Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
10-06-2022 20:24
General
-
Target
056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa.exe
-
Size
4.5MB
-
MD5
8b816302b43bc9e9b6ac2c694459a420
-
SHA1
d52fc1485c86843bd3e4166ebc1ef4f9a1732579
-
SHA256
056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa
-
SHA512
a7e429e911af551af026f3a18d5845d1d032d5dbd39af17fec94917368c971682742791adff212c3d36e52d0c682a87a5c5262fc2019690e5f07b259738bac5c
Malware Config
Extracted
raccoon
2e76ef3db69c0aaf1af8319ea2bd6e91
http://185.106.94.148/
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
-
suricata: ET MALWARE Possible Drive DDoS Check-in
suricata: ET MALWARE Possible Drive DDoS Check-in
-
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
VMProtect packed file 8 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa.exe"C:\Users\Admin\AppData\Local\Temp\056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3604.exeC:\Users\Admin\AppData\Local\Temp\3604.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\3B06.exeC:\Users\Admin\AppData\Local\Temp\3B06.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\dj.exeC:\Windows\dj.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5ad4bc9bb3745fda3691939c1e8cd6e1d
SHA1d611d64128700f832b9d2fb3f82c13fd14284d68
SHA256a2aa3a54764571120a806a122f914b0653ff281942dc640213b2068be1d912be
SHA512abf9b9822583bfb65cb9c00a500afd5848a21b3b08d94010fcf7f688d2ace9a2fc5065446e2d9c54276d39e63b61887085063bda28a2e3d359efba09c09b547d
-
Filesize
4.5MB
MD5ad4bc9bb3745fda3691939c1e8cd6e1d
SHA1d611d64128700f832b9d2fb3f82c13fd14284d68
SHA256a2aa3a54764571120a806a122f914b0653ff281942dc640213b2068be1d912be
SHA512abf9b9822583bfb65cb9c00a500afd5848a21b3b08d94010fcf7f688d2ace9a2fc5065446e2d9c54276d39e63b61887085063bda28a2e3d359efba09c09b547d
-
Filesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
Filesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
Filesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
Filesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
7.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
7.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
7.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
7.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
20KB
-
-
Filesize
20KB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
10.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
10.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
28KB
-
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
32KB
-
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
24KB
-
-
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-