Analysis
- max time kernel: 37s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-08-2021 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: 5707DDADA5B7EA6BEF434CD294FA12E1.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 5707DDADA5B7EA6BEF434CD294FA12E1.exe
  Resource: win10v20210408
General
- Target: 5707DDADA5B7EA6BEF434CD294FA12E1.exe
- Size: 1.3MB
- MD5: 5707ddada5b7ea6bef434cd294fa12e1
- SHA1: 45bb285a597b30e100ed4b15d96a29d718697e5e
- SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
- SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
Malware Config
Extracted
- Family: raccoon
- Config ID: 471c70de3b4f9e4d493e418d1f60a90659057de0
- url4cnc: https://telete.in/p1rosto100xx
Signatures
-
Raccoon Stealer Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3516-121-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/3516-122-0x000000000044003F-mapping.dmp | family_raccoon
behavioral2/memory/3516-123-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
Loads dropped DLL 1 IoCs
Processes: 5707DDADA5B7EA6BEF434CD294FA12E1.exe
pid | process
3516 | 5707DDADA5B7EA6BEF434CD294FA12E1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 5707DDADA5B7EA6BEF434CD294FA12E1.exe
description | pid | process | target process
PID 776 set thread context of 3516 | 776 | 5707DDADA5B7EA6BEF434CD294FA12E1.exe | 5707DDADA5B7EA6BEF434CD294FA12E1.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3916 | 3516 | WerFault.exe | 5707DDADA5B7EA6BEF434CD294FA12E1.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: WerFault.exe
pid | process
3916 | WerFault.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 5707DDADA5B7EA6BEF434CD294FA12E1.exe, WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 776 | 5707DDADA5B7EA6BEF434CD294FA12E1.exe
Token: SeRestorePrivilege | 3916 | WerFault.exe
Token: SeBackupPrivilege | 3916 | WerFault.exe
Token: SeDebugPrivilege | 3916 | WerFault.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 5707DDADA5B7EA6BEF434CD294FA12E1.exe
description | pid | process | target process
PID 776 wrote to memory of 3516 | 776 | 5707DDADA5B7EA6BEF434CD294FA12E1.exe | 5707DDADA5B7EA6BEF434CD294FA12E1.exe (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5707DDADA5B7EA6BEF434CD294FA12E1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5707DDADA5B7EA6BEF434CD294FA12E1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5707DDADA5B7EA6BEF434CD294FA12E1.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\5707DDADA5B7EA6BEF434CD294FA12E1.exe
    - Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe (child process)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1468
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5: f964811b68f9f1487c2b41e1aef576ce
  SHA1: b423959793f14b1416bc3b7051bed58a1034025f
  SHA256: 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512: 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
- memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp
  Filesize: 4KB
- memory/776-116-0x00000000056F0000-0x00000000056F1000-memory.dmp
  Filesize: 4KB
- memory/776-117-0x00000000051F0000-0x00000000051F1000-memory.dmp
  Filesize: 4KB
- memory/776-118-0x00000000050B0000-0x0000000005142000-memory.dmp
  Filesize: 584KB
- memory/776-119-0x00000000052C0000-0x00000000052C1000-memory.dmp
  Filesize: 4KB
- memory/776-120-0x0000000005370000-0x0000000005391000-memory.dmp
  Filesize: 132KB
- memory/3516-121-0x0000000000400000-0x0000000000495000-memory.dmp
  Filesize: 596KB
- memory/3516-122-0x000000000044003F-mapping.dmp
- memory/3516-123-0x0000000000400000-0x0000000000495000-memory.dmp
  Filesize: 596KB