Overview

overview

10

Static

static

7

Software u...ox.exe

windows7_x64

10

Software u...ox.exe

windows10_x64

10

Software-u...90.exe

windows7_x64

8

Software-u...90.exe

windows10_x64

10

open this ...rk.exe

windows7_x64

10

open this ...rk.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-10-2021 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    open this if the doesn't work.exe

  • Size

    225KB

  • MD5

    75dc0b7ee8ecf84a04ae6dd0ace2f54d

  • SHA1

    4185141db5402579321714059282892a932661cf

  • SHA256

    06f18fc3c26ff3b6b028d3745e020bc973b3892c0a77096b5d1371dc82989298

  • SHA512

    57de91590f724f26eec8d24deaaa1f6cb5eb23ee0fe727152de89abbff9503bffd2ea91d60be280c482df942e51b196de8c73a71e6194c2019d0563eb5cd0d05

Score
10/10
raccoon580b491e2149e767dbb79725a6a0395d016c0b15evasionstealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

580b491e2149e767dbb79725a6a0395d016c0b15

Attributes
  • url4cnc

    http://telegin.top/jabbahatt121

    http://ttmirror.top/jabbahatt121

    http://teletele.top/jabbahatt121

    http://telegalive.top/jabbahatt121

    http://toptelete.top/jabbahatt121

    http://telegraf.top/jabbahatt121

    https://t.me/jabbahatt121

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Nirsoft 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
    "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
    1⤵
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe" /SpecialRun 4101d8 316
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
      "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
      2⤵
        PID:3192
      • C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
        "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
        2⤵
          PID:2832
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 964
            3⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Drops file in Windows directory
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Disabling Security Tools

      3
      T1089

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • memory/316-127-0x0000000000000000-mapping.dmp
        Download
      • memory/2108-117-0x0000000004E10000-0x0000000004E11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2108-115-0x0000000000540000-0x0000000000541000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2108-125-0x0000000007B60000-0x0000000007C46000-memory.dmp
        Filesize

        920KB

        Download
      • memory/2108-121-0x0000000004D40000-0x0000000004D43000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2108-118-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2108-126-0x000000000D960000-0x000000000D961000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2552-130-0x0000000000000000-mapping.dmp
        Download
      • memory/2628-161-0x0000000006AD4000-0x0000000006AD6000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2628-141-0x0000000006DF0000-0x0000000006DF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-149-0x0000000000B00000-0x0000000000B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-159-0x0000000000B00000-0x0000000000B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-136-0x0000000007110000-0x0000000007111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-132-0x0000000000000000-mapping.dmp
        Download
      • memory/2628-135-0x0000000001010000-0x0000000001011000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-139-0x0000000006AD0000-0x0000000006AD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-140-0x0000000006AD2000-0x0000000006AD3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-134-0x0000000000B00000-0x0000000000B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-142-0x0000000006E90000-0x0000000006E91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-143-0x0000000007030000-0x0000000007031000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-144-0x0000000007920000-0x0000000007921000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-160-0x0000000006AD3000-0x0000000006AD4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-146-0x0000000007740000-0x0000000007741000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-147-0x00000000082A0000-0x00000000082A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-148-0x0000000007F80000-0x0000000007F81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-133-0x0000000000B00000-0x0000000000B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2832-137-0x0000000000400000-0x0000000000492000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2832-145-0x0000000000400000-0x0000000000492000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2832-138-0x000000000043E9BE-mapping.dmp
        Download