Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-07-2022 02:45
General
-
Target
d8392e4d42d9a1c91e08ba2ed4bdd3cc.exe
-
Size
321KB
-
MD5
d8392e4d42d9a1c91e08ba2ed4bdd3cc
-
SHA1
49db632eccf7593fb97f86457ee80876f9c0c89c
-
SHA256
7491a8a4866c578d50f6c0ae8addf97f40ecdf643d2c303b674dfe0dc36ebc13
-
SHA512
4bec5a61aeec62b41aff6ddce7e2b20dc48c28373d152d9844cc81a1621cfc44922b999b5c3e405e0cc49a5729f7a91a2bfa9a6f8c84a8b9d45d87d6dd72602a
Malware Config
Extracted
raccoon
a8c486c1f260c54743b98aa52cbafd02
http://162.33.179.100/
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer payload 3 IoCs
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8392e4d42d9a1c91e08ba2ed4bdd3cc.exe"C:\Users\Admin\AppData\Local\Temp\d8392e4d42d9a1c91e08ba2ed4bdd3cc.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\755F.exeC:\Users\Admin\AppData\Local\Temp\755F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\99D0.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\99D0.dll2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\5486.exeC:\Users\Admin\AppData\Local\Temp\5486.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\6233.exeC:\Users\Admin\AppData\Local\Temp\6233.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\00000029..exe"C:\Users\Admin\AppData\Roaming\00000029..exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\00004823..exe"C:\Users\Admin\AppData\Roaming\00004823..exe"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\6233.exe" >> NUL2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 3604⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\75EB.exeC:\Users\Admin\AppData\Local\Temp\75EB.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 3602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2444 -ip 24441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 38961⤵
-
C:\Users\Admin\AppData\Local\Temp\8618.exeC:\Users\Admin\AppData\Local\Temp\8618.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\8618.exe" >> NUL2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 3564⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 312 -ip 3121⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 8802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2160 -ip 21601⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
Filesize
503B
MD5ac8718de52aa8fa58d3e2daa305cff99
SHA1574703bb5a2a4474ccedad4af4d17cd5cc29b57e
SHA25687ff5f688a817ada651553c2a13897966c8b44122c7bb5fa2b678c817683574d
SHA512f95343c32b457e33a934f736496086d258a54bf93c30a14b86958944f75d8311202b923c45bf4831aba6d0ea746080d8e7d3bdb0d99069d410c1c36e195c6857
-
Filesize
192B
MD5d50b9fe971ce042ec69238e475b5defb
SHA1a5182c9f4668e6364fae05a4349471a35992e356
SHA2563919f871e1076024a6fed3bd7493ecee8b7587a73ec49ac94851118f86fc6d81
SHA512bf8ff252fce6e9c84540b589805335edb3d7184bdabcccb352eefa3dc2e4da028d67d2484d9349dc4ad7289c13bb50cc55bd1c2fc69b291da05ec1cea3bc8ad4
-
Filesize
552B
MD506133253fd608fbf07e84b29fa495d09
SHA16bfc81ccfdb29903826a374a996456019aa226a5
SHA256838f102ba05602cdefc2bb627536da04735b0e0899d312cc364b25ac2913d9f1
SHA512ae4e878ebb6d99247d948fdf4dc0a6d535c14837ac42437e0e82f7dca991487a7fd07f735619d4f17d7a7300b509eebdd0484feb922839b3b58b4b952e6eddbe
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
219KB
MD537053b57a0722adc24edb9642423f652
SHA11bcad620c40d94ba2926e1bf12e1c255ea2bf342
SHA2563d1e12250e4aaa1eb3619a83eb9c40e05484d4587b1977e67a658f926f9cb690
SHA5126815cb3ada94058b4bbc66ba59dbc66efaf268ad5688a16878790ade93994de2fc22caf0c8b5210bd486bedd95612c1cc32f8044acc1d8768d9ab120cd34aaea
-
Filesize
15KB
MD52a3f53f8d4465003a52ba1ba54b70f6b
SHA118ce95e0b90b7dbd8cef78737ea9a58ab9147248
SHA256c22980115f6078267c7ad73857fc3150c9c9ce514bb05d3367ec65d4ae5ac806
SHA512764638d085fffb5597189b0bc05b2bf2447c10eb2557ed93d170086adac4994adf6170358eff20bcd7876298b8892ae24bc8f3f6ba4bf04deb4d089f0994bf64
-
Filesize
215KB
MD5e110040dcbdeae74895004e412458cb5
SHA1fb0dbc5d4adb0800b61b7af2fec8a6b3bf721874
SHA256c9a297a60352b0cebf37efc7a4644c770029edb5673e2eef59f5fbc473cf6075
SHA5127fb99d27fbd9d2ef3267a4cb16d7ec52f34b8bddc5d263ed5cc53dd274a68aacc7cda1b6f03bdb922b2b93ab5a08cf66683e120d820f42cf349eefe215339694
-
Filesize
215KB
MD5e110040dcbdeae74895004e412458cb5
SHA1fb0dbc5d4adb0800b61b7af2fec8a6b3bf721874
SHA256c9a297a60352b0cebf37efc7a4644c770029edb5673e2eef59f5fbc473cf6075
SHA5127fb99d27fbd9d2ef3267a4cb16d7ec52f34b8bddc5d263ed5cc53dd274a68aacc7cda1b6f03bdb922b2b93ab5a08cf66683e120d820f42cf349eefe215339694
-
Filesize
78KB
MD54cc0184438d530f1a2e3deaa9e413452
SHA1d7123710688162f10d011b5318b50ef4bbddc7a4
SHA2566b302a5e22f26eef8be1b0dc35419b1415a4b8822b0c558ff7f369b248dad2cb
SHA512ed22d68b3d9dee695d3f40893ec9dc70c79347ef3033f9e0e60a26f6ea30f5c87e87157bda9db426a1defeaebcf6806ef76c74a054938dc0d1d034fd15cd463b
-
Filesize
78KB
MD54cc0184438d530f1a2e3deaa9e413452
SHA1d7123710688162f10d011b5318b50ef4bbddc7a4
SHA2566b302a5e22f26eef8be1b0dc35419b1415a4b8822b0c558ff7f369b248dad2cb
SHA512ed22d68b3d9dee695d3f40893ec9dc70c79347ef3033f9e0e60a26f6ea30f5c87e87157bda9db426a1defeaebcf6806ef76c74a054938dc0d1d034fd15cd463b
-
Filesize
1.5MB
MD5f329728b04e9d98d64a0892216e033f4
SHA16585ac4780bd200793b0ce5959302c12302b3ad8
SHA256e559e03d2fabc5545ffbc70c83ac0353638cbd3a598a0bfc2994d4224624416a
SHA5122f9b827e6340373838d91c047e89f3d4b618b5557d3bc19574c90d969b3cdfb50af5102de296774b00dfcfececeb8076ab687434be06baa340b8d10cbfaf7a4f
-
Filesize
1.5MB
MD5f329728b04e9d98d64a0892216e033f4
SHA16585ac4780bd200793b0ce5959302c12302b3ad8
SHA256e559e03d2fabc5545ffbc70c83ac0353638cbd3a598a0bfc2994d4224624416a
SHA5122f9b827e6340373838d91c047e89f3d4b618b5557d3bc19574c90d969b3cdfb50af5102de296774b00dfcfececeb8076ab687434be06baa340b8d10cbfaf7a4f
-
Filesize
308KB
MD590127282173a671b2ccbc302cb6d88ab
SHA18210ad804d37c3befbe953bbc1922b99ae1a3d9c
SHA2565cd6c4e810d5e68ba17ee468bdf60a21a4ce25785d3f86b64724d1f1969d9ab0
SHA5125aa2bd2629289b29e6c1dba9558f15bdafdc376f14dfaff8da93c98a13d228d5ab51c3977e2c845e1929a9060d592ac586e985a5b7b01b4f0ddcbb2ac336e94f
-
Filesize
308KB
MD590127282173a671b2ccbc302cb6d88ab
SHA18210ad804d37c3befbe953bbc1922b99ae1a3d9c
SHA2565cd6c4e810d5e68ba17ee468bdf60a21a4ce25785d3f86b64724d1f1969d9ab0
SHA5125aa2bd2629289b29e6c1dba9558f15bdafdc376f14dfaff8da93c98a13d228d5ab51c3977e2c845e1929a9060d592ac586e985a5b7b01b4f0ddcbb2ac336e94f
-
Filesize
78KB
MD54cc0184438d530f1a2e3deaa9e413452
SHA1d7123710688162f10d011b5318b50ef4bbddc7a4
SHA2566b302a5e22f26eef8be1b0dc35419b1415a4b8822b0c558ff7f369b248dad2cb
SHA512ed22d68b3d9dee695d3f40893ec9dc70c79347ef3033f9e0e60a26f6ea30f5c87e87157bda9db426a1defeaebcf6806ef76c74a054938dc0d1d034fd15cd463b
-
Filesize
78KB
MD54cc0184438d530f1a2e3deaa9e413452
SHA1d7123710688162f10d011b5318b50ef4bbddc7a4
SHA2566b302a5e22f26eef8be1b0dc35419b1415a4b8822b0c558ff7f369b248dad2cb
SHA512ed22d68b3d9dee695d3f40893ec9dc70c79347ef3033f9e0e60a26f6ea30f5c87e87157bda9db426a1defeaebcf6806ef76c74a054938dc0d1d034fd15cd463b
-
Filesize
2.1MB
MD552332e38b53802de405fc1935ec4b2f4
SHA12ec392602e0424f49eca0432cb8e77dc1baa47fb
SHA256ef7597d9c1462797228dac2dfa16724b2dd78c37c29abb89f2109a8897419707
SHA51201d87e94676bddf654a0702dea5a87cbddc40592a16210761f7019d7a5ed23d6185015e65247894b968744bb82239f06d13f3de1302b9aa92de7ec29033ea4d0
-
Filesize
2.1MB
MD552332e38b53802de405fc1935ec4b2f4
SHA12ec392602e0424f49eca0432cb8e77dc1baa47fb
SHA256ef7597d9c1462797228dac2dfa16724b2dd78c37c29abb89f2109a8897419707
SHA51201d87e94676bddf654a0702dea5a87cbddc40592a16210761f7019d7a5ed23d6185015e65247894b968744bb82239f06d13f3de1302b9aa92de7ec29033ea4d0
-
Filesize
2.1MB
MD552332e38b53802de405fc1935ec4b2f4
SHA12ec392602e0424f49eca0432cb8e77dc1baa47fb
SHA256ef7597d9c1462797228dac2dfa16724b2dd78c37c29abb89f2109a8897419707
SHA51201d87e94676bddf654a0702dea5a87cbddc40592a16210761f7019d7a5ed23d6185015e65247894b968744bb82239f06d13f3de1302b9aa92de7ec29033ea4d0
-
Filesize
219KB
MD537053b57a0722adc24edb9642423f652
SHA11bcad620c40d94ba2926e1bf12e1c255ea2bf342
SHA2563d1e12250e4aaa1eb3619a83eb9c40e05484d4587b1977e67a658f926f9cb690
SHA5126815cb3ada94058b4bbc66ba59dbc66efaf268ad5688a16878790ade93994de2fc22caf0c8b5210bd486bedd95612c1cc32f8044acc1d8768d9ab120cd34aaea
-
Filesize
219KB
MD537053b57a0722adc24edb9642423f652
SHA11bcad620c40d94ba2926e1bf12e1c255ea2bf342
SHA2563d1e12250e4aaa1eb3619a83eb9c40e05484d4587b1977e67a658f926f9cb690
SHA5126815cb3ada94058b4bbc66ba59dbc66efaf268ad5688a16878790ade93994de2fc22caf0c8b5210bd486bedd95612c1cc32f8044acc1d8768d9ab120cd34aaea
-
Filesize
15KB
MD52a3f53f8d4465003a52ba1ba54b70f6b
SHA118ce95e0b90b7dbd8cef78737ea9a58ab9147248
SHA256c22980115f6078267c7ad73857fc3150c9c9ce514bb05d3367ec65d4ae5ac806
SHA512764638d085fffb5597189b0bc05b2bf2447c10eb2557ed93d170086adac4994adf6170358eff20bcd7876298b8892ae24bc8f3f6ba4bf04deb4d089f0994bf64
-
Filesize
15KB
MD52a3f53f8d4465003a52ba1ba54b70f6b
SHA118ce95e0b90b7dbd8cef78737ea9a58ab9147248
SHA256c22980115f6078267c7ad73857fc3150c9c9ce514bb05d3367ec65d4ae5ac806
SHA512764638d085fffb5597189b0bc05b2bf2447c10eb2557ed93d170086adac4994adf6170358eff20bcd7876298b8892ae24bc8f3f6ba4bf04deb4d089f0994bf64
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
-
Filesize
36KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
5.2MB
-
Filesize
5.2MB
-
Filesize
1.3MB
-
-
Filesize
28KB
-
-
Filesize
28KB
-
-
Filesize
464KB
-
Filesize
428KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
332KB
-
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
332KB
-
Filesize
64KB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
28KB
-
Filesize
68KB
-
-
Filesize
28KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
-
Filesize
48KB
-
Filesize
764KB
-
Filesize
736KB
-
Filesize
764KB
-
Filesize
1.5MB
-
Filesize
652KB
-
Filesize
2.1MB
-
Filesize
652KB
-
-
Filesize
320KB
-
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
28KB
-
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
-
-
Filesize
28KB
-
Filesize
28KB
-
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
36KB
-
Filesize
56KB
-
-