Analysis
- max time kernel: 159s
- max time network: 174s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 21-06-2022 03:18
Static task: static1
Behavioral task: behavioral1
- Sample: 20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
- Resource: win10-20220414-en
General
- Target: 20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
- Size: 300KB
- MD5: 5a7d42ef154a45a749d3ab174323f303
- SHA1: 51bbb8e59761636e26c985f230d22d8282917594
- SHA256: 20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161
- SHA512: 7a6c2fb849cf6886f6a93f57e00db0159cbe1a9f8a592ce928b8e6cb25c5415b63ec8d55c54da8c32363447587f50721b8fccceaa6c3d91c37c400d72f25b4c7
Malware Config
Extracted (recordbreaker):
- C2: http://51.195.166.201/
Signatures
- Raccoon ver2 (2 IoCs)
  Raccoon ver2.
  Processes (resource / yara_rule):
  behavioral2/memory/4292-169-0x0000000004790000-0x00000000047A2000-memory.dmp  raccoon_v2
  behavioral2/memory/4292-172-0x0000000004790000-0x00000000047A2000-memory.dmp  raccoon_v2
- RecordBreaker
  RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / Process / procid_target):
  PID 2280 set thread context of 4292  2280  20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe  67
- Program crash (1 IoC)
  Processes (pid / pid_target / Process / procid_target):
  4520  4292  WerFault.exe  67
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / Process):
  Token: SeDebugPrivilege  2280  20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / Process / procid_target):
  PID 2280 wrote to memory of 4292  2280  20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe  67  (recorded 9 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe"
   PID: 2280
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 4292
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 192
         PID: 4520
         - Program crash