raccoon | 5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603

Analysis

max time kernel
151s
max time network
149s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-12-2021 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
Size

249KB
MD5

980e7d040217093ce2eb9aed5ce790bf
SHA1

b045450271010c3ecf28ff580d692c2c4923eb53
SHA256

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603
SHA512

0e834210c22a3dccbfcdc760e0891ff3658f43f2a08cffc56ab3e31af6528503a13b48bca722a3062f7dd71506eb31386927a002ccfadeec875a7806ae5059c3

Score

10^/10

raccoon redline smokeloader 049dc5184bb65eb56e4e860bf61427e2a0fcba1e b620be4c85b4051a92040003edbc322be4eb082d backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

049dc5184bb65eb56e4e860bf61427e2a0fcba1e

Attributes

url4cnc
http://185.225.19.18/duglassa1
http://91.219.237.227/duglassa1
https://t.me/duglassa1

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-141-0x0000000000350000-0x00000000004C5000-memory.dmp	family_redline
behavioral1/memory/2296-158-0x0000000001120000-0x0000000001288000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 64 created 2544 64 WerFault.exe 5437.exe
Downloads MZ/PE file

description	pid	process	target process
PID 64 created 2544	64	WerFault.exe	5437.exe

Executes dropped EXE 13 IoCs

Processes:

46E8.exe46E8.exe5437.exeACC8.exeB555.exeBF58.exeACC8.exeCD92.exeE580.exeRitroverai.exe.comRitroverai.exe.comRitroverai.exe.comRitroverai.exe.com

pid	process
676	46E8.exe
2860	46E8.exe
2544	5437.exe
948	ACC8.exe
2420	B555.exe
2296	BF58.exe
1700	ACC8.exe
2264	CD92.exe
2984	E580.exe
3936	Ritroverai.exe.com
1040	Ritroverai.exe.com
980	Ritroverai.exe.com
1340	Ritroverai.exe.com

Deletes itself 1 IoCs

Processes:

pid process

2800
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2800

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E580.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	E580.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	E580.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

BF58.exe

pid process

2296 BF58.exe

pid	process
2296	BF58.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe46E8.exeACC8.exe

description	pid	process	target process
PID 4056 set thread context of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 676 set thread context of 2860	676	46E8.exe	46E8.exe
PID 948 set thread context of 1700	948	ACC8.exe	ACC8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

64 2544 WerFault.exe 5437.exe

pid	pid_target	process	target process
64	2544	WerFault.exe	5437.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe46E8.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46E8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46E8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	46E8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2528 PING.EXE

pid	process
2528	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe

pid	process
1404	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
1404	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2800
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe46E8.exe

pid process

1404 5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
2860 46E8.exe

pid	process
2800

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeBF58.exeB555.exe

description	pid	process
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeRestorePrivilege	64	WerFault.exe
Token: SeBackupPrivilege	64	WerFault.exe
Token: SeDebugPrivilege	64	WerFault.exe
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeDebugPrivilege	2296	BF58.exe
Token: SeDebugPrivilege	2420	B555.exe
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800
Token: SeCreatePagefilePrivilege	2800
Token: SeShutdownPrivilege	2800

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

Ritroverai.exe.comRitroverai.exe.comRitroverai.exe.com

pid	process
3936	Ritroverai.exe.com
2800
2800
3936	Ritroverai.exe.com
3936	Ritroverai.exe.com
3936	Ritroverai.exe.com
2800
2800
1040	Ritroverai.exe.com
2800
2800
1040	Ritroverai.exe.com
1040	Ritroverai.exe.com
2800
2800
980	Ritroverai.exe.com
2800
2800
980	Ritroverai.exe.com
980	Ritroverai.exe.com
980	Ritroverai.exe.com
2800
2800

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

Ritroverai.exe.comRitroverai.exe.comRitroverai.exe.com

pid	process
3936	Ritroverai.exe.com
3936	Ritroverai.exe.com
3936	Ritroverai.exe.com
3936	Ritroverai.exe.com
1040	Ritroverai.exe.com
1040	Ritroverai.exe.com
1040	Ritroverai.exe.com
980	Ritroverai.exe.com
980	Ritroverai.exe.com
980	Ritroverai.exe.com
980	Ritroverai.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe46E8.exeACC8.exeE580.execmd.execmd.exeRitroverai.exe.comRitroverai.exe.com

description	pid	process	target process
PID 4056 wrote to memory of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 4056 wrote to memory of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 4056 wrote to memory of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 4056 wrote to memory of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 4056 wrote to memory of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 4056 wrote to memory of 1404	4056	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe	5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
PID 2800 wrote to memory of 676	2800		46E8.exe
PID 2800 wrote to memory of 676	2800		46E8.exe
PID 2800 wrote to memory of 676	2800		46E8.exe
PID 676 wrote to memory of 2860	676	46E8.exe	46E8.exe
PID 676 wrote to memory of 2860	676	46E8.exe	46E8.exe
PID 676 wrote to memory of 2860	676	46E8.exe	46E8.exe
PID 676 wrote to memory of 2860	676	46E8.exe	46E8.exe
PID 676 wrote to memory of 2860	676	46E8.exe	46E8.exe
PID 676 wrote to memory of 2860	676	46E8.exe	46E8.exe
PID 2800 wrote to memory of 2544	2800		5437.exe
PID 2800 wrote to memory of 2544	2800		5437.exe
PID 2800 wrote to memory of 2544	2800		5437.exe
PID 2800 wrote to memory of 948	2800		ACC8.exe
PID 2800 wrote to memory of 948	2800		ACC8.exe
PID 2800 wrote to memory of 948	2800		ACC8.exe
PID 2800 wrote to memory of 2420	2800		B555.exe
PID 2800 wrote to memory of 2420	2800		B555.exe
PID 2800 wrote to memory of 2420	2800		B555.exe
PID 2800 wrote to memory of 2296	2800		BF58.exe
PID 2800 wrote to memory of 2296	2800		BF58.exe
PID 2800 wrote to memory of 2296	2800		BF58.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 948 wrote to memory of 1700	948	ACC8.exe	ACC8.exe
PID 2800 wrote to memory of 2264	2800		CD92.exe
PID 2800 wrote to memory of 2264	2800		CD92.exe
PID 2800 wrote to memory of 2264	2800		CD92.exe
PID 2800 wrote to memory of 2984	2800		E580.exe
PID 2800 wrote to memory of 2984	2800		E580.exe
PID 2800 wrote to memory of 2984	2800		E580.exe
PID 2984 wrote to memory of 2172	2984	E580.exe	expand.exe
PID 2984 wrote to memory of 2172	2984	E580.exe	expand.exe
PID 2984 wrote to memory of 2172	2984	E580.exe	expand.exe
PID 2984 wrote to memory of 1320	2984	E580.exe	cmd.exe
PID 2984 wrote to memory of 1320	2984	E580.exe	cmd.exe
PID 2984 wrote to memory of 1320	2984	E580.exe	cmd.exe
PID 1320 wrote to memory of 1624	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 1624	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 1624	1320	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1636	1624	cmd.exe	findstr.exe
PID 1624 wrote to memory of 1636	1624	cmd.exe	findstr.exe
PID 1624 wrote to memory of 1636	1624	cmd.exe	findstr.exe
PID 1624 wrote to memory of 3936	1624	cmd.exe	Ritroverai.exe.com
PID 1624 wrote to memory of 3936	1624	cmd.exe	Ritroverai.exe.com
PID 1624 wrote to memory of 3936	1624	cmd.exe	Ritroverai.exe.com
PID 1624 wrote to memory of 2528	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 2528	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 2528	1624	cmd.exe	PING.EXE
PID 3936 wrote to memory of 1040	3936	Ritroverai.exe.com	Ritroverai.exe.com
PID 3936 wrote to memory of 1040	3936	Ritroverai.exe.com	Ritroverai.exe.com
PID 3936 wrote to memory of 1040	3936	Ritroverai.exe.com	Ritroverai.exe.com
PID 1040 wrote to memory of 980	1040	Ritroverai.exe.com	Ritroverai.exe.com

C:\Users\Admin\AppData\Local\Temp\5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
"C:\Users\Admin\AppData\Local\Temp\5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe
"C:\Users\Admin\AppData\Local\Temp\5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1404

C:\Users\Admin\AppData\Local\Temp\46E8.exe
C:\Users\Admin\AppData\Local\Temp\46E8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\46E8.exe
C:\Users\Admin\AppData\Local\Temp\46E8.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2860

C:\Users\Admin\AppData\Local\Temp\5437.exe
C:\Users\Admin\AppData\Local\Temp\5437.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 268
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\ACC8.exe
C:\Users\Admin\AppData\Local\Temp\ACC8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\ACC8.exe
C:\Users\Admin\AppData\Local\Temp\ACC8.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Temp\B555.exe
C:\Users\Admin\AppData\Local\Temp\B555.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\BF58.exe
C:\Users\Admin\AppData\Local\Temp\BF58.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Admin\AppData\Local\Temp\CD92.exe
C:\Users\Admin\AppData\Local\Temp\CD92.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\E580.exe
C:\Users\Admin\AppData\Local\Temp\E580.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\expand.exe
expand
2⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Confronto.vsd
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^zsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDk$" Che.vsd
4⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
Ritroverai.exe.com B
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com B
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com B
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com B
7⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\PING.EXE
ping JQKTJDNJ
4⤵
- Runs ping.exe
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46E8.exe
MD5
980e7d040217093ce2eb9aed5ce790bf

SHA1
b045450271010c3ecf28ff580d692c2c4923eb53

SHA256
5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603

SHA512
0e834210c22a3dccbfcdc760e0891ff3658f43f2a08cffc56ab3e31af6528503a13b48bca722a3062f7dd71506eb31386927a002ccfadeec875a7806ae5059c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\46E8.exe
MD5
980e7d040217093ce2eb9aed5ce790bf

SHA1
b045450271010c3ecf28ff580d692c2c4923eb53

SHA256
5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603

SHA512
0e834210c22a3dccbfcdc760e0891ff3658f43f2a08cffc56ab3e31af6528503a13b48bca722a3062f7dd71506eb31386927a002ccfadeec875a7806ae5059c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\46E8.exe
MD5
980e7d040217093ce2eb9aed5ce790bf

SHA1
b045450271010c3ecf28ff580d692c2c4923eb53

SHA256
5dae4ad5883f35a90cf0388416e9c31a2c75f7cd047301513947dc33672b9603

SHA512
0e834210c22a3dccbfcdc760e0891ff3658f43f2a08cffc56ab3e31af6528503a13b48bca722a3062f7dd71506eb31386927a002ccfadeec875a7806ae5059c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5437.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\5437.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACC8.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACC8.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACC8.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B555.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B555.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF58.exe
MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF58.exe
MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD92.exe
MD5
2e19613dc4b7b13c47312bfdf4ec399c

SHA1
6809a37a40a224029f07c62c6308121e5d84290d

SHA256
ed7edd291d4c2cc21f2c75af41f1d32b2e6ae6973236d1715d83f01c76811021

SHA512
b939889905b7c28b217946b2185da12098ac45d0d6fe602253644d2d30f9d6c8db753c84df5cd6548c2a3b390b1c69915735240864ea0e722bfeaec05aeb620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD92.exe
MD5
2e19613dc4b7b13c47312bfdf4ec399c

SHA1
6809a37a40a224029f07c62c6308121e5d84290d

SHA256
ed7edd291d4c2cc21f2c75af41f1d32b2e6ae6973236d1715d83f01c76811021

SHA512
b939889905b7c28b217946b2185da12098ac45d0d6fe602253644d2d30f9d6c8db753c84df5cd6548c2a3b390b1c69915735240864ea0e722bfeaec05aeb620a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E580.exe
MD5
a9bc4aeb94664b8938a00b5301225d7a

SHA1
9a0ecb70fc029faeb968de0e639537d6baf525e4

SHA256
94e99f4dbbf9739b71ee8dad26651b8cd01cd3c5bb6eb97da26d88991351cf6b

SHA512
3382be368a3d4fc9cf3016dc2bcfc0eb6bf3345ba644441b2e1d8b4f37831216681b5c18e8692c3ea96f1b12df52255dffcc2ab85e5068609cc573b0ff98988c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E580.exe
MD5
a9bc4aeb94664b8938a00b5301225d7a

SHA1
9a0ecb70fc029faeb968de0e639537d6baf525e4

SHA256
94e99f4dbbf9739b71ee8dad26651b8cd01cd3c5bb6eb97da26d88991351cf6b

SHA512
3382be368a3d4fc9cf3016dc2bcfc0eb6bf3345ba644441b2e1d8b4f37831216681b5c18e8692c3ea96f1b12df52255dffcc2ab85e5068609cc573b0ff98988c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B
MD5
9c8b1ff7225c8a2a275da1429a4def68

SHA1
327b06f14e19ea05ea4098a876e791957ab5564e

SHA256
d8cae76147cc93bd2bbbd286e773e9bff830ed53982c13634ac2aea102d39e48

SHA512
64e7549f98674882724a190057bc2e34c77ff89b137ae33d98c26944507179d60d9d784e4240e4e89d1dfc5ddfe10a7c6b3c687551f6671caebb36c45b12e165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.vsd
MD5
b244d053acb999b59be3eba3e2d082d5

SHA1
0cf0b6dce77473217b49e6728d93433ccbcefe4e

SHA256
c9348064a4b8f7fdc331e7953153a6fa57b2d5763638a79116e0d3704c671f69

SHA512
f4f44e5fa2fe3b1d6999bde94a39c5acb430a1cac4549eb1f57218437e4252ea077ab5797fdd73ad7a8b0e162aa41b0a07cf82feb31821ab35d425e09365101b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Confronto.vsd
MD5
991bf94339253ad1a6c45684affb3814

SHA1
5055c39fd2ed129a2687bb334a79e9d7f3d76f83

SHA256
94e1685a4ea5fdca28260d8c7a187c8d2647955346afa08ef766ca090208081d

SHA512
2ca36a2601c2167ac6f7cf45ee2a8c60f299f880642009e3a580dacc1a3eb4ac1c6ae07817aeb02c54d947272dff17f53667c05983c6259652c708dc9697fbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Istante.vsd
MD5
9c8b1ff7225c8a2a275da1429a4def68

SHA1
327b06f14e19ea05ea4098a876e791957ab5564e

SHA256
d8cae76147cc93bd2bbbd286e773e9bff830ed53982c13634ac2aea102d39e48

SHA512
64e7549f98674882724a190057bc2e34c77ff89b137ae33d98c26944507179d60d9d784e4240e4e89d1dfc5ddfe10a7c6b3c687551f6671caebb36c45b12e165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritroverai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/676-120-0x0000000000000000-mapping.dmp

Download
memory/676-127-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/948-168-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/948-135-0x0000000000000000-mapping.dmp

Download
memory/948-156-0x00000000005E1000-0x0000000000647000-memory.dmp

Filesize
408KB

Download
memory/980-229-0x0000000000000000-mapping.dmp

Download
memory/1040-224-0x0000000000000000-mapping.dmp

Download
memory/1320-210-0x0000000000000000-mapping.dmp

Download
memory/1340-231-0x0000000000000000-mapping.dmp

Download
memory/1404-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-118-0x0000000000402F47-mapping.dmp

Download
memory/1624-214-0x0000000000000000-mapping.dmp

Download
memory/1636-215-0x0000000000000000-mapping.dmp

Download
memory/1700-191-0x0000000004EB0000-0x0000000004F3F000-memory.dmp

Filesize
572KB

Download
memory/1700-190-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1700-189-0x000000000351C000-0x000000000356B000-memory.dmp

Filesize
316KB

Download
memory/1700-203-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1700-183-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1700-159-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1700-172-0x0000000000456A80-mapping.dmp

Download
memory/2172-208-0x0000000000000000-mapping.dmp

Download
memory/2264-192-0x00000000007F8000-0x0000000000847000-memory.dmp

Filesize
316KB

Download
memory/2264-200-0x0000000000750000-0x00000000007DF000-memory.dmp

Filesize
572KB

Download
memory/2264-201-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2264-186-0x0000000000000000-mapping.dmp

Download
memory/2296-171-0x0000000071A80000-0x0000000071B00000-memory.dmp

Filesize
512KB

Download
memory/2296-164-0x0000000075AF0000-0x0000000075BE1000-memory.dmp

Filesize
964KB

Download
memory/2296-170-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2296-165-0x0000000000EE0000-0x0000000000F27000-memory.dmp

Filesize
284KB

Download
memory/2296-193-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/2296-178-0x0000000074F10000-0x0000000075494000-memory.dmp

Filesize
5.5MB

Download
memory/2296-153-0x0000000000000000-mapping.dmp

Download
memory/2296-158-0x0000000001120000-0x0000000001288000-memory.dmp

Filesize
1.4MB

Download
memory/2296-182-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2296-180-0x0000000076760000-0x0000000077AA8000-memory.dmp

Filesize
19.3MB

Download
memory/2296-166-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2296-185-0x000000006FD40000-0x000000006FD8B000-memory.dmp

Filesize
300KB

Download
memory/2296-161-0x0000000075530000-0x00000000756F2000-memory.dmp

Filesize
1.8MB

Download
memory/2296-160-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2420-152-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/2420-212-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/2420-163-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2420-179-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2420-181-0x000000006FD40000-0x000000006FD8B000-memory.dmp

Filesize
300KB

Download
memory/2420-167-0x0000000076760000-0x0000000077AA8000-memory.dmp

Filesize
19.3MB

Download
memory/2420-194-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2420-195-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/2420-196-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/2420-138-0x0000000000000000-mapping.dmp

Download
memory/2420-154-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2420-141-0x0000000000350000-0x00000000004C5000-memory.dmp

Filesize
1.5MB

Download
memory/2420-151-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2420-150-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2420-149-0x0000000071A80000-0x0000000071B00000-memory.dmp

Filesize
512KB

Download
memory/2420-204-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2420-147-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2420-146-0x0000000075AF0000-0x0000000075BE1000-memory.dmp

Filesize
964KB

Download
memory/2420-211-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/2420-162-0x0000000074F10000-0x0000000075494000-memory.dmp

Filesize
5.5MB

Download
memory/2420-145-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2420-144-0x0000000002610000-0x0000000002653000-memory.dmp

Filesize
268KB

Download
memory/2420-143-0x0000000075530000-0x00000000756F2000-memory.dmp

Filesize
1.8MB

Download
memory/2420-216-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/2420-142-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2528-221-0x0000000000000000-mapping.dmp

Download
memory/2544-133-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download
memory/2544-132-0x0000000002BE0000-0x0000000002D2A000-memory.dmp

Filesize
1.3MB

Download
memory/2544-131-0x0000000002BC0000-0x0000000002BC9000-memory.dmp

Filesize
36KB

Download
memory/2544-128-0x0000000000000000-mapping.dmp

Download
memory/2800-134-0x0000000002AF0000-0x0000000002B06000-memory.dmp

Filesize
88KB

Download
memory/2800-119-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/2860-125-0x0000000000402F47-mapping.dmp

Download
memory/2984-197-0x0000000000000000-mapping.dmp

Download
memory/3936-219-0x0000000000000000-mapping.dmp

Download
memory/4056-115-0x00000000006E9000-0x00000000006F2000-memory.dmp

Filesize
36KB

Download
memory/4056-116-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download