Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-07-2021 10:23

General

  • Target

    usfive_20210703-095023.exe

  • Size

    466KB

  • MD5

    d6b6f1ab249f9528546460eee71d431b

  • SHA1

    3110e71aab808c5dffe7be938187681f1a5da029

  • SHA256

    80dfb1cf38ee1f0a1714327db6ba9f6ddb8195aedf6c7f63a73cfafe66896aad

  • SHA512

    f26a6e4b134f58031eb53ae84798c9c2a7adec6bac79f90932429aac35ec805c5f6814515be358d578717bd6506ddb476e91ec4f420992a17b68fca0f26cd969

Malware Config

Extracted

Family

raccoon

Botnet

7ea5512058d479def2eeb58bd2231423ad2fdf37

Attributes
  • url4cnc

    https://telete.in/h_electricryptors2

rc4.plain
rc4.plain

Signatures

  • DarkVNC

    DarkVNC is a malicious version of the famous VNC software.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • DarkVNC Payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe
    "C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Users\Admin\AppData\Local\Temp\anHQDYXTle.exe
      "C:\Users\Admin\AppData\Local\Temp\anHQDYXTle.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe
        3⤵
          PID:4084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 488
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\usfive_20210703-095023.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 10 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:1580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/516-115-0x0000000000400000-0x000000000061F000-memory.dmp

      Filesize

      2.1MB

    • memory/516-114-0x0000000000AA0000-0x0000000000B31000-memory.dmp

      Filesize

      580KB

    • memory/2680-128-0x0000000000AB0000-0x0000000000B38000-memory.dmp

      Filesize

      544KB

    • memory/2680-129-0x0000000000400000-0x000000000060F000-memory.dmp

      Filesize

      2.1MB

    • memory/4084-130-0x0000012939D40000-0x0000012939D69000-memory.dmp

      Filesize

      164KB

    • memory/4084-131-0x0000012939F30000-0x0000012939FFA000-memory.dmp

      Filesize

      808KB