Overview

overview

10

Static

static

3

24.exe

windows7_x64

7

24.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4265102s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15-01-2022 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24.exe

  • Size

    7.0MB

  • MD5

    ae6510d9815c44a818f722ecae6844b8

  • SHA1

    2a34b5110f5c3c2424ae9685f57261e2546bd963

  • SHA256

    c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656

  • SHA512

    8caa9e661403d5d86f69e7c35e45cdf927ef9ec0c6045ed2ca5af2eaaf26b4f99291eadaf2f0c8c00a31b05b228c6df0c4bd205a7b3ec70e263313a08ffef4f8

Score
10/10
loaderbotraccoonloaderminerpersistencestealer

Malware Config

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • LoaderBot executable 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24.exe
    "C:\Users\Admin\AppData\Local\Temp\24.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\24.exe
      "C:\Users\Admin\AppData\Local\Temp\24.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\111.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Users\Admin\AppData\Local\Temp\111.exe
          C:\Users\Admin\AppData\Local\Temp\111.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3512
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 908
            5⤵
            • Program crash
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1504
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Users\Admin\AppData\Local\Temp\2.exe
          C:\Users\Admin\AppData\Local\Temp\2.exe
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:372
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:868
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 868 -s 756
              6⤵
              • Program crash
              PID:1316
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3512 -ip 3512
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:868
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1244
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 420 -p 868 -ip 868
    1⤵
      PID:1920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/372-180-0x00000000001D0000-0x0000000000616000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/372-181-0x00000000001D0000-0x0000000000616000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/372-185-0x0000000003270000-0x0000000003271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/372-172-0x00000000001D0000-0x0000000000616000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/372-171-0x00000000001D0000-0x0000000000616000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/372-184-0x0000000005580000-0x00000000055E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/372-183-0x00000000764F0000-0x0000000076AA3000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/372-174-0x0000000002750000-0x0000000002751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/372-182-0x0000000072AB0000-0x0000000072B39000-memory.dmp

      Filesize

      548KB

      Download

    • memory/372-177-0x0000000002780000-0x00000000027C5000-memory.dmp

      Filesize

      276KB

      Download

    • memory/372-179-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/868-189-0x00000000001D0000-0x00000000001E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1776-193-0x00000000004F0000-0x0000000000510000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3512-176-0x0000000002A20000-0x0000000002A69000-memory.dmp

      Filesize

      292KB

      Download

    • memory/3512-175-0x0000000000FF0000-0x00000000010B4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/3512-173-0x0000000000FF0000-0x00000000010B4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/3512-170-0x0000000000FF0000-0x00000000010B4000-memory.dmp

      Filesize

      784KB

      Download

    • memory/3512-178-0x0000000000C50000-0x0000000000C52000-memory.dmp

      Filesize

      8KB

      Download