Overview

overview

10

Static

static

URLScan

urlscan

1

https://cdn.discorda...

windows7_x64

10

https://cdn.discorda...

windows10-2004_x64

1

Analysis

  • max time kernel
    409s
  • max time network
    437s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-05-2022 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/939583004387471483/952319283906617374/GIFT_VOUCHER.zip

Score
10/10
raccoon7994c54742ba2370446cc758f5e797d4fefc8347stealer

Malware Config

Extracted

Family

raccoon

Botnet

7994c54742ba2370446cc758f5e797d4fefc8347

Attributes
  • url4cnc

    http://85.159.212.113/darnerd00m

    http://185.163.204.81/darnerd00m

    http://194.180.191.33/darnerd00m

    http://174.138.11.98/darnerd00m

    http://194.180.191.44/darnerd00m

    http://91.219.236.120/darnerd00m

    https://t.me/darnerd00m

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/939583004387471483/952319283906617374/GIFT_VOUCHER.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2016
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1a8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1980
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\GIFT_VOUCHER\" -spe -an -ai#7zMap25581:86:7zEvent25050
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2012
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    "C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr" /S
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
      C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
      2⤵
      • Executes dropped EXE
      PID:476
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    "C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr" /S
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
      C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
      2⤵
      • Executes dropped EXE
      PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    58785b917f8c67a1c77cfcbcc0a9071a

    SHA1

    8d83339ba433bdd5cbf24e738519d9e1fcc9fc2a

    SHA256

    e2c1bb2d2dc46710ab57ec40ad342445a5185149d1d2f793e741c6e6b6dfd5a8

    SHA512

    7d7c42fa56f0e443f570a3ea158d1556a03da0c90e9ae3fc74e05793f15f2921b366f4564bde85b831a961f625a35bf58c52f45022db46bc0d1e8f9310910f3c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZOML4N00.txt
    Filesize

    602B

    MD5

    59eb00064364f6879ed376fed1a2abd9

    SHA1

    241c90f8d21c43cbbf76e01ad4a7df4f1186a287

    SHA256

    7172a3467442a5480499e254cc693df11b1d5502c31001c12acb9faa37da03bc

    SHA512

    c38689d2b54a0b783a5fc908bc227618e7ba6ec69e2d68f2b6f756e64439aab8b6cea1d449f4f7287294935b21633cad1e06b175f64bb92767bfc761a0f91ee7

    Download Submit
  • C:\Users\Admin\Downloads\GIFT_VOUCHER.zip.y1kpqfz.partial
    Filesize

    1.8MB

    MD5

    9101462b86e488032f9cc335337dd817

    SHA1

    6a69416c11d5b979c21391b09cee5da559ce7a2d

    SHA256

    cf7f7f7faa54a5cffd2e688f06e9eb4767e3a5b06aba5b3a68391bede91a1c2a

    SHA512

    0623679e641693ad92555d6ca103614ac706826795eb1585007236e7baf675084432eb160b288504fc8a2ec0e38bb0aedca003836af9fcf689a37d7465d0b929

    Download Submit
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    Filesize

    3.0MB

    MD5

    ddcbde41f3a93c2bad710d35ed701b78

    SHA1

    75d02a20ea0c6bc59294d11046ee0e85a9f20c5f

    SHA256

    65b7e35c4ca55c51e8d9c863c39d535858b3056dcf43014f3abbf2658e1b078b

    SHA512

    54137c59bc30462ca346feba194a957dd2c7845c52f986ddc5437be5a70916c36ca0d89df3f65c8ceb933ff792b27c5860ff697682199bceb08bc93c44ce61a3

    Download Submit
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    Filesize

    3.0MB

    MD5

    ddcbde41f3a93c2bad710d35ed701b78

    SHA1

    75d02a20ea0c6bc59294d11046ee0e85a9f20c5f

    SHA256

    65b7e35c4ca55c51e8d9c863c39d535858b3056dcf43014f3abbf2658e1b078b

    SHA512

    54137c59bc30462ca346feba194a957dd2c7845c52f986ddc5437be5a70916c36ca0d89df3f65c8ceb933ff792b27c5860ff697682199bceb08bc93c44ce61a3

    Download Submit
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    Filesize

    3.0MB

    MD5

    ddcbde41f3a93c2bad710d35ed701b78

    SHA1

    75d02a20ea0c6bc59294d11046ee0e85a9f20c5f

    SHA256

    65b7e35c4ca55c51e8d9c863c39d535858b3056dcf43014f3abbf2658e1b078b

    SHA512

    54137c59bc30462ca346feba194a957dd2c7845c52f986ddc5437be5a70916c36ca0d89df3f65c8ceb933ff792b27c5860ff697682199bceb08bc93c44ce61a3

    Download Submit
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    Filesize

    3.0MB

    MD5

    ddcbde41f3a93c2bad710d35ed701b78

    SHA1

    75d02a20ea0c6bc59294d11046ee0e85a9f20c5f

    SHA256

    65b7e35c4ca55c51e8d9c863c39d535858b3056dcf43014f3abbf2658e1b078b

    SHA512

    54137c59bc30462ca346feba194a957dd2c7845c52f986ddc5437be5a70916c36ca0d89df3f65c8ceb933ff792b27c5860ff697682199bceb08bc93c44ce61a3

    Download Submit
  • C:\Users\Admin\Downloads\GIFT_VOUCHER\gift_voucher_100$.pdf.scr
    Filesize

    3.0MB

    MD5

    ddcbde41f3a93c2bad710d35ed701b78

    SHA1

    75d02a20ea0c6bc59294d11046ee0e85a9f20c5f

    SHA256

    65b7e35c4ca55c51e8d9c863c39d535858b3056dcf43014f3abbf2658e1b078b

    SHA512

    54137c59bc30462ca346feba194a957dd2c7845c52f986ddc5437be5a70916c36ca0d89df3f65c8ceb933ff792b27c5860ff697682199bceb08bc93c44ce61a3

    Download Submit
  • memory/476-74-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-80-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-66-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-65-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-68-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-70-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-72-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/476-75-0x0000000000440D8F-mapping.dmp
    Download
  • memory/476-79-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/588-82-0x00000000009C0000-0x0000000000A00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1592-99-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1592-94-0x0000000000440D8F-mapping.dmp
    Download
  • memory/1888-62-0x00000000059A0000-0x0000000005A4C000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1888-60-0x00000000009C0000-0x0000000000A00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1888-61-0x0000000074E91000-0x0000000074E93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1888-63-0x0000000005390000-0x0000000005406000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1888-64-0x0000000000B90000-0x0000000000BDC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2012-57-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp
    Filesize

    8KB

    Download