raccoon | 2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7

Analysis

max time kernel
151s
max time network
159s
platform
windows10_x64
resource
win10-en-20210920
submitted
15-10-2021 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
Size

292KB
MD5

9e3857dd1ef0cdc5cba74f191207843b
SHA1

086ec47957a78807cc4f33a624eee35af6e27f7a
SHA256

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7
SHA512

2818ef1ed1a28566cb890c8ccd58b99c9ee0f0f23f6fcda73fd4680541ac5b6620aa90df5eae9b7bd42cf2e693269e92143a32b67945c997e1831ddc7e8e2bdc

Score

10^/10

raccoon redline smokeloader 01971c26c29bbf6e54f3c895cd6c6ab13f72303f 3dde9cf1ea25ec8623cf240fe8d23e8d3fe465f0 7ebf9b416b72a203df65383eec899dc689d2c3d7 fbe5e97e7d069407605ee9138022aa82166657e6 megaproliv2 office365log and wallet backdoor collection discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey7.top/

http://wijibui0.top/

http://hefahei6.top/

http://pipevai4.top/

http://nalirou7.top/

http://gfdjgdfjgdhfbg.space/

http://gfhjdsghdfjg23.space/

http://gdfjgdfh4543nf.space/

http://fgdjgsdfghj4fds.space/

http://fgdgdjfgfdgdf.space/

http://fsdhjfsdhfsd.space/

http://fgdsjghdfghjdfhgd.space/

http://ryuesrseyth3.space/

http://fdsjkuhreyu4.space/

http://fdgjdfgehr4.space/

http://fgdgjhdfgdfjgd.space/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes

url4cnc
http://telemirror.top/stevuitreen
http://tgmirror.top/stevuitreen
http://telegatt.top/stevuitreen
http://telegka.top/stevuitreen
http://telegin.top/stevuitreen
https://t.me/stevuitreen

rc4.plain

Extracted

Family

redline

Botnet

MegaProliv2

93.115.20.139:28978

Extracted

Family

raccoon

Botnet

01971c26c29bbf6e54f3c895cd6c6ab13f72303f

Attributes

url4cnc
http://telegatt.top/vvhotsummer
http://telegka.top/vvhotsummer
http://telegin.top/vvhotsummer
https://t.me/vvhotsummer

rc4.plain

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

3dde9cf1ea25ec8623cf240fe8d23e8d3fe465f0

Attributes

url4cnc
http://telegatt.top/d1rolsavage
http://telegka.top/d1rolsavage
http://telegin.top/d1rolsavage
https://t.me/d1rolsavage

rc4.plain

Extracted

Family

redline

Botnet

office365log and wallet

185.215.113.102:10007

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/612-135-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/612-136-0x000000000041B252-mapping.dmp	family_redline
behavioral1/memory/612-144-0x0000000004F20000-0x0000000005526000-memory.dmp	family_redline
behavioral1/memory/1816-194-0x0000000000600000-0x0000000000622000-memory.dmp	family_redline
behavioral1/memory/1816-199-0x000000000061B282-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 2668 created 2340 2668 WerFault.exe 659E.exe
PID 868 created 1992 868 WerFault.exe D4E6.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

488E.exe4B3F.exe4B3F.exe659E.exe6DEC.exe7705.exeD090.exeD4E6.exe

pid process

384 488E.exe
3984 4B3F.exe
612 4B3F.exe
2340 659E.exe
400 6DEC.exe
2172 7705.exe
2224 D090.exe
1992 D4E6.exe

description	pid	process	target process
PID 2668 created 2340	2668	WerFault.exe	659E.exe
PID 868 created 1992	868	WerFault.exe	D4E6.exe

pid	process
384	488E.exe
3984	4B3F.exe
612	4B3F.exe
2340	659E.exe
400	6DEC.exe
2172	7705.exe
2224	D090.exe
1992	D4E6.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7705.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7705.exe

Deletes itself 1 IoCs

Processes:

pid process

3036
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3036

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7705.exe	themida
C:\Users\Admin\AppData\Local\Temp\7705.exe	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7705.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7705.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7705.exe

pid process

2172 7705.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7705.exe

pid	process
2172	7705.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe4B3F.exeD4E6.exeD090.exe

description	pid	process	target process
PID 2112 set thread context of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 3984 set thread context of 612	3984	4B3F.exe	4B3F.exe
PID 1992 set thread context of 2620	1992	D4E6.exe	AppLaunch.exe
PID 2224 set thread context of 1816	2224	D090.exe	AppLaunch.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2668 2340 WerFault.exe 659E.exe
868 1992 WerFault.exe D4E6.exe

pid	pid_target	process	target process
2668	2340	WerFault.exe	659E.exe
868	1992	WerFault.exe	D4E6.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe7705.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7705.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7705.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7705.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe

pid	process
984	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
984	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe7705.exe

pid process

984 2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
2172 7705.exe
3036
3036
3036
3036
3036
3036

pid	process
3036

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

WerFault.exe4B3F.exeWerFault.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeRestorePrivilege	2668	WerFault.exe
Token: SeBackupPrivilege	2668	WerFault.exe
Token: SeDebugPrivilege	2668	WerFault.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeDebugPrivilege	612	4B3F.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeDebugPrivilege	868	WerFault.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeDebugPrivilege	1816	AppLaunch.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe4B3F.exeD4E6.exeD090.exe

description	pid	process	target process
PID 2112 wrote to memory of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 2112 wrote to memory of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 2112 wrote to memory of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 2112 wrote to memory of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 2112 wrote to memory of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 2112 wrote to memory of 984	2112	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe	2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
PID 3036 wrote to memory of 384	3036		488E.exe
PID 3036 wrote to memory of 384	3036		488E.exe
PID 3036 wrote to memory of 384	3036		488E.exe
PID 3036 wrote to memory of 3984	3036		4B3F.exe
PID 3036 wrote to memory of 3984	3036		4B3F.exe
PID 3036 wrote to memory of 3984	3036		4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3984 wrote to memory of 612	3984	4B3F.exe	4B3F.exe
PID 3036 wrote to memory of 2340	3036		659E.exe
PID 3036 wrote to memory of 2340	3036		659E.exe
PID 3036 wrote to memory of 2340	3036		659E.exe
PID 3036 wrote to memory of 400	3036		6DEC.exe
PID 3036 wrote to memory of 400	3036		6DEC.exe
PID 3036 wrote to memory of 400	3036		6DEC.exe
PID 3036 wrote to memory of 2172	3036		7705.exe
PID 3036 wrote to memory of 2172	3036		7705.exe
PID 3036 wrote to memory of 2172	3036		7705.exe
PID 3036 wrote to memory of 2224	3036		D090.exe
PID 3036 wrote to memory of 2224	3036		D090.exe
PID 3036 wrote to memory of 2224	3036		D090.exe
PID 3036 wrote to memory of 1992	3036		D4E6.exe
PID 3036 wrote to memory of 1992	3036		D4E6.exe
PID 3036 wrote to memory of 1992	3036		D4E6.exe
PID 3036 wrote to memory of 3380	3036		explorer.exe
PID 3036 wrote to memory of 3380	3036		explorer.exe
PID 3036 wrote to memory of 3380	3036		explorer.exe
PID 3036 wrote to memory of 3380	3036		explorer.exe
PID 3036 wrote to memory of 1640	3036		explorer.exe
PID 3036 wrote to memory of 1640	3036		explorer.exe
PID 3036 wrote to memory of 1640	3036		explorer.exe
PID 3036 wrote to memory of 3872	3036		explorer.exe
PID 3036 wrote to memory of 3872	3036		explorer.exe
PID 3036 wrote to memory of 3872	3036		explorer.exe
PID 3036 wrote to memory of 3872	3036		explorer.exe
PID 1992 wrote to memory of 2620	1992	D4E6.exe	AppLaunch.exe
PID 1992 wrote to memory of 2620	1992	D4E6.exe	AppLaunch.exe
PID 1992 wrote to memory of 2620	1992	D4E6.exe	AppLaunch.exe
PID 1992 wrote to memory of 2620	1992	D4E6.exe	AppLaunch.exe
PID 1992 wrote to memory of 2620	1992	D4E6.exe	AppLaunch.exe
PID 2224 wrote to memory of 1816	2224	D090.exe	AppLaunch.exe
PID 2224 wrote to memory of 1816	2224	D090.exe	AppLaunch.exe
PID 2224 wrote to memory of 1816	2224	D090.exe	AppLaunch.exe
PID 2224 wrote to memory of 1816	2224	D090.exe	AppLaunch.exe
PID 2224 wrote to memory of 1816	2224	D090.exe	AppLaunch.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
"C:\Users\Admin\AppData\Local\Temp\2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe
"C:\Users\Admin\AppData\Local\Temp\2deaa4b2208821ac9749d2e15e465560670ebfa3578294222b5c09ad140a4db7.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:984

C:\Users\Admin\AppData\Local\Temp\488E.exe
C:\Users\Admin\AppData\Local\Temp\488E.exe
1⤵
- Executes dropped EXE
PID:384

C:\Users\Admin\AppData\Local\Temp\4B3F.exe
C:\Users\Admin\AppData\Local\Temp\4B3F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\4B3F.exe
C:\Users\Admin\AppData\Local\Temp\4B3F.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Users\Admin\AppData\Local\Temp\659E.exe
C:\Users\Admin\AppData\Local\Temp\659E.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 816
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Users\Admin\AppData\Local\Temp\6DEC.exe
C:\Users\Admin\AppData\Local\Temp\6DEC.exe
1⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\7705.exe
C:\Users\Admin\AppData\Local\Temp\7705.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2172

C:\Users\Admin\AppData\Local\Temp\D090.exe
C:\Users\Admin\AppData\Local\Temp\D090.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\D4E6.exe
C:\Users\Admin\AppData\Local\Temp\D4E6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 244
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3380

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1640

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4B3F.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\488E.exe
MD5
b580d9723dadf243bb7a12f9da4bf0f8

SHA1
0ede899718106b4dab1570eabec79802d31ac593

SHA256
dc727099d3858b71798e4bc041531575d66e846e6fec21b8812185e34bb18b4e

SHA512
0278150e532b0c8d6b65fd48398027ff633f4b1e1bd7d28823c7f24ff05655f5ec86183cb37faf5d20497ba18615fc14a651696eb5ed26c05487440a75febd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\488E.exe
MD5
b580d9723dadf243bb7a12f9da4bf0f8

SHA1
0ede899718106b4dab1570eabec79802d31ac593

SHA256
dc727099d3858b71798e4bc041531575d66e846e6fec21b8812185e34bb18b4e

SHA512
0278150e532b0c8d6b65fd48398027ff633f4b1e1bd7d28823c7f24ff05655f5ec86183cb37faf5d20497ba18615fc14a651696eb5ed26c05487440a75febd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B3F.exe
MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B3F.exe
MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B3F.exe
MD5
6f1a319fb002c4b62511ce54eeb9d017

SHA1
2a1d57f27737725e6a004735d787d2297b594b76

SHA256
bafd80aced58bd4a594122d242fda0705c0ef8b3f01ab26c5d1c40c995c36956

SHA512
ac02d51a6f374f87c34fa8dfed714018de8a72b97900a6c7f05c6e73fb7bc509f0931f9f3bd76edfc80c3840bfbc2e1237ad0375788b2e55f1ded62514f3b645

Download Submit
C:\Users\Admin\AppData\Local\Temp\659E.exe
MD5
8fbb3cf89668f6abe21991a4007096b4

SHA1
15c84e26b3ca571236961068fe051b96247499d2

SHA256
d4a83fcae0bcdcf43c4016e6891ced32829f012d34274f4a1fa616d6b52dc2af

SHA512
de53f5d210bc6f3ed259b49646743ab8407ad88c979e753dbec72e47fd4246ce7fd8d1ae49439e75d0f98a8438cd325a2bb2d10c080d16862a379d4dee97d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\659E.exe
MD5
8fbb3cf89668f6abe21991a4007096b4

SHA1
15c84e26b3ca571236961068fe051b96247499d2

SHA256
d4a83fcae0bcdcf43c4016e6891ced32829f012d34274f4a1fa616d6b52dc2af

SHA512
de53f5d210bc6f3ed259b49646743ab8407ad88c979e753dbec72e47fd4246ce7fd8d1ae49439e75d0f98a8438cd325a2bb2d10c080d16862a379d4dee97d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DEC.exe
MD5
467a07c47e3cdfb7852814ea1bd1b1cf

SHA1
19b722f3b4e0b3a6ba268fad9ee823a4a492e744

SHA256
e9f2be4b4fe45257045612a799c438d713421d2d4b99a3c175b6f8a44fc69984

SHA512
21a05c0ebd07577480d614fc2eea6b939edd800a2e781f047091f8fca052dac3e4c33682c0fb80a526063994db863f195cb3228f7268f5a8544dd50e521988aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DEC.exe
MD5
467a07c47e3cdfb7852814ea1bd1b1cf

SHA1
19b722f3b4e0b3a6ba268fad9ee823a4a492e744

SHA256
e9f2be4b4fe45257045612a799c438d713421d2d4b99a3c175b6f8a44fc69984

SHA512
21a05c0ebd07577480d614fc2eea6b939edd800a2e781f047091f8fca052dac3e4c33682c0fb80a526063994db863f195cb3228f7268f5a8544dd50e521988aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7705.exe
MD5
42c7464e0b74f85c180739554277cf10

SHA1
54758bb3955b8b8a7479a8e1e1ec1811961a4061

SHA256
9af00974a746987fb1f6f4b4718cb7bcc5ddff7977fb1de40b95cb331d90d5d7

SHA512
a6ee1cca33899dddcaf63a615b2a35960120b5d6c8e2d7b8793958a435d4b94cd53d18e276ec4ff26c3ee33177fa9552a55115f2a46e8ea6090b6b988fa58041

Download Submit
C:\Users\Admin\AppData\Local\Temp\7705.exe
MD5
42c7464e0b74f85c180739554277cf10

SHA1
54758bb3955b8b8a7479a8e1e1ec1811961a4061

SHA256
9af00974a746987fb1f6f4b4718cb7bcc5ddff7977fb1de40b95cb331d90d5d7

SHA512
a6ee1cca33899dddcaf63a615b2a35960120b5d6c8e2d7b8793958a435d4b94cd53d18e276ec4ff26c3ee33177fa9552a55115f2a46e8ea6090b6b988fa58041

Download Submit
C:\Users\Admin\AppData\Local\Temp\D090.exe
MD5
cbb743554f7e939e28492cb0b292c348

SHA1
789526e544dd10c9f2af5b0c06527c509305a014

SHA256
8f7507a21d111bc53b7fb852fd1a0b2b007eef20db3b73d58ace4fcef5cc1175

SHA512
c78f8099950bcf55c2eb25d57822d0ab978c2968332f851afd2f2f09dbf0a53e0c624a792389d4503215a0726d303b00075e591193534955d421664900d24e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\D090.exe
MD5
cbb743554f7e939e28492cb0b292c348

SHA1
789526e544dd10c9f2af5b0c06527c509305a014

SHA256
8f7507a21d111bc53b7fb852fd1a0b2b007eef20db3b73d58ace4fcef5cc1175

SHA512
c78f8099950bcf55c2eb25d57822d0ab978c2968332f851afd2f2f09dbf0a53e0c624a792389d4503215a0726d303b00075e591193534955d421664900d24e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4E6.exe
MD5
1ee4dbdd3590335ffaa92c131911705d

SHA1
093c3979d72cabd3409424c07fb0ed8e4e32f5ce

SHA256
cef68aa75710c3a28b46d5fceb8ff05718bf7f994cbc49cf5ab16c06e69a54bf

SHA512
f263f35a7c02ac2997c2d611038328031aed1bea24c15f0f9a91859d6359de715817f770f6d5da4a619b097f2256a5c8259d95c33bb3daed0459f94356b4b4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4E6.exe
MD5
1ee4dbdd3590335ffaa92c131911705d

SHA1
093c3979d72cabd3409424c07fb0ed8e4e32f5ce

SHA256
cef68aa75710c3a28b46d5fceb8ff05718bf7f994cbc49cf5ab16c06e69a54bf

SHA512
f263f35a7c02ac2997c2d611038328031aed1bea24c15f0f9a91859d6359de715817f770f6d5da4a619b097f2256a5c8259d95c33bb3daed0459f94356b4b4e1

Download Submit
memory/384-133-0x0000000002140000-0x00000000021CE000-memory.dmp

Filesize
568KB

Download
memory/384-134-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/384-120-0x0000000000000000-mapping.dmp

Download
memory/400-157-0x00000000019E9000-0x0000000001A38000-memory.dmp

Filesize
316KB

Download
memory/400-161-0x0000000001800000-0x000000000194A000-memory.dmp

Filesize
1.3MB

Download
memory/400-163-0x0000000000400000-0x00000000016FA000-memory.dmp

Filesize
19.0MB

Download
memory/400-154-0x0000000000000000-mapping.dmp

Download
memory/612-135-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/612-164-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/612-145-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/612-146-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/612-144-0x0000000004F20000-0x0000000005526000-memory.dmp

Filesize
6.0MB

Download
memory/612-143-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/612-142-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/612-170-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/612-167-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/612-141-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/612-136-0x000000000041B252-mapping.dmp

Download
memory/612-165-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/984-117-0x0000000000402E86-mapping.dmp

Download
memory/984-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-183-0x0000000001090000-0x000000000109C000-memory.dmp

Filesize
48KB

Download
memory/1640-182-0x00000000010A0000-0x00000000010A7000-memory.dmp

Filesize
28KB

Download
memory/1640-179-0x0000000000000000-mapping.dmp

Download
memory/1816-199-0x000000000061B282-mapping.dmp

Download
memory/1816-210-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1816-224-0x000000000AD10000-0x000000000AD11000-memory.dmp

Filesize
4KB

Download
memory/1816-209-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/1816-194-0x0000000000600000-0x0000000000622000-memory.dmp

Filesize
136KB

Download
memory/1816-200-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1816-201-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1816-214-0x00000000088C0000-0x0000000008EC6000-memory.dmp

Filesize
6.0MB

Download
memory/1816-202-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1816-203-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1992-175-0x0000000000000000-mapping.dmp

Download
memory/2112-118-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2172-162-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-158-0x0000000000000000-mapping.dmp

Download
memory/2224-172-0x0000000000000000-mapping.dmp

Download
memory/2340-147-0x0000000000000000-mapping.dmp

Download
memory/2340-150-0x0000000000830000-0x00000000008C1000-memory.dmp

Filesize
580KB

Download
memory/2340-151-0x0000000000831000-0x000000000089B000-memory.dmp

Filesize
424KB

Download
memory/2620-185-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2620-193-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2620-191-0x000000000043E9BE-mapping.dmp

Download
memory/3036-119-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/3036-171-0x0000000002CE0000-0x0000000002CF6000-memory.dmp

Filesize
88KB

Download
memory/3380-181-0x0000000002F70000-0x0000000002FDB000-memory.dmp

Filesize
428KB

Download
memory/3380-180-0x0000000003200000-0x0000000003274000-memory.dmp

Filesize
464KB

Download
memory/3380-178-0x0000000000000000-mapping.dmp

Download
memory/3872-184-0x0000000000000000-mapping.dmp

Download
memory/3872-192-0x0000000003260000-0x0000000003287000-memory.dmp

Filesize
156KB

Download
memory/3872-190-0x0000000003290000-0x00000000032B2000-memory.dmp

Filesize
136KB

Download
memory/3984-124-0x0000000000000000-mapping.dmp

Download
memory/3984-127-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3984-129-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3984-130-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3984-131-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3984-132-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download