raccoon | db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10-en-20211014
submitted
14-11-2021 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
Size

219KB
MD5

d5f3dad06e57f974c5073a4fbf142eda
SHA1

856a8ab094febdf25336be12bad875399ccb600f
SHA256

db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6
SHA512

03a3329bb0274ad33ec3d4a245b7e2cb9d92455618c4ec0e3966c2413feed6abef149f484ee10ad8a23e84f29a1dd79b88a17357f79a77c9a7c2d140682dcb9d

Score

10^/10

raccoon redline smokeloader vkeylogger ddf183af4241e3172885cf1b2c4c1fb4ee03d05a superstar backdoor discovery evasion infostealer keylogger persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1268-152-0x0000000002130000-0x000000000214C000-memory.dmp	family_redline
behavioral2/memory/1268-154-0x00000000024D0000-0x00000000024EB000-memory.dmp	family_redline
behavioral2/memory/1220-168-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1220-169-0x0000000000418EEA-mapping.dmp	family_redline
behavioral2/memory/1220-178-0x00000000054A0000-0x0000000005AA6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 736 created 432 736 WerFault.exe 4B6E.exe
VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

description	pid	process	target process
PID 736 created 432	736	WerFault.exe	4B6E.exe

VKeylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2724-219-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/2724-225-0x0000000000403500-mapping.dmp	family_vkeylogger
behavioral2/memory/1816-227-0x00000000003B0000-0x00000000003BF000-memory.dmp	family_vkeylogger

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

4533.exe4533.exe49B8.exe4B6E.exe5051.exe540C.exe5051.exe49B8.exe6B4E.exe8109.exe87E0.exe

pid process

728 4533.exe
1476 4533.exe
3556 49B8.exe
432 4B6E.exe
676 5051.exe
64 540C.exe
1268 5051.exe
1220 49B8.exe
3184 6B4E.exe
1092 8109.exe
3180 87E0.exe

pid	process
728	4533.exe
1476	4533.exe
3556	49B8.exe
432	4B6E.exe
676	5051.exe
64	540C.exe
1268	5051.exe
1220	49B8.exe
3184	6B4E.exe
1092	8109.exe
3180	87E0.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6B4E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6B4E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6B4E.exe

Deletes itself 1 IoCs

Processes:

pid process

3008
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3008

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6B4E.exe	themida
behavioral2/memory/3184-187-0x0000000000230000-0x0000000000231000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\gr5wd = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtrhy = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

6B4E.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6B4E.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6B4E.exe

pid process

3184 6B4E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6B4E.exe

pid	process
3184	6B4E.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe4533.exe5051.exe49B8.exe87E0.exeRegSvcs.exe

description	pid	process	target process
PID 2700 set thread context of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 728 set thread context of 1476	728	4533.exe	4533.exe
PID 676 set thread context of 1268	676	5051.exe	5051.exe
PID 3556 set thread context of 1220	3556	49B8.exe	49B8.exe
PID 3180 set thread context of 2724	3180	87E0.exe	RegSvcs.exe
PID 2724 set thread context of 1816	2724	RegSvcs.exe	explorer.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

736 432 WerFault.exe 4B6E.exe
1500 1092 WerFault.exe 8109.exe

pid	pid_target	process	target process
736	432	WerFault.exe	4B6E.exe
1500	1092	WerFault.exe	8109.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4533.exedb1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4533.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4533.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4533.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe

pid	process
3108	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
3108	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe4533.exeRegSvcs.exeexplorer.exe

pid process

3108 db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
1476 4533.exe
2724 RegSvcs.exe
1816 explorer.exe

pid	process
3008

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

WerFault.exeWerFault.exe49B8.exe6B4E.exe

description	pid	process
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeRestorePrivilege	736	WerFault.exe
Token: SeBackupPrivilege	736	WerFault.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	736	WerFault.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	1500	WerFault.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	1220	49B8.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeDebugPrivilege	3184	6B4E.exe
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

1816 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1816 explorer.exe

pid	process
1816	explorer.exe

pid	process
1816	explorer.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe4533.exe5051.exe49B8.exe87E0.exeRegSvcs.exe

description	pid	process	target process
PID 2700 wrote to memory of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 2700 wrote to memory of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 2700 wrote to memory of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 2700 wrote to memory of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 2700 wrote to memory of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 2700 wrote to memory of 3108	2700	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe	db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
PID 3008 wrote to memory of 728	3008		4533.exe
PID 3008 wrote to memory of 728	3008		4533.exe
PID 3008 wrote to memory of 728	3008		4533.exe
PID 728 wrote to memory of 1476	728	4533.exe	4533.exe
PID 728 wrote to memory of 1476	728	4533.exe	4533.exe
PID 728 wrote to memory of 1476	728	4533.exe	4533.exe
PID 728 wrote to memory of 1476	728	4533.exe	4533.exe
PID 728 wrote to memory of 1476	728	4533.exe	4533.exe
PID 728 wrote to memory of 1476	728	4533.exe	4533.exe
PID 3008 wrote to memory of 3556	3008		49B8.exe
PID 3008 wrote to memory of 3556	3008		49B8.exe
PID 3008 wrote to memory of 3556	3008		49B8.exe
PID 3008 wrote to memory of 432	3008		4B6E.exe
PID 3008 wrote to memory of 432	3008		4B6E.exe
PID 3008 wrote to memory of 432	3008		4B6E.exe
PID 3008 wrote to memory of 676	3008		5051.exe
PID 3008 wrote to memory of 676	3008		5051.exe
PID 3008 wrote to memory of 676	3008		5051.exe
PID 3008 wrote to memory of 64	3008		540C.exe
PID 3008 wrote to memory of 64	3008		540C.exe
PID 3008 wrote to memory of 64	3008		540C.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 676 wrote to memory of 1268	676	5051.exe	5051.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3556 wrote to memory of 1220	3556	49B8.exe	49B8.exe
PID 3008 wrote to memory of 3184	3008		6B4E.exe
PID 3008 wrote to memory of 3184	3008		6B4E.exe
PID 3008 wrote to memory of 3184	3008		6B4E.exe
PID 3008 wrote to memory of 1092	3008		8109.exe
PID 3008 wrote to memory of 1092	3008		8109.exe
PID 3008 wrote to memory of 1092	3008		8109.exe
PID 3008 wrote to memory of 3180	3008		87E0.exe
PID 3008 wrote to memory of 3180	3008		87E0.exe
PID 3008 wrote to memory of 3180	3008		87E0.exe
PID 3180 wrote to memory of 2724	3180	87E0.exe	RegSvcs.exe
PID 3180 wrote to memory of 2724	3180	87E0.exe	RegSvcs.exe
PID 3180 wrote to memory of 2724	3180	87E0.exe	RegSvcs.exe
PID 3180 wrote to memory of 2724	3180	87E0.exe	RegSvcs.exe
PID 3180 wrote to memory of 2724	3180	87E0.exe	RegSvcs.exe
PID 2724 wrote to memory of 1816	2724	RegSvcs.exe	explorer.exe
PID 2724 wrote to memory of 1816	2724	RegSvcs.exe	explorer.exe
PID 2724 wrote to memory of 1816	2724	RegSvcs.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
"C:\Users\Admin\AppData\Local\Temp\db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe
"C:\Users\Admin\AppData\Local\Temp\db1473e749077ed815a6dd154d1d595fb4ddee5429e3a38192f5c90d6d71e2d6.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3108

C:\Users\Admin\AppData\Local\Temp\4533.exe
C:\Users\Admin\AppData\Local\Temp\4533.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\4533.exe
C:\Users\Admin\AppData\Local\Temp\4533.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1476

C:\Users\Admin\AppData\Local\Temp\49B8.exe
C:\Users\Admin\AppData\Local\Temp\49B8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\49B8.exe
C:\Users\Admin\AppData\Local\Temp\49B8.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\4B6E.exe
C:\Users\Admin\AppData\Local\Temp\4B6E.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 480
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Users\Admin\AppData\Local\Temp\5051.exe
C:\Users\Admin\AppData\Local\Temp\5051.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\5051.exe
C:\Users\Admin\AppData\Local\Temp\5051.exe
2⤵
- Executes dropped EXE
PID:1268

C:\Users\Admin\AppData\Local\Temp\540C.exe
C:\Users\Admin\AppData\Local\Temp\540C.exe
1⤵
- Executes dropped EXE
PID:64

C:\Users\Admin\AppData\Local\Temp\6B4E.exe
C:\Users\Admin\AppData\Local\Temp\6B4E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Users\Admin\AppData\Local\Temp\8109.exe
C:\Users\Admin\AppData\Local\Temp\8109.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 400
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\AppData\Local\Temp\87E0.exe
C:\Users\Admin\AppData\Local\Temp\87E0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\49B8.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\4533.exe
MD5
f6839a3fcf7ceceb2de4bc8660cb5217

SHA1
94aaa6afb1c45ca26dc8f62d41e9c03218f7ae40

SHA256
3d609b245011159c0eeced43065a077488fbdb4273db8e2a93daff79392dc68e

SHA512
6369d846155d83f3d8876c685b36904d7a10ce31cb9a5aa58c9a05583316110a827520cd75bbb7eb66e9a8f1f7be41c382803638f61c28b204208f9750c54fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4533.exe
MD5
f6839a3fcf7ceceb2de4bc8660cb5217

SHA1
94aaa6afb1c45ca26dc8f62d41e9c03218f7ae40

SHA256
3d609b245011159c0eeced43065a077488fbdb4273db8e2a93daff79392dc68e

SHA512
6369d846155d83f3d8876c685b36904d7a10ce31cb9a5aa58c9a05583316110a827520cd75bbb7eb66e9a8f1f7be41c382803638f61c28b204208f9750c54fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4533.exe
MD5
f6839a3fcf7ceceb2de4bc8660cb5217

SHA1
94aaa6afb1c45ca26dc8f62d41e9c03218f7ae40

SHA256
3d609b245011159c0eeced43065a077488fbdb4273db8e2a93daff79392dc68e

SHA512
6369d846155d83f3d8876c685b36904d7a10ce31cb9a5aa58c9a05583316110a827520cd75bbb7eb66e9a8f1f7be41c382803638f61c28b204208f9750c54fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\49B8.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\49B8.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\49B8.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B6E.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B6E.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5051.exe
MD5
754b7dd3c4ca7a4e3d074cf24a934525

SHA1
8dc9a81213bad3423f7e5fb91c445e3263ffd9f8

SHA256
4c4a7d533c0e8ef4d071cd62cd87293d839920df94449638ecbe3e25ff0c2d03

SHA512
6a27497839c0cad835bbd049be80860bcd594d8d2aa30f5b9a42ee94fd84aa9c76f414514d486d0f8eae0559207f5ef2f860fed45a986820deae0e03787aa771

Download Submit
C:\Users\Admin\AppData\Local\Temp\5051.exe
MD5
754b7dd3c4ca7a4e3d074cf24a934525

SHA1
8dc9a81213bad3423f7e5fb91c445e3263ffd9f8

SHA256
4c4a7d533c0e8ef4d071cd62cd87293d839920df94449638ecbe3e25ff0c2d03

SHA512
6a27497839c0cad835bbd049be80860bcd594d8d2aa30f5b9a42ee94fd84aa9c76f414514d486d0f8eae0559207f5ef2f860fed45a986820deae0e03787aa771

Download Submit
C:\Users\Admin\AppData\Local\Temp\5051.exe
MD5
754b7dd3c4ca7a4e3d074cf24a934525

SHA1
8dc9a81213bad3423f7e5fb91c445e3263ffd9f8

SHA256
4c4a7d533c0e8ef4d071cd62cd87293d839920df94449638ecbe3e25ff0c2d03

SHA512
6a27497839c0cad835bbd049be80860bcd594d8d2aa30f5b9a42ee94fd84aa9c76f414514d486d0f8eae0559207f5ef2f860fed45a986820deae0e03787aa771

Download Submit
C:\Users\Admin\AppData\Local\Temp\540C.exe
MD5
0f9d1f2e3aaad601bb95a039b0aedcfb

SHA1
141e7b7b2a4a31b2a7e599b2d2064239fcc66707

SHA256
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

SHA512
b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\540C.exe
MD5
0f9d1f2e3aaad601bb95a039b0aedcfb

SHA1
141e7b7b2a4a31b2a7e599b2d2064239fcc66707

SHA256
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

SHA512
b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B4E.exe
MD5
2b981c5d303d855ff0b7784ea7082860

SHA1
72638cba4542e5f56f701d9579ba857d1675ee98

SHA256
1a320f02f4bb5f3c0464dbf9d3f66939ce25f3683e262dc9326056ab329819cc

SHA512
28043fd7c35b0f4f75a36e10da6e5fa868939faf3e223905f15b66fdfdfdf0751c6693ab22cb19917d88ec1f7a4cc33e10401c54554b0434e9a7cae90b8aa9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8109.exe
MD5
ea4e92c55ba38780f02876d7b23220db

SHA1
c2828d048a98ae4a0b10a0086569f7923ff880f3

SHA256
4970975b3596048497e4cd865a66e68b017afddc392ce8de6d1b071846908295

SHA512
72521d1f0d6444225405c077d2f28f1dc36847a244beb24bbb7f577e6846fad8ad25b54d104377432e6153a813bfeb1feb6910d447eebb412d49e6131c46c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\8109.exe
MD5
ea4e92c55ba38780f02876d7b23220db

SHA1
c2828d048a98ae4a0b10a0086569f7923ff880f3

SHA256
4970975b3596048497e4cd865a66e68b017afddc392ce8de6d1b071846908295

SHA512
72521d1f0d6444225405c077d2f28f1dc36847a244beb24bbb7f577e6846fad8ad25b54d104377432e6153a813bfeb1feb6910d447eebb412d49e6131c46c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\87E0.exe
MD5
0ed76cd7cb14cc30d04802a750bcad22

SHA1
ed719729d7025b6d16399c88a7334fdd58b0d603

SHA256
f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1

SHA512
89452af762b13227bd835a50d8e5d55a0760889699fae5bb7da67fba1b4fa16207c9e395230cb2f3b135266c3dfac98f45bb8df3b8f9391d55696f8f13e64ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\87E0.exe
MD5
0ed76cd7cb14cc30d04802a750bcad22

SHA1
ed719729d7025b6d16399c88a7334fdd58b0d603

SHA256
f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1

SHA512
89452af762b13227bd835a50d8e5d55a0760889699fae5bb7da67fba1b4fa16207c9e395230cb2f3b135266c3dfac98f45bb8df3b8f9391d55696f8f13e64ea6

Download Submit
memory/64-180-0x00000000047C0000-0x000000000484F000-memory.dmp

Filesize
572KB

Download
memory/64-183-0x0000000000400000-0x0000000002B85000-memory.dmp

Filesize
39.5MB

Download
memory/64-145-0x0000000000000000-mapping.dmp

Download
memory/432-138-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/432-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-137-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/432-131-0x0000000000000000-mapping.dmp

Download
memory/676-158-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/676-140-0x0000000000000000-mapping.dmp

Download
memory/676-159-0x0000000001F90000-0x0000000001FC0000-memory.dmp

Filesize
192KB

Download
memory/728-129-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/728-120-0x0000000000000000-mapping.dmp

Download
memory/728-130-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/1092-202-0x0000000000000000-mapping.dmp

Download
memory/1092-206-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/1220-200-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/1220-203-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/1220-178-0x00000000054A0000-0x0000000005AA6000-memory.dmp

Filesize
6.0MB

Download
memory/1220-197-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/1220-169-0x0000000000418EEA-mapping.dmp

Download
memory/1220-168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1220-201-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/1268-156-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/1268-152-0x0000000002130000-0x000000000214C000-memory.dmp

Filesize
112KB

Download
memory/1268-161-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1268-162-0x0000000002004000-0x0000000002006000-memory.dmp

Filesize
8KB

Download
memory/1268-163-0x0000000002002000-0x0000000002003000-memory.dmp

Filesize
4KB

Download
memory/1268-165-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1268-164-0x0000000002003000-0x0000000002004000-memory.dmp

Filesize
4KB

Download
memory/1268-166-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1268-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-157-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/1268-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-155-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1268-154-0x00000000024D0000-0x00000000024EB000-memory.dmp

Filesize
108KB

Download
memory/1268-149-0x000000000040CD2F-mapping.dmp

Download
memory/1476-124-0x0000000000402DD8-mapping.dmp

Download
memory/1816-227-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/1816-226-0x00000000003B2E90-mapping.dmp

Download
memory/2700-116-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/2700-115-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2724-225-0x0000000000403500-mapping.dmp

Download
memory/2724-219-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3008-167-0x0000000003210000-0x0000000003226000-memory.dmp

Filesize
88KB

Download
memory/3008-119-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/3108-118-0x0000000000402DD8-mapping.dmp

Download
memory/3108-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3180-207-0x0000000000000000-mapping.dmp

Download
memory/3184-195-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3184-218-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3184-194-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3184-187-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3184-181-0x0000000000000000-mapping.dmp

Download
memory/3556-126-0x0000000000000000-mapping.dmp

Download
memory/3556-134-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3556-136-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3556-143-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3556-144-0x0000000002760000-0x00000000027D6000-memory.dmp

Filesize
472KB

Download
memory/3556-150-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download