0x0000000004851000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2624-11-0x0000000004910000-0x0000000004911000-memory.dmp
      Filesize

      4KB

      Download