Analysis
-
max time kernel
4294182s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
13-03-2022 17:16
Static task
static1
Behavioral task
behavioral1
Sample
e86f1cd73f0be7895872a04dcdfb7766.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
e86f1cd73f0be7895872a04dcdfb7766.exe
Resource
win10v2004-en-20220113
General
-
Target
e86f1cd73f0be7895872a04dcdfb7766.exe
-
Size
518KB
-
MD5
e86f1cd73f0be7895872a04dcdfb7766
-
SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a
-
SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3
-
SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab
Malware Config
Extracted
raccoon
ccba3157b9f42051adf38fbb8f5d0aca7f2b7366
-
url4cnc
http://185.163.204.81/nui8xtgen
http://194.180.191.33/nui8xtgen
http://174.138.11.98/nui8xtgen
http://194.180.191.44/nui8xtgen
http://91.219.236.120/nui8xtgen
https://t.me/nui8xtgen
Signatures
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1924 856 WerFault.exe e86f1cd73f0be7895872a04dcdfb7766.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
e86f1cd73f0be7895872a04dcdfb7766.exedescription pid process target process PID 856 wrote to memory of 1924 856 e86f1cd73f0be7895872a04dcdfb7766.exe WerFault.exe PID 856 wrote to memory of 1924 856 e86f1cd73f0be7895872a04dcdfb7766.exe WerFault.exe PID 856 wrote to memory of 1924 856 e86f1cd73f0be7895872a04dcdfb7766.exe WerFault.exe PID 856 wrote to memory of 1924 856 e86f1cd73f0be7895872a04dcdfb7766.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e86f1cd73f0be7895872a04dcdfb7766.exe"C:\Users\Admin\AppData\Local\Temp\e86f1cd73f0be7895872a04dcdfb7766.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 4082⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/856-54-0x00000000005EE000-0x000000000063E000-memory.dmpFilesize
320KB
-
memory/856-56-0x00000000005EE000-0x000000000063E000-memory.dmpFilesize
320KB
-
memory/856-55-0x0000000075CA1000-0x0000000075CA3000-memory.dmpFilesize
8KB
-
memory/856-57-0x0000000000340000-0x00000000003D2000-memory.dmpFilesize
584KB
-
memory/856-58-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB