Analysis
-
max time kernel
4294228s -
max time network
201s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
24-03-2022 06:59
General
-
Target
68bcaf3ea13f3f7f1ad492ab7f4321a402320fb51b5d43ab5bb8bdc45a3bcbf2.exe
-
Size
6.1MB
-
MD5
98ddca23b8741bb9e1e3506a037415e7
-
SHA1
e15026506c80137bda2780244544d170d7e019cc
-
SHA256
68bcaf3ea13f3f7f1ad492ab7f4321a402320fb51b5d43ab5bb8bdc45a3bcbf2
-
SHA512
c5943338e338aefec30ad62abf7fe23b6ff9dcca479a38c12a04bbe55c3f330d81b3317f165fe8430ffad84e9a57e3252a2a175b2779e043522ec98110065697
Malware Config
Extracted
raccoon
1.7.1-hotfix
5eaa41b3101d5537f786a35da1878f0d1d760e53
-
url4cnc
https://telete.in/jbitchsucks
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\68bcaf3ea13f3f7f1ad492ab7f4321a402320fb51b5d43ab5bb8bdc45a3bcbf2.exe"C:\Users\Admin\AppData\Local\Temp\68bcaf3ea13f3f7f1ad492ab7f4321a402320fb51b5d43ab5bb8bdc45a3bcbf2.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\68bcaf3ea13f3f7f1ad492ab7f4321a402320fb51b5d43ab5bb8bdc45a3bcbf2.exe"C:\Users\Admin\AppData\Local\Temp\68bcaf3ea13f3f7f1ad492ab7f4321a402320fb51b5d43ab5bb8bdc45a3bcbf2.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\b6f96cbd-28d1-43bc-88f5-383eb90a6caf\e.dllMD5
14ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
memory/1176-66-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-72-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/1176-81-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-77-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-74-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-63-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-73-0x000000000043FBCC-mapping.dmp
-
memory/1176-68-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-64-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1176-70-0x0000000000760000-0x00000000007F3000-memory.dmpFilesize
588KB
-
memory/1952-54-0x0000000074FF1000-0x0000000074FF3000-memory.dmpFilesize
8KB
-
memory/1952-58-0x0000000000110000-0x0000000000758000-memory.dmpFilesize
6.3MB
-
memory/1952-62-0x0000000000CF0000-0x0000000000CFC000-memory.dmpFilesize
48KB
-
memory/1952-57-0x0000000000110000-0x0000000000758000-memory.dmpFilesize
6.3MB
-
memory/1952-59-0x00000000008F0000-0x0000000000916000-memory.dmpFilesize
152KB