Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 13:00
Static task
static1
General
-
Target
b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe
-
Size
430KB
-
MD5
8066b98ce627fb951b1de8d04ad5d11a
-
SHA1
33bec6772d4b829a2f2161f291012c55c2971c51
-
SHA256
b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c
-
SHA512
8af0281ac338c80607a21ffcb689f88fdb573711cde767f919b382c35b5ee215a8c6ddd03a3725fa05f0311755c438c3732ef8e2e6eb650c9a88d46077bb5769
Malware Config
Extracted
raccoon
f6d7183c9e82d2a9b81e6c0608450aa66cefb51f
-
url4cnc
https://t.me/justoprostohello
Signatures
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
LgDSt2rr2q.exesihost.exepid process 3140 LgDSt2rr2q.exe 2196 sihost.exe -
Loads dropped DLL 6 IoCs
Processes:
b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exepid process 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1500 schtasks.exe 2432 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 532 timeout.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.execmd.exeLgDSt2rr2q.exesihost.exedescription pid process target process PID 1784 wrote to memory of 3140 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe LgDSt2rr2q.exe PID 1784 wrote to memory of 3140 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe LgDSt2rr2q.exe PID 1784 wrote to memory of 3140 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe LgDSt2rr2q.exe PID 1784 wrote to memory of 3684 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe cmd.exe PID 1784 wrote to memory of 3684 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe cmd.exe PID 1784 wrote to memory of 3684 1784 b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe cmd.exe PID 3684 wrote to memory of 532 3684 cmd.exe timeout.exe PID 3684 wrote to memory of 532 3684 cmd.exe timeout.exe PID 3684 wrote to memory of 532 3684 cmd.exe timeout.exe PID 3140 wrote to memory of 1500 3140 LgDSt2rr2q.exe schtasks.exe PID 3140 wrote to memory of 1500 3140 LgDSt2rr2q.exe schtasks.exe PID 3140 wrote to memory of 1500 3140 LgDSt2rr2q.exe schtasks.exe PID 2196 wrote to memory of 2432 2196 sihost.exe schtasks.exe PID 2196 wrote to memory of 2432 2196 sihost.exe schtasks.exe PID 2196 wrote to memory of 2432 2196 sihost.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe"C:\Users\Admin\AppData\Local\Temp\b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exe"C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b81479ca11f8a968cbf9b0504d850e1d9720d658a31b22f063c4c4ca12dd4e7c.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exeMD5
13d6542b23dfe0a254885ad5b6986141
SHA1893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
SHA2562d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
SHA512e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681
-
C:\Users\Admin\AppData\Local\Temp\LgDSt2rr2q.exeMD5
13d6542b23dfe0a254885ad5b6986141
SHA1893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
SHA2562d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
SHA512e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exeMD5
13d6542b23dfe0a254885ad5b6986141
SHA1893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
SHA2562d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
SHA512e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exeMD5
13d6542b23dfe0a254885ad5b6986141
SHA1893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
SHA2562d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
SHA512e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dllMD5
eae9273f8cdcf9321c6c37c244773139
SHA18378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA51206e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dllMD5
4e8df049f3459fa94ab6ad387f3561ac
SHA106ed392bc29ad9d5fc05ee254c2625fd65925114
SHA25625a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA5123dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
memory/532-127-0x0000000000000000-mapping.dmp
-
memory/1500-128-0x0000000000000000-mapping.dmp
-
memory/1784-115-0x0000000000770000-0x0000000000800000-memory.dmpFilesize
576KB
-
memory/1784-116-0x0000000000400000-0x00000000004F2000-memory.dmpFilesize
968KB
-
memory/2196-135-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/2196-134-0x00000000004B0000-0x000000000055E000-memory.dmpFilesize
696KB
-
memory/2432-133-0x0000000000000000-mapping.dmp
-
memory/3140-123-0x0000000000000000-mapping.dmp
-
memory/3140-130-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/3140-129-0x00000000001D0000-0x00000000001D4000-memory.dmpFilesize
16KB
-
memory/3684-125-0x0000000000000000-mapping.dmp