Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
10-06-2022 20:24
General
-
Target
056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa.exe
-
Size
4.5MB
-
MD5
8b816302b43bc9e9b6ac2c694459a420
-
SHA1
d52fc1485c86843bd3e4166ebc1ef4f9a1732579
-
SHA256
056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa
-
SHA512
a7e429e911af551af026f3a18d5845d1d032d5dbd39af17fec94917368c971682742791adff212c3d36e52d0c682a87a5c5262fc2019690e5f07b259738bac5c
Malware Config
Extracted
raccoon
2e76ef3db69c0aaf1af8319ea2bd6e91
http://185.106.94.148/
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
-
suricata: ET MALWARE Possible Drive DDoS Check-in
suricata: ET MALWARE Possible Drive DDoS Check-in
-
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
VMProtect packed file 8 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa.exe"C:\Users\Admin\AppData\Local\Temp\056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3604.exeC:\Users\Admin\AppData\Local\Temp\3604.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\3B06.exeC:\Users\Admin\AppData\Local\Temp\3B06.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\dj.exeC:\Windows\dj.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3604.exeFilesize
4.5MB
MD5ad4bc9bb3745fda3691939c1e8cd6e1d
SHA1d611d64128700f832b9d2fb3f82c13fd14284d68
SHA256a2aa3a54764571120a806a122f914b0653ff281942dc640213b2068be1d912be
SHA512abf9b9822583bfb65cb9c00a500afd5848a21b3b08d94010fcf7f688d2ace9a2fc5065446e2d9c54276d39e63b61887085063bda28a2e3d359efba09c09b547d
-
C:\Users\Admin\AppData\Local\Temp\3604.exeFilesize
4.5MB
MD5ad4bc9bb3745fda3691939c1e8cd6e1d
SHA1d611d64128700f832b9d2fb3f82c13fd14284d68
SHA256a2aa3a54764571120a806a122f914b0653ff281942dc640213b2068be1d912be
SHA512abf9b9822583bfb65cb9c00a500afd5848a21b3b08d94010fcf7f688d2ace9a2fc5065446e2d9c54276d39e63b61887085063bda28a2e3d359efba09c09b547d
-
C:\Users\Admin\AppData\Local\Temp\3B06.exeFilesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
C:\Users\Admin\AppData\Local\Temp\3B06.exeFilesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
C:\Windows\dj.exeFilesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
C:\Windows\dj.exeFilesize
37KB
MD59ab28e7a07bcd4daadb205512c448885
SHA154b27af95a7e537b697ecd5c84d5667aead078fd
SHA256943dae729918b001cb1905ec16c8a541a549e748bf5be02269bbb64205eac570
SHA51266cec35989a09727151879efb60282418f48338ff50494e1858236ffafd4e0f27c23dde5fecb5590ac903954d66ff2a497b229cf45b9c60d8f73bd499c093f35
-
memory/424-144-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-119-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-124-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-125-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-126-0x0000000000400000-0x0000000000B6D000-memory.dmpFilesize
7.4MB
-
memory/424-128-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-127-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-129-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-130-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-131-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-132-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-133-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-134-0x0000000000400000-0x0000000000B6D000-memory.dmpFilesize
7.4MB
-
memory/424-135-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-136-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-137-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-139-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-138-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-140-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-141-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-142-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-143-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-117-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-145-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-147-0x0000000000400000-0x0000000000B6D000-memory.dmpFilesize
7.4MB
-
memory/424-148-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-146-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-149-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-116-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-151-0x0000000000400000-0x0000000000B6D000-memory.dmpFilesize
7.4MB
-
memory/424-150-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-118-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-122-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-123-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-120-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/424-121-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/584-644-0x0000000000370000-0x000000000037B000-memory.dmpFilesize
44KB
-
memory/584-663-0x0000000000380000-0x0000000000386000-memory.dmpFilesize
24KB
-
memory/584-641-0x0000000000380000-0x0000000000386000-memory.dmpFilesize
24KB
-
memory/584-414-0x0000000000000000-mapping.dmp
-
memory/1244-182-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-179-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-185-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-183-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-187-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-180-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-181-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1244-177-0x0000000000000000-mapping.dmp
-
memory/1244-189-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1764-640-0x0000000000550000-0x0000000000559000-memory.dmpFilesize
36KB
-
memory/1764-662-0x0000000000560000-0x0000000000565000-memory.dmpFilesize
20KB
-
memory/1764-369-0x0000000000000000-mapping.dmp
-
memory/1764-638-0x0000000000560000-0x0000000000565000-memory.dmpFilesize
20KB
-
memory/1852-171-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-152-0x0000000000000000-mapping.dmp
-
memory/1852-175-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-176-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-174-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-173-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-172-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-170-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-168-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-167-0x0000000001230000-0x0000000001C80000-memory.dmpFilesize
10.3MB
-
memory/1852-166-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-169-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-546-0x0000000001230000-0x0000000001C80000-memory.dmpFilesize
10.3MB
-
memory/1852-162-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-165-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-156-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-157-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-154-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-155-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-159-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-164-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-158-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-163-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/1852-161-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/2288-408-0x0000000000BE0000-0x0000000000BEB000-memory.dmpFilesize
44KB
-
memory/2288-402-0x0000000000BF0000-0x0000000000BF7000-memory.dmpFilesize
28KB
-
memory/2288-658-0x0000000000BF0000-0x0000000000BF7000-memory.dmpFilesize
28KB
-
memory/2288-184-0x0000000000000000-mapping.dmp
-
memory/2288-190-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/2288-186-0x00000000770F0000-0x000000007727E000-memory.dmpFilesize
1.6MB
-
memory/2320-660-0x0000000001240000-0x0000000001247000-memory.dmpFilesize
28KB
-
memory/2320-459-0x0000000000000000-mapping.dmp
-
memory/2320-493-0x0000000001230000-0x000000000123D000-memory.dmpFilesize
52KB
-
memory/2756-657-0x00000000007F0000-0x00000000007FB000-memory.dmpFilesize
44KB
-
memory/2756-656-0x0000000000A00000-0x0000000000A08000-memory.dmpFilesize
32KB
-
memory/2756-505-0x0000000000000000-mapping.dmp
-
memory/2756-664-0x0000000000A00000-0x0000000000A08000-memory.dmpFilesize
32KB
-
memory/3232-313-0x0000000000100000-0x000000000010C000-memory.dmpFilesize
48KB
-
memory/3232-308-0x0000000000110000-0x0000000000116000-memory.dmpFilesize
24KB
-
memory/3232-279-0x0000000000000000-mapping.dmp
-
memory/3552-241-0x0000000000000000-mapping.dmp
-
memory/3552-498-0x00000000034B0000-0x00000000034B5000-memory.dmpFilesize
20KB
-
memory/3552-543-0x00000000034A0000-0x00000000034A9000-memory.dmpFilesize
36KB
-
memory/3552-659-0x00000000034B0000-0x00000000034B5000-memory.dmpFilesize
20KB
-
memory/3656-323-0x0000000000000000-mapping.dmp
-
memory/3656-589-0x0000000000430000-0x0000000000452000-memory.dmpFilesize
136KB
-
memory/3656-594-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/3656-661-0x0000000000430000-0x0000000000452000-memory.dmpFilesize
136KB
-
memory/3936-655-0x00000000009D0000-0x00000000009D9000-memory.dmpFilesize
36KB
-
memory/3936-231-0x00000000009C0000-0x00000000009CF000-memory.dmpFilesize
60KB
-
memory/3936-227-0x00000000009D0000-0x00000000009D9000-memory.dmpFilesize
36KB
-
memory/3936-209-0x0000000000000000-mapping.dmp