Analysis

  • max time kernel
    17s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    14-08-2021 21:25

General

  • Target

    85fb42a57db662ade20dbc90dd2abccb.exe

  • Size

    462KB

  • MD5

    85fb42a57db662ade20dbc90dd2abccb

  • SHA1

    eb1718103d030704bfb0959bb43f38ece27f94bd

  • SHA256

    d260c05305ca6eda79e4aa38377a16df0bc5861ee1f79187c8838d93a06f2175

  • SHA512

    12c43b3c25f7c594f38202ad46f655caeb98ea33aba4801cfcce84f98adcef406201b950e02b5562e330d86e5cf9e6dd02f0730df43b87f0c6b430ef9ba396c9

Malware Config

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • Raccoon Stealer Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85fb42a57db662ade20dbc90dd2abccb.exe
    "C:\Users\Admin\AppData\Local\Temp\85fb42a57db662ade20dbc90dd2abccb.exe"
    1⤵
      PID:900
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 732
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 744
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 844
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 872
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 852
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2368

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/900-114-0x0000000004990000-0x0000000004A21000-memory.dmp
      Filesize

      580KB

    • memory/900-115-0x0000000000400000-0x0000000002D01000-memory.dmp
      Filesize

      41.0MB