Analysis
-
max time kernel
80s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
18-07-2022 06:55
Static task
static1
Behavioral task
behavioral1
Sample
TheOpen_140722.cps.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
TheOpen_140722.cps.exe
Resource
win10v2004-20220414-en
General
-
Target
TheOpen_140722.cps.exe
Malware Config
Extracted
raccoon
54641d75d5de0fc850ef2098e881f4d8
http://51.195.166.175/
Signatures
-
Raccoon Stealer payload 4 IoCs
resource yara_rule behavioral2/memory/4360-130-0x00000000009D0000-0x00000000014A8000-memory.dmp family_raccoon behavioral2/memory/4360-132-0x00000000009D0000-0x00000000014A8000-memory.dmp family_raccoon behavioral2/memory/4360-136-0x00000000009D0000-0x00000000014A8000-memory.dmp family_raccoon behavioral2/memory/4360-144-0x00000000009D0000-0x00000000014A8000-memory.dmp family_raccoon -
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2776 Z40Z9P4o.exe 112 Z0JE932N.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation TheOpen_140722.cps.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z0JE932N.exe Z0JE932N.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z0JE932N.exe Z0JE932N.exe -
Loads dropped DLL 3 IoCs
pid Process 4360 TheOpen_140722.cps.exe 4360 TheOpen_140722.cps.exe 4360 TheOpen_140722.cps.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\Z0JE932N.exe" Z0JE932N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype Web = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Z0JE932N.exe" Z0JE932N.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4360 TheOpen_140722.cps.exe 4360 TheOpen_140722.cps.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2776 set thread context of 211500 2776 Z40Z9P4o.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4360 TheOpen_140722.cps.exe 4360 TheOpen_140722.cps.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 4360 wrote to memory of 2776 4360 TheOpen_140722.cps.exe 86 PID 4360 wrote to memory of 2776 4360 TheOpen_140722.cps.exe 86 PID 4360 wrote to memory of 2776 4360 TheOpen_140722.cps.exe 86 PID 4360 wrote to memory of 112 4360 TheOpen_140722.cps.exe 88 PID 4360 wrote to memory of 112 4360 TheOpen_140722.cps.exe 88 PID 2776 wrote to memory of 211500 2776 Z40Z9P4o.exe 89 PID 2776 wrote to memory of 211500 2776 Z40Z9P4o.exe 89 PID 2776 wrote to memory of 211500 2776 Z40Z9P4o.exe 89 PID 2776 wrote to memory of 211500 2776 Z40Z9P4o.exe 89 PID 2776 wrote to memory of 211500 2776 Z40Z9P4o.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\TheOpen_140722.cps.exe"C:\Users\Admin\AppData\Local\Temp\TheOpen_140722.cps.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Roaming\Z40Z9P4o.exe"C:\Users\Admin\AppData\Roaming\Z40Z9P4o.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:211500
-
-
-
C:\Users\Admin\AppData\Roaming\Z0JE932N.exe"C:\Users\Admin\AppData\Roaming\Z0JE932N.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:112
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
73KB
MD5b4c0bb4c7f5ecb3703c3d542eebe1000
SHA16dd9486d26c68bd00af98de4d27da658dfaa81da
SHA25663bda91a263a1568359ef0bcb80a1303e405607d666a73d2bb3bdc9062871c82
SHA512a316f937b86f6518495c4dca838fb8d43d2547d3fe5ce15fa9cedd0e1a460d4527807aec3ac610f091acb7c97ea7aa4755e3e106f739b29dca899d60695fd776
-
Filesize
73KB
MD5b4c0bb4c7f5ecb3703c3d542eebe1000
SHA16dd9486d26c68bd00af98de4d27da658dfaa81da
SHA25663bda91a263a1568359ef0bcb80a1303e405607d666a73d2bb3bdc9062871c82
SHA512a316f937b86f6518495c4dca838fb8d43d2547d3fe5ce15fa9cedd0e1a460d4527807aec3ac610f091acb7c97ea7aa4755e3e106f739b29dca899d60695fd776
-
Filesize
3.4MB
MD59b86ca22ff7cd3a3366b0f5a92de3719
SHA181918646cf8d74036879879c547c7b0d3ff4bc22
SHA256bc4a3d083a4fc9d70b3c0459993da32a486e57fd87bae84c95b7116eb3ec687c
SHA51235c01a0c3f3494fc56a5ac664f249201f2e5e15978bcebee43d515278aa81bc659cb2dfa889c64b4ba567a09bf4ef6423a8291180373876e523d2895dd596f21
-
Filesize
3.4MB
MD59b86ca22ff7cd3a3366b0f5a92de3719
SHA181918646cf8d74036879879c547c7b0d3ff4bc22
SHA256bc4a3d083a4fc9d70b3c0459993da32a486e57fd87bae84c95b7116eb3ec687c
SHA51235c01a0c3f3494fc56a5ac664f249201f2e5e15978bcebee43d515278aa81bc659cb2dfa889c64b4ba567a09bf4ef6423a8291180373876e523d2895dd596f21