Malware Analysis Report

2024-07-11 07:12

Sample ID: 211113-xgb4sacchq
Target: 84dd06d1e6237944e337d213947e1949
SHA256: 72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30
Tags: raccoon 8dec62c1db2959619dca43e02fa46ad7bd606400 stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

Threat Level: Known bad

The file 84dd06d1e6237944e337d213947e1949 was found to be: Known bad.

Malicious Activity Summary

raccoon 8dec62c1db2959619dca43e02fa46ad7bd606400 stealer

Suspicious use of NtCreateProcessExOtherParentProcess

Raccoon

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2021-11-13 18:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-11-13 18:49

Reported: 2021-11-13 18:51

Platform: win7-en-20211104

Max time kernel: 152s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"

Signatures

Raccoon

stealer raccoon

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1612 set thread context of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1612 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"

C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | telegin.top | udp
US | 8.8.8.8:53 | ttmirror.top | udp
US | 8.8.8.8:53 | teletele.top | udp
US | 8.8.8.8:53 | telegalive.top | udp
US | 8.8.8.8:53 | toptelete.top | udp

Files

memory/1612-55-0x0000000002D1B000-0x0000000002D92000-memory.dmp

memory/1612-56-0x0000000000220000-0x00000000002A3000-memory.dmp

memory/1612-57-0x0000000000400000-0x0000000002BB3000-memory.dmp

memory/460-58-0x0000000000400000-0x0000000000491000-memory.dmp

memory/460-59-0x0000000000402998-mapping.dmp

memory/1612-60-0x0000000000370000-0x00000000003D3000-memory.dmp

memory/1612-61-0x0000000002BC0000-0x0000000002C30000-memory.dmp

memory/460-62-0x0000000000400000-0x0000000000491000-memory.dmp

memory/460-63-0x0000000000400000-0x0000000000491000-memory.dmp

memory/460-64-0x0000000075491000-0x0000000075493000-memory.dmp

memory/460-66-0x0000000000310000-0x000000000039E000-memory.dmp

memory/460-65-0x00000000002C0000-0x000000000030E000-memory.dmp

memory/460-67-0x0000000000400000-0x0000000000491000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-11-13 18:49

Reported: 2021-11-13 18:51

Platform: win10-en-20211014

Max time kernel: 119s

Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"

Signatures

Raccoon

stealer raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Description | Indicator | Process | Target
PID 2396 created 4088 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1008 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
PID 1008 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"

C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe

"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1224

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | telegin.top | udp
US | 8.8.8.8:53 | telegin.top | udp
US | 8.8.8.8:53 | telegin.top | udp
US | 8.8.8.8:53 | ttmirror.top | udp
US | 8.8.8.8:53 | ttmirror.top | udp
US | 8.8.8.8:53 | sv.symcb.com | udp
US | 93.184.220.29:80 | sv.symcb.com | tcp
US | 8.8.8.8:53 | ttmirror.top | udp
US | 8.8.8.8:53 | time.windows.com | udp
NL | 20.101.57.9:123 | time.windows.com | udp
US | 8.8.8.8:53 | teletele.top | udp
US | 8.8.8.8:53 | teletele.top | udp
US | 8.8.8.8:53 | teletele.top | udp
US | 8.8.8.8:53 | telegalive.top | udp
US | 8.8.8.8:53 | telegalive.top | udp
US | 8.8.8.8:53 | telegalive.top | udp
US | 8.8.8.8:53 | toptelete.top | udp
US | 8.8.8.8:53 | toptelete.top | udp
US | 8.8.8.8:53 | toptelete.top | udp
US | 8.8.8.8:53 | telegraf.top | udp
US | 8.8.8.8:53 | telegraf.top | udp
US | 8.8.8.8:53 | telegraf.top | udp
US | 8.8.8.8:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
MD | 185.163.47.175:80 | 185.163.47.175 | tcp

Files

memory/1008-116-0x0000000004970000-0x00000000049F3000-memory.dmp

memory/1008-117-0x0000000000400000-0x0000000002BB3000-memory.dmp

memory/4088-118-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4088-119-0x0000000000402998-mapping.dmp

memory/1008-120-0x0000000004A00000-0x0000000004A63000-memory.dmp

memory/1008-121-0x0000000004A70000-0x0000000004AE0000-memory.dmp

memory/4088-122-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4088-123-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4088-125-0x0000000000730000-0x00000000007BE000-memory.dmp

memory/4088-124-0x00000000004A0000-0x000000000054E000-memory.dmp

memory/4088-126-0x0000000000400000-0x0000000000491000-memory.dmp