Overview

overview

10

Static

static

open this ...rk.exe

windows7_x64

10

open this ...rk.exe

windows10_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-10-2021 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    open this if the doesn't work.exe

  • Size

    225KB

  • MD5

    75dc0b7ee8ecf84a04ae6dd0ace2f54d

  • SHA1

    4185141db5402579321714059282892a932661cf

  • SHA256

    06f18fc3c26ff3b6b028d3745e020bc973b3892c0a77096b5d1371dc82989298

  • SHA512

    57de91590f724f26eec8d24deaaa1f6cb5eb23ee0fe727152de89abbff9503bffd2ea91d60be280c482df942e51b196de8c73a71e6194c2019d0563eb5cd0d05

Score
10/10
raccoon580b491e2149e767dbb79725a6a0395d016c0b15evasionstealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

580b491e2149e767dbb79725a6a0395d016c0b15

Attributes
  • url4cnc

    http://telegin.top/jabbahatt121

    http://ttmirror.top/jabbahatt121

    http://teletele.top/jabbahatt121

    http://telegalive.top/jabbahatt121

    http://toptelete.top/jabbahatt121

    http://telegraf.top/jabbahatt121

    https://t.me/jabbahatt121

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Nirsoft 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
    "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
    1⤵
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe" /SpecialRun 4101d8 1444
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3492
    • C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
      "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
      2⤵
        PID:1028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1016
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Drops file in Windows directory
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2116

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Disabling Security Tools

    3
    T1089

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit
    • memory/1028-137-0x0000000000400000-0x0000000000492000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1028-138-0x000000000043E9BE-mapping.dmp
      Download
    • memory/1028-141-0x0000000000400000-0x0000000000492000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1444-127-0x0000000000000000-mapping.dmp
      Download
    • memory/2184-115-0x0000000000B70000-0x0000000000B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-120-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-121-0x00000000057A0000-0x00000000057A3000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2184-117-0x0000000005400000-0x0000000005401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-125-0x0000000008190000-0x0000000008276000-memory.dmp
      Filesize

      920KB

      Download
    • memory/2184-126-0x000000000DFA0000-0x000000000DFA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3492-147-0x0000000008B70000-0x0000000008B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-136-0x0000000007AD0000-0x0000000007AD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-134-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-133-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-160-0x0000000007493000-0x0000000007494000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-135-0x0000000004E10000-0x0000000004E11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-140-0x0000000007492000-0x0000000007493000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-142-0x0000000007880000-0x0000000007881000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-143-0x0000000007920000-0x0000000007921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-144-0x0000000007990000-0x0000000007991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-145-0x0000000008200000-0x0000000008201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-146-0x0000000007A90000-0x0000000007A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-139-0x0000000007490000-0x0000000007491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-148-0x0000000008930000-0x0000000008931000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-149-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-159-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3492-161-0x0000000007494000-0x0000000007496000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4084-130-0x0000000000000000-mapping.dmp
      Download