Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 15:27
Static task
static1
Behavioral task
behavioral1
Sample
a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe
Resource
win10v2004-20220414-en
General
-
Target
a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe
-
Size
720KB
-
MD5
46fe30d98adbf89c395574c7db5f798e
-
SHA1
91bb342409f7e90992945b80c48189a5a1c0a162
-
SHA256
a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417
-
SHA512
de61df6961728ffa138727ee2301083d2a4511fd96f0d425e3e9891d962af1923a6efd1fec153ec93388fadd7f547d8279436f6a935252760b419bfa4431e955
Malware Config
Extracted
raccoon
e5c7c06415dbd337f69c6c4ad51ec91ed9c82ab2
-
url4cnc
https://telete.in/bgangster1
Signatures
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Processes:
resource yara_rule behavioral1/memory/1180-56-0x0000000001D70000-0x0000000001D78000-memory.dmp coreentity -
Raccoon Stealer Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1920-63-0x0000000000400000-0x0000000000490000-memory.dmp family_raccoon behavioral1/memory/1920-65-0x0000000000400000-0x0000000000490000-memory.dmp family_raccoon behavioral1/memory/1920-67-0x0000000000400000-0x0000000000490000-memory.dmp family_raccoon behavioral1/memory/1920-68-0x000000000043F5F5-mapping.dmp family_raccoon behavioral1/memory/1920-71-0x0000000000400000-0x0000000000490000-memory.dmp family_raccoon behavioral1/memory/1920-72-0x0000000000400000-0x0000000000490000-memory.dmp family_raccoon -
CoreCCC Packer 1 IoCs
Detects CoreCCC packer used to load .NET malware.
Processes:
resource yara_rule behavioral1/memory/1180-54-0x0000000000270000-0x000000000032A000-memory.dmp coreccc -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/1180-57-0x0000000005B50000-0x0000000005BEA000-memory.dmp rezer0 -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exedescription pid process target process PID 1180 set thread context of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exedescription pid process target process PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe PID 1180 wrote to memory of 1920 1180 a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe"C:\Users\Admin\AppData\Local\Temp\a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a8bd61f636a4840af87c9733790271bcc120a43cd216da3f2e901bf5a9867417.exe"{path}"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1180-54-0x0000000000270000-0x000000000032A000-memory.dmpFilesize
744KB
-
memory/1180-55-0x0000000076C81000-0x0000000076C83000-memory.dmpFilesize
8KB
-
memory/1180-56-0x0000000001D70000-0x0000000001D78000-memory.dmpFilesize
32KB
-
memory/1180-57-0x0000000005B50000-0x0000000005BEA000-memory.dmpFilesize
616KB
-
memory/1920-58-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-59-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-61-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-63-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-65-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-67-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-68-0x000000000043F5F5-mapping.dmp
-
memory/1920-71-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1920-72-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB