Overview

overview

10

Static

static

Setup (1).exe

windows11_x64

10

Setup (10).exe

windows11_x64

10

Setup (11).exe

windows11_x64

10

Setup (12).exe

windows11_x64

10

Setup (13).exe

windows11_x64

10

Setup (14).exe

windows11_x64

10

Setup (15).exe

windows11_x64

10

Setup (16).exe

windows11_x64

10

Setup (17).exe

windows11_x64

10

Setup (18).exe

windows11_x64

10

Setup (19).exe

windows11_x64

10

Setup (2).exe

windows11_x64

10

Setup (20).exe

windows11_x64

10

Setup (21).exe

windows11_x64

10

Setup (22).exe

windows11_x64

10

Setup (23).exe

windows11_x64

10

Setup (24).exe

windows11_x64

10

Setup (25).exe

windows11_x64

10

Setup (26).exe

windows11_x64

10

Setup (27).exe

windows11_x64

10

Setup (28).exe

windows11_x64

10

Setup (29).exe

windows11_x64

10

Setup (3).exe

windows11_x64

10

Setup (30).exe

windows11_x64

10

Setup (31).exe

windows11_x64

10

Setup (4).exe

windows11_x64

10

Setup (5).exe

windows11_x64

10

Setup (6).exe

windows11_x64

10

Setup (7).exe

windows11_x64

10

Setup (8).exe

windows11_x64

10

Setup (9).exe

windows11_x64

10

Setup.exe

windows11_x64

10

Resubmissions

15-10-2024 15:36

241015-s1zlzasdkc 10

01-07-2024 18:32

240701-w6yteawhmq 10

01-07-2024 14:52

240701-r82wmaxdnd 10

01-07-2024 14:52

240701-r8syqa1dpp 10

11-03-2024 21:22

240311-z8dsssgg58 10

01-09-2021 13:18

210901-5bmxjspa5s 10

01-09-2021 13:04

210901-te4btfspqa 10

01-09-2021 05:12

210901-4wnkwm1p3j 10

31-08-2021 21:47

210831-41rp97dma2 10

31-08-2021 19:51

210831-359awwatje 10

Analysis

  • max time kernel
    89s
  • max time network
    1750s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    31-08-2021 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup (20).exe

  • Size

    631KB

  • MD5

    cb927513ff8ebff4dd52a47f7e42f934

  • SHA1

    0de47c02a8adc4940a6c18621b4e4a619641d029

  • SHA256

    fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

  • SHA512

    988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score
10/10
raccoon10c753321b3ff323727f510579572aa4c5ea00cbevasionstealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

10c753321b3ff323727f510579572aa4c5ea00cb

Attributes
  • url4cnc

    https://telete.in/bimboDinotrex

rc4.plain
rc4.plain

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 23 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 40 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup (20).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (20).exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Users\Admin\Documents\qEeoHDVkLYmYym4VHnE58V3L.exe
      "C:\Users\Admin\Documents\qEeoHDVkLYmYym4VHnE58V3L.exe"
      2⤵
      • Executes dropped EXE
      PID:3712
    • C:\Users\Admin\Documents\357gWJaaD8BhZ8bt1RIRIiDE.exe
      "C:\Users\Admin\Documents\357gWJaaD8BhZ8bt1RIRIiDE.exe"
      2⤵
      • Executes dropped EXE
      PID:3820
    • C:\Users\Admin\Documents\pQCArMOtRn8oC3TZ4VUJH3eR.exe
      "C:\Users\Admin\Documents\pQCArMOtRn8oC3TZ4VUJH3eR.exe"
      2⤵
      • Executes dropped EXE
      PID:3916
    • C:\Users\Admin\Documents\MwhRIfe9CTwb4YiVWdsmr5WC.exe
      "C:\Users\Admin\Documents\MwhRIfe9CTwb4YiVWdsmr5WC.exe"
      2⤵
      • Executes dropped EXE
      PID:4736
    • C:\Users\Admin\Documents\4tIlVMs5C03eEuhEiglEnB5r.exe
      "C:\Users\Admin\Documents\4tIlVMs5C03eEuhEiglEnB5r.exe"
      2⤵
      • Executes dropped EXE
      PID:2996
    • C:\Users\Admin\Documents\JhKU4pe2uswJZa4xjKZRH63h.exe
      "C:\Users\Admin\Documents\JhKU4pe2uswJZa4xjKZRH63h.exe"
      2⤵
      • Executes dropped EXE
      PID:4412
    • C:\Users\Admin\Documents\aboK8jZ_XEfz93_DAdlxxhgK.exe
      "C:\Users\Admin\Documents\aboK8jZ_XEfz93_DAdlxxhgK.exe"
      2⤵
      • Executes dropped EXE
      PID:1600
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
        3⤵
          PID:3552
      • C:\Users\Admin\Documents\RydnLyYmoI6ANnLoFqfFIDTo.exe
        "C:\Users\Admin\Documents\RydnLyYmoI6ANnLoFqfFIDTo.exe"
        2⤵
        • Executes dropped EXE
        PID:4896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 276
          3⤵
          • Drops file in Windows directory
          • Program crash
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
      • C:\Users\Admin\Documents\JTPhsXPu43F8_nLNvWU98UXk.exe
        "C:\Users\Admin\Documents\JTPhsXPu43F8_nLNvWU98UXk.exe"
        2⤵
        • Executes dropped EXE
        PID:3976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 272
          3⤵
          • Program crash
          PID:3296
      • C:\Users\Admin\Documents\cVhKyH0S1pNhb3p_2K_2C83h.exe
        "C:\Users\Admin\Documents\cVhKyH0S1pNhb3p_2K_2C83h.exe"
        2⤵
        • Executes dropped EXE
        PID:4404
      • C:\Users\Admin\Documents\0G_oZ4A26rNd2sEAkeuPPe8B.exe
        "C:\Users\Admin\Documents\0G_oZ4A26rNd2sEAkeuPPe8B.exe"
        2⤵
        • Executes dropped EXE
        PID:1480
      • C:\Users\Admin\Documents\GQfc9lb4uh8KHzTSjT2hZMl7.exe
        "C:\Users\Admin\Documents\GQfc9lb4uh8KHzTSjT2hZMl7.exe"
        2⤵
        • Executes dropped EXE
        PID:4136
      • C:\Users\Admin\Documents\aFEr3n4UhnnigLBnws3AgDir.exe
        "C:\Users\Admin\Documents\aFEr3n4UhnnigLBnws3AgDir.exe"
        2⤵
        • Executes dropped EXE
        PID:3992
      • C:\Users\Admin\Documents\NI22fLLmoEW0efMdjGctFFJh.exe
        "C:\Users\Admin\Documents\NI22fLLmoEW0efMdjGctFFJh.exe"
        2⤵
        • Executes dropped EXE
        PID:1548
      • C:\Users\Admin\Documents\yv_Xy8avOlEotjqgnCOSDteL.exe
        "C:\Users\Admin\Documents\yv_Xy8avOlEotjqgnCOSDteL.exe"
        2⤵
        • Executes dropped EXE
        PID:1132
      • C:\Users\Admin\Documents\ViJzT0ETqkk3EdejaeVGsHOS.exe
        "C:\Users\Admin\Documents\ViJzT0ETqkk3EdejaeVGsHOS.exe"
        2⤵
        • Executes dropped EXE
        PID:932
      • C:\Users\Admin\Documents\BJNeVZLZ6gXzTBt5EEA7oqiK.exe
        "C:\Users\Admin\Documents\BJNeVZLZ6gXzTBt5EEA7oqiK.exe"
        2⤵
        • Executes dropped EXE
        PID:500
      • C:\Users\Admin\Documents\d0EuJ7lURMXwhEJ17y29m59_.exe
        "C:\Users\Admin\Documents\d0EuJ7lURMXwhEJ17y29m59_.exe"
        2⤵
        • Executes dropped EXE
        PID:3128
        • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
          "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
          3⤵
            PID:3628
          • C:\Program Files (x86)\Company\NewProduct\inst001.exe
            "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
            3⤵
              PID:2920
            • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
              "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
              3⤵
                PID:2276
            • C:\Users\Admin\Documents\V7RCvwBSnIC0JTOLbetcr89A.exe
              "C:\Users\Admin\Documents\V7RCvwBSnIC0JTOLbetcr89A.exe"
              2⤵
              • Executes dropped EXE
              PID:880
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                3⤵
                • Creates scheduled task(s)
                PID:800
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                3⤵
                • Creates scheduled task(s)
                PID:3108
            • C:\Users\Admin\Documents\0CpY4NIL0hC7Ke9H2pKqPtp9.exe
              "C:\Users\Admin\Documents\0CpY4NIL0hC7Ke9H2pKqPtp9.exe"
              2⤵
              • Executes dropped EXE
              PID:3012
              • C:\Users\Admin\Documents\0CpY4NIL0hC7Ke9H2pKqPtp9.exe
                "C:\Users\Admin\Documents\0CpY4NIL0hC7Ke9H2pKqPtp9.exe"
                3⤵
                  PID:3928
              • C:\Users\Admin\Documents\F16LFWU0jEzg9rkyjbQWJVbW.exe
                "C:\Users\Admin\Documents\F16LFWU0jEzg9rkyjbQWJVbW.exe"
                2⤵
                • Executes dropped EXE
                PID:1556
              • C:\Users\Admin\Documents\NE7rBNACqwf_jiiC76iHW_IH.exe
                "C:\Users\Admin\Documents\NE7rBNACqwf_jiiC76iHW_IH.exe"
                2⤵
                • Executes dropped EXE
                PID:1612
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe ( CREAteobjecT ( "wScRiPT.ShElL" ). RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\NE7rBNACqwf_jiiC76iHW_IH.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\NE7rBNACqwf_jiiC76iHW_IH.exe"" ) do taskkill /iM ""%~NXm"" -F" , 0 , TRUE ) )
                  3⤵
                    PID:3684
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\NE7rBNACqwf_jiiC76iHW_IH.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ( "C:\Users\Admin\Documents\NE7rBNACqwf_jiiC76iHW_IH.exe" ) do taskkill /iM "%~NXm" -F
                      4⤵
                        PID:2432
                  • C:\Users\Admin\Documents\5Mwd5XJAOCweLHOFFD9VtmEM.exe
                    "C:\Users\Admin\Documents\5Mwd5XJAOCweLHOFFD9VtmEM.exe"
                    2⤵
                    • Executes dropped EXE
                    PID:2176
                  • C:\Users\Admin\Documents\do42QgN8AErqMmcU84dscQ2f.exe
                    "C:\Users\Admin\Documents\do42QgN8AErqMmcU84dscQ2f.exe"
                    2⤵
                      PID:3224
                  • C:\Windows\System32\sihclient.exe
                    C:\Windows\System32\sihclient.exe /cv yKasnM7UgUqICmWI3CBItg.0.2
                    1⤵
                    • Modifies data under HKEY_USERS
                    PID:4552
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4896 -ip 4896
                    1⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    PID:2172
                  • C:\Users\Admin\AppData\Local\Temp\is-H2J4N.tmp\do42QgN8AErqMmcU84dscQ2f.tmp
                    "C:\Users\Admin\AppData\Local\Temp\is-H2J4N.tmp\do42QgN8AErqMmcU84dscQ2f.tmp" /SL5="$10284,138429,56832,C:\Users\Admin\Documents\do42QgN8AErqMmcU84dscQ2f.exe"
                    1⤵
                      PID:4432
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      1⤵
                        PID:1544
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3976 -ip 3976
                        1⤵
                          PID:4556
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1132 -ip 1132
                          1⤵
                            PID:1976

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/500-252-0x0000000000A70000-0x0000000000A71000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/500-281-0x0000000005610000-0x0000000005611000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/932-230-0x00000000006F0000-0x0000000000C87000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/1132-289-0x0000000000800000-0x000000000082F000-memory.dmp

                            Filesize

                            188KB

                            Download

                          • memory/1480-221-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1480-207-0x0000000000530000-0x0000000000531000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1480-224-0x00000000025B0000-0x00000000025C9000-memory.dmp

                            Filesize

                            100KB

                            Download

                          • memory/2176-239-0x0000000000F60000-0x0000000000F62000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2176-220-0x0000000000760000-0x0000000000761000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2176-229-0x0000000000F30000-0x0000000000F46000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/2920-287-0x0000000001360000-0x0000000001370000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2996-279-0x0000000004F60000-0x0000000004F61000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2996-245-0x00000000003F0000-0x00000000003F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3224-236-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/3916-249-0x0000000000D50000-0x0000000000D51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3916-276-0x0000000005910000-0x0000000005911000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3976-259-0x0000000004390000-0x0000000004CB6000-memory.dmp

                            Filesize

                            9.1MB

                            Download

                          • memory/3992-261-0x00000000052A0000-0x00000000052A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3992-271-0x0000000005220000-0x0000000005221000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3992-272-0x0000000005220000-0x0000000005296000-memory.dmp

                            Filesize

                            472KB

                            Download

                          • memory/3992-242-0x00000000008F0000-0x00000000008F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4136-211-0x0000000000620000-0x0000000000621000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4136-238-0x00000000052B0000-0x00000000052B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4136-234-0x0000000005E20000-0x0000000005E21000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4412-206-0x00000000006D0000-0x00000000006D1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4412-226-0x00000000052B0000-0x00000000052B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4412-253-0x0000000005420000-0x0000000005421000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4412-280-0x0000000005540000-0x0000000005556000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/4412-219-0x00000000051A0000-0x00000000051A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4412-215-0x0000000005670000-0x0000000005671000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4412-240-0x00000000050C0000-0x0000000005666000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/4412-282-0x0000000007580000-0x0000000007581000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4432-265-0x00000000031C0000-0x00000000031FC000-memory.dmp

                            Filesize

                            240KB

                            Download

                          • memory/4432-269-0x0000000000700000-0x0000000000701000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4432-277-0x0000000005A50000-0x0000000005A51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4528-146-0x0000000004480000-0x00000000045BF000-memory.dmp

                            Filesize

                            1.2MB

                            Download

                          • memory/4896-205-0x0000000001FC0000-0x0000000001FEF000-memory.dmp

                            Filesize

                            188KB

                            Download