Analysis
max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211014
submitted: 07-12-2021 11:17
Static task: static1
Behavioral task: behavioral1
  Sample: c58ab85e86005430cf8b4eb02d203271.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: c58ab85e86005430cf8b4eb02d203271.exe
  Resource: win10-en-20211014
General
Target: c58ab85e86005430cf8b4eb02d203271.exe
Size: 422KB
MD5: c58ab85e86005430cf8b4eb02d203271
SHA1: 2a8c22a93cfaa5b52d70ccba5a86107dd7955673
SHA256: 5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0
SHA512: f6d0d607707b7b3b3b390053c16e60627f5f58329d060caa35513fe2af466a25124d3b89a3eb7d59cacecd1a86071788e9a6a1ccd9115a3f516c7327dab6f5ce
Malware Config
Extracted: raccoon 1.8.3-hotfix
a2337059abb40b184e621b38e62ace3e1a158d50
url4cnc:
http://94.158.245.137/papatikmikr03
http://91.219.236.27/papatikmikr03
http://94.158.245.167/papatikmikr03
http://185.163.204.216/papatikmikr03
http://185.225.19.238/papatikmikr03
http://185.163.204.218/papatikmikr03
https://t.me/papatikmikr03
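The url4cnc list is the part of this config a defender acts on first: six IP hosts and one Telegram channel all serve the same page name, and Raccoon 1.x fetches one of these pages to learn its real C2 address rather than carrying it in the binary. The script below is an added example, not part of the report or of any Raccoon tooling. It normalizes the entries into host, path and channel indicators and runs them over a handful of constructed proxy-log lines (timestamp, client, host, path, status; the log format and the client addresses are assumptions for the example).

```python
from urllib.parse import urlsplit

# url4cnc list copied from the extracted config above.
URL4CNC = [
    "http://94.158.245.137/papatikmikr03",
    "http://91.219.236.27/papatikmikr03",
    "http://94.158.245.167/papatikmikr03",
    "http://185.163.204.216/papatikmikr03",
    "http://185.225.19.238/papatikmikr03",
    "http://185.163.204.218/papatikmikr03",
    "https://t.me/papatikmikr03",
]


def normalize_url4cnc(urls):
    """Split the url4cnc entries into hosts, paths and Telegram channel names.

    Hosts are the strong indicator (alert or block on any contact).  The path
    is a weaker one: the list above has six hosts serving a single page name,
    so a request for that page name to a host NOT on the list suggests a
    rotated C2 host and deserves a look rather than an automatic block.
    """
    hosts, paths, channels = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname.lower()
        hosts.add(host)
        paths.add(parts.path)
        if host == "t.me":
            channels.add(parts.path.strip("/"))
    return hosts, paths, channels


def scan_proxy_log(lines, hosts, paths):
    """Match proxy-log lines '<timestamp> <client> <host> <path> <status>'
    against the indicators; returns (client, host, path, reason) tuples."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line, skip it
        _ts, client, host, path, _status = fields[:5]
        host = host.lower()
        if host in hosts:
            hits.append((client, host, path, "url4cnc host"))
        elif path in paths:
            hits.append((client, host, path, "url4cnc path on unlisted host"))
    return hits


# Constructed sample log lines (not from the report) exercising each case:
# a listed IP, the Telegram channel, benign traffic, a rotated host, junk.
SAMPLE_LOG = [
    "2021-12-07T11:18:01Z 10.0.0.21 94.158.245.137 /papatikmikr03 200",
    "2021-12-07T11:18:02Z 10.0.0.21 t.me /papatikmikr03 200",
    "2021-12-07T11:18:03Z 10.0.0.22 www.example.com /index.html 200",
    "2021-12-07T11:18:04Z 10.0.0.23 203.0.113.5 /papatikmikr03 200",
    "garbage line",
]

if __name__ == "__main__":
    hosts, paths, channels = normalize_url4cnc(URL4CNC)
    print("hosts:", sorted(hosts))
    print("telegram channels:", sorted(channels))
    for hit in scan_proxy_log(SAMPLE_LOG, hosts, paths):
        print("ALERT", hit)
```

The host set is what goes into a blocklist; the path-only match is deliberately reported with a different reason so it can be routed to triage instead of enforcement.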
Signatures
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
  pid 3272: 3010678223.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  the https://t.me/papatikmikr03 entry in the url4cnc list above
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: the extracted config identifies the sample as Raccoon, an information stealer, for which drive enumeration is part of file and credential harvesting rather than encryption.
Suspicious use of WriteProcessMemory (6 IoCs)
  pid   process                                 target process
  1548  c58ab85e86005430cf8b4eb02d203271.exe    cmd.exe (pid 3956), 3 events
  3956  cmd.exe                                 3010678223.exe (pid 3272), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\c58ab85e86005430cf8b4eb02d203271.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c58ab85e86005430cf8b4eb02d203271.exe"
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3010678223.exe"
      Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\3010678223.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\3010678223.exe"
         Executes dropped EXE
The image path of the second process is SysWOW64\cmd.exe although its command line names System32\cmd.exe: the sample is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64 for it. Detection logic keyed on the image path alone will not see "System32" here.
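The chain above (a %TEMP% executable using cmd.exe "start" to launch a second %TEMP% executable it just wrote) is a common dropper pattern and is easy to match on process-creation telemetry. The script below is an added example, not part of the report: it rebuilds the tree from Sysmon-style events and flags the pattern. The events are constructed from the pids and command lines in the tree above, with an explorer.exe parent (pid 4000) and a benign cmd.exe/start launch of an installed program added as noise; those extra pids and paths are assumptions.

```python
import re

# Constructed process-creation events modelled on the process tree above.
# pids 1548/3956/3272 and their command lines come from the report; the
# explorer.exe parent and the "app.exe" launch are invented benign noise.
EVENTS = [
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1548, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\c58ab85e86005430cf8b4eb02d203271.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\c58ab85e86005430cf8b4eb02d203271.exe"'},
    {"pid": 3956, "ppid": 1548, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3010678223.exe"'},
    {"pid": 3272, "ppid": 3956,
     "image": r"C:\Users\Admin\AppData\Local\Temp\3010678223.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\3010678223.exe"'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\App\app.exe"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Program Files\App\app.exe",
     "cmdline": r'"C:\Program Files\App\app.exe"'},
]

# An executable in the user's temp directory: ...\AppData\Local\Temp\<name>.exe
TEMP_EXE = re.compile(r'\\AppData\\Local\\Temp\\[^\\"]+\.exe$', re.IGNORECASE)
# cmd.exe "start" followed (after optional switches and the "" title) by a quoted .exe
START_TARGET = re.compile(r'\bstart\b.*?"([^"]+\.exe)"', re.IGNORECASE)


def under_wow64(event):
    """True when the image resolved to SysWOW64 while the command line named
    System32: the parent is a 32-bit process and WoW64 file-system
    redirection applied, exactly as for pid 3956 in the tree above."""
    return ("\\syswow64\\" in event["image"].lower()
            and "\\system32\\" in event["cmdline"].lower())


def find_dropper_chains(events):
    """Return (dropper_pid, cmd_pid, payload_pid) for every chain
    temp-dir EXE -> cmd.exe /c start -> another temp-dir EXE.
    payload_pid is None if cmd.exe ran but the target never started."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not TEMP_EXE.search(parent["image"]):
            continue  # cmd.exe launched by something outside %TEMP%
        m = START_TARGET.search(e["cmdline"])
        if m is None or not TEMP_EXE.search(m.group(1)):
            continue  # no "start <temp exe>" in the command line
        target = m.group(1).lower()
        children = [c for c in events
                    if c["ppid"] == e["pid"] and c["image"].lower() == target]
        chains.append((parent["pid"], e["pid"],
                       children[0]["pid"] if children else None))
    return chains


def render_tree(events, root_ppid=1):
    """Indented '<pid> <image>' lines, children under parents, pids ascending."""
    by_ppid = {}
    for e in events:
        by_ppid.setdefault(e["ppid"], []).append(e)
    lines = []

    def walk(ppid, depth):
        for e in sorted(by_ppid.get(ppid, []), key=lambda x: x["pid"]):
            lines.append("  " * depth + f'{e["pid"]} {e["image"]}')
            walk(e["pid"], depth + 1)

    walk(root_ppid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for dropper, cmd, payload in find_dropper_chains(EVENTS):
        print(f"dropper chain: {dropper} -> cmd.exe {cmd} -> payload {payload}")
    print("cmd.exe under WoW64:", [e["pid"] for e in EVENTS if under_wow64(e)])
```

The benign explorer.exe -> cmd.exe -> app.exe launch is not reported because the parent is not a temp-directory executable; the rule keys on where the parent and the start target live, not on cmd.exe itself.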
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3010678223.exe
MD5: 8dd39ca099bb5850e99ac9dd1c0a8679
SHA1: c12ce82e5ddea4f5299b5f0de925c7e7e09faa88
SHA256: 245df6eba42f4085247e9155c66b3e607f724f648da9ec5a673a75a500318e34
SHA512: 44b5703d00fc84ab2b25f3b58fed233033851c1eb4e642e5fd6e861e68a3122197ed64c3eed6b6c54810f3e2d5f954e83f4c86d509bc97cad98b35ed11235401
Memory dumps (pid-index-range; size is the dumped region's filesize)
memory/1548-115-0x0000000000831000-0x000000000085B000-memory.dmp  168KB
memory/1548-116-0x00000000005C0000-0x000000000060A000-memory.dmp  296KB
memory/1548-117-0x0000000000400000-0x00000000004EA000-memory.dmp  936KB
memory/3272-119-0x0000000000000000-mapping.dmp
memory/3272-122-0x0000000000769000-0x00000000007B8000-memory.dmp  316KB
memory/3272-124-0x0000000000400000-0x0000000000491000-memory.dmp  580KB
memory/3272-123-0x00000000020F0000-0x000000000217F000-memory.dmp  572KB
memory/3956-118-0x0000000000000000-mapping.dmp
The sizes are consistent with the address ranges (for example 0x85B000 - 0x831000 = 0x2A000 bytes = 168KB). Both the sample (pid 1548) and the dropped 3010678223.exe (pid 3272) have a region dumped from 0x400000, the conventional 32-bit image base; those two dumps are the in-memory images and the natural starting point for static analysis. The 0x0-mapping.dmp entries for pids 3272 and 3956 are mapping records, not memory contents.