raccoon | 78bcdef2a920a1927fee569803826bae3425e507d354eac71136b2a103abdb24

Analysis

max time kernel
128s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
29-07-2022 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

305KB
MD5

d89d3c3cea154915a742bf8b52abe43d
SHA1

acb97f43a1e6e8602e8d12418e5b5b71a2a1b083
SHA256

78bcdef2a920a1927fee569803826bae3425e507d354eac71136b2a103abdb24
SHA512

344cce22843772d22e37d543d698498e335048e3fe9f07bcf380b99f26f53847ab25c185f3ec4ed2319d738c9dfe3b71ce4f70f93d971dc4f13ceafbe1f260bf

Score

10^/10

raccoon 832badce9b2e1756260c5ffcba9a576f evasion spyware stealer themida

Malware Config

Extracted

Family

raccoon

Botnet

832badce9b2e1756260c5ffcba9a576f

http://51.195.166.175/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3060-151-0x0000000000840000-0x0000000000D40000-memory.dmp	family_raccoon
behavioral2/memory/3060-181-0x0000000000840000-0x0000000000D40000-memory.dmp	family_raccoon
behavioral2/memory/3060-227-0x0000000000840000-0x0000000000D40000-memory.dmp	family_raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Video_29072022_1080p.scr

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Video_29072022_1080p.scr
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

NuZfPD6r.exe

pid process

2444 NuZfPD6r.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Video_29072022_1080p.scr

pid	process
2444	NuZfPD6r.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Video_29072022_1080p.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Video_29072022_1080p.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Video_29072022_1080p.scr

Loads dropped DLL 3 IoCs

Processes:

Video_29072022_1080p.scr

pid process

3060 Video_29072022_1080p.scr
3060 Video_29072022_1080p.scr
3060 Video_29072022_1080p.scr

pid	process
3060	Video_29072022_1080p.scr
3060	Video_29072022_1080p.scr
3060	Video_29072022_1080p.scr

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3060-124-0x0000000000840000-0x0000000000D40000-memory.dmp	themida
behavioral2/memory/3060-150-0x0000000000840000-0x0000000000D40000-memory.dmp	themida
behavioral2/memory/3060-151-0x0000000000840000-0x0000000000D40000-memory.dmp	themida
behavioral2/memory/3060-181-0x0000000000840000-0x0000000000D40000-memory.dmp	themida
behavioral2/memory/3060-227-0x0000000000840000-0x0000000000D40000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Video_29072022_1080p.scr

pid process

3060 Video_29072022_1080p.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

NuZfPD6r.exe

description pid process target process

PID 2444 set thread context of 166464 2444 NuZfPD6r.exe AppLaunch.exe

pid	process
3060	Video_29072022_1080p.scr

description	pid	process	target process
PID 2444 set thread context of 166464	2444	NuZfPD6r.exe	AppLaunch.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 019e5ad3d79ad801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "365912231"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30974793"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a4ca1249a3d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "365880239"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30974793"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "207776432"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "68481854"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{A4D7D641-1197-422C-A621-3230AEEB4201}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30974793"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d930c3c4e97c6419efe7c203d3294e800000000020000000000106600000001000020000000607899bea12125bc0ae817d45c24b06bc3a72c72852553c6d94ee109381949e1000000000e80000000020000200000008c96603333d4a0601a741c608e1ee5006e92a9d4c8d5dae9b0904647479a434120000000118b4edcbe389d09b45188b1eb0eb07f2b06e2f3d287b8509a63605d6aeaaaa840000000422350e1b1ea5dc2d6afbb5b583ad8c98ead8b68188f169fdb31eeced50ee765f07ae8aca141d089d850d3f01dc143e79898d97b376ed0095acbf8049c9f297f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002d930c3c4e97c6419efe7c203d3294e8000000000200000000001066000000010000200000000b40e82a35182e90091c146847a04bb68509a5a020b0f12fc9a48081f464b903000000000e8000000002000020000000cc20d5255607bb1089eb0d3cc85ec7f707ccc301755dc7ed3cdbd26d199600dc2000000080f402f6ee0064f7a6c349739dc0dadff34bfc5ad2be27a376ce8765cc5bc2dc400000007d3ad4355242aa0269056b3b41037117add68ce2213ed97e5eafd2f44d17b976df349ef929ed18345a31e86b5c3e2802e6d02ba6dec41a0a0ff7c44b1e839cb0	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "68481854"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2EDCB90E-0F3C-11ED-9B72-76D180D1B6CA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "207776432"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e22a1249a3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365863644"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30974793"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings iexplore.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Video_29072022_1080p.scr

pid process

3060 Video_29072022_1080p.scr
3060 Video_29072022_1080p.scr
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3868 iexplore.exe
3868 iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings	iexplore.exe

pid	process
3060	Video_29072022_1080p.scr
3060	Video_29072022_1080p.scr

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
3868	iexplore.exe
3868	iexplore.exe
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3868	iexplore.exe
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE
3456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

iexplore.exeVideo_29072022_1080p.scrNuZfPD6r.exe

description	pid	process	target process
PID 3868 wrote to memory of 3456	3868	iexplore.exe	IEXPLORE.EXE
PID 3868 wrote to memory of 3456	3868	iexplore.exe	IEXPLORE.EXE
PID 3868 wrote to memory of 3456	3868	iexplore.exe	IEXPLORE.EXE
PID 3060 wrote to memory of 2444	3060	Video_29072022_1080p.scr	NuZfPD6r.exe
PID 3060 wrote to memory of 2444	3060	Video_29072022_1080p.scr	NuZfPD6r.exe
PID 3060 wrote to memory of 2444	3060	Video_29072022_1080p.scr	NuZfPD6r.exe
PID 2444 wrote to memory of 166464	2444	NuZfPD6r.exe	AppLaunch.exe
PID 2444 wrote to memory of 166464	2444	NuZfPD6r.exe	AppLaunch.exe
PID 2444 wrote to memory of 166464	2444	NuZfPD6r.exe	AppLaunch.exe
PID 2444 wrote to memory of 166464	2444	NuZfPD6r.exe	AppLaunch.exe
PID 2444 wrote to memory of 166464	2444	NuZfPD6r.exe	AppLaunch.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:288

C:\Users\Admin\Downloads\Video_29072022_1080p\Video_29072022_1080p.scr
"C:\Users\Admin\Downloads\Video_29072022_1080p\Video_29072022_1080p.scr" /S
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\NuZfPD6r.exe
"C:\Users\Admin\AppData\Roaming\NuZfPD6r.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:166464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
Filesize
631B

MD5
7515e21f59ff1aadff6f6a1a0d105c2b

SHA1
5264c5e2334a57d8669d31c67325a9b166e53bef

SHA256
55a7640579a0e6c0bc2388063710e5cc3120b4df0840ec8a7af9a4bdc9235029

SHA512
88053a0584ae8581f6003c86b6370441082dd500a6576e390aabd83876f5be2aa09db1990685b12c9c783ed6a58f4583b4ef6af41c7da0ee28ad8151e7a7d3ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
1KB

MD5
a81a34dcfa4717af029396de5bbaf7e6

SHA1
51ff0a95dfb1b7f74d6f9595853f04931e57006b

SHA256
1c2e613661ef28f0b6edac8f3dfd217dbdeb80fa789aaa7c6388749db8f71449

SHA512
0fd8ecb3666e63c3ff7e4827930bc561309bf3fd385b4ab4b0978fa1367de8f0d0993a85dabcc275b22acd39291433349e1bacaaa4d9111d02d1f98a91103cb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
ab2a2fd1e3eb737eb930ce6e5a17a10f

SHA1
3390ae633eeddf1de3a92100612715607b1e2061

SHA256
efccce4b24557c96dd9a1aa4e25253447281b2d382790223f355463bd2333301

SHA512
20abdbed3a361919a12420ed6ad622450f76a0ac9da8295aa2505d641585a022a09e0a7f07e485b4ebe8002255add6da9b2d94f150c9a1c82bf8bae0337542ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
58b8981d46a7f547cbcb5bb042509c96

SHA1
b4faccaddf44e559bdc14bda7f9d2f8bd19126d3

SHA256
c2494e423a4a8f6c657959fe10ea683f0ed6e4d261df9d970f28a5424b6049e2

SHA512
db48258bed6896ee313f2c8d5b27e1ce88a54fa15fbd6e2cbef6a65f5e3d25cf7529c15086af68fe09e21c1206aef4240cc99c54c6d7c069ea89a41e2150a3b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
Filesize
240B

MD5
e75c5a93f6a51b1fc225fe18bdbba795

SHA1
0b663df68ed512b204e030205ab0cc967ba89bc9

SHA256
8f1a4b69716e0c353883d51d7d8c82ae05b983cb2a9fd1a86885f784214e4ddb

SHA512
92c3d88b977e364e4b89162c703a1d234f8befff514874bbd61ac14c678d76a8a40e5a070d7c4e03b8236d5ba0a5af9bdaa33c2eefd119004e3fe2e224aa315b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F
Filesize
442B

MD5
5318026d26b43cd74b4642a8216ac075

SHA1
acdf1aebb53a4cb02e0ed3c21fe51f69f0fd8d4e

SHA256
1bf434396cd9a04215519b8a510949eca5eb7cdd670d1dc0f503309874ae9510

SHA512
803b25fb84cdc93c3cfb53876a810194294e1dc13c071983afbe572cf274f3e0638ffaf81a32247e1eb0cae68ff1472102d65a8ec1ccfa02ab5a3a1fea750a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
3e7b191b5101983f31f469ac35d73991

SHA1
004436bb098408b5db597818bf54b384bc0fa442

SHA256
d7457d85510c01cb44ad2127fbcb6ae7b66b2f9301bb4bad2e15dda7675df526

SHA512
796607cfcf27a9218b17c83a3112a703cebd0c3068e631d2d2c0456e1da41823656e2f08754af0d4b07fd797f222a24d71d719770aa833735dfc3aca92c31291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
54c45c6d3d826778f7df97ebf1f5c8f3

SHA1
160ca29bbac2655a4aec20a55309e9b184b02b99

SHA256
156466b5ab3747a6d509591866d9894c71a5ee487d5caef8cbb9be4e5917972e

SHA512
7d3d21f90b8c5548fec95087dfc0eedc39440480b15b5546f589b9271183354d4611ae187780aaec949ebc0ff2e2ddce9534e3c43884c7ccce2d5de3593d90bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\L670WVSZ.cookie
Filesize
610B

MD5
bfd6fa30fc95edda45c2398052943c37

SHA1
a2650824353678f30c02fc168d7abd2666a7e9f3

SHA256
be450fb3323a9244c438b17ce9841d01e4878ce356127e779293a6beb513a831

SHA512
d87ab3688528155f52464e49ca38df5a8c7c4005ef15ebea742c5e9bac9e4d9433306daa337b473a56c5c7f764b8d5e19586acdbe06e3044f9470cf2301965a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VG0YBSJ9.cookie
Filesize
610B

MD5
9cb846f8792a210d32910a60a27e3fb2

SHA1
b224e6e7455c5f883e88bcbd746d0fefef013f4d

SHA256
4ac7ac99fd8c05c76b8c68f12a154d23ce805fd9c7ea2f0b68635ade0ab7f267

SHA512
ebda909188439efd82d6b15e3296678318397321f07711a6dafb6d9533f010fdd9ce786f617a5e48bdf9eae63c2dcc92556b622f0a227640cf21ccf81f0fe1fa

Download Submit
C:\Users\Admin\AppData\Roaming\NuZfPD6r.exe
Filesize
3.3MB

MD5
a3bbbce423ed7527bca7062cdc050e49

SHA1
f44e9c2fe185099484e978a1f6edd1c5553dcdb8

SHA256
8bd96f5b6c54950b9bac1380c9709e1670d0387e2b15abfea8321b1fb73bad90

SHA512
2b2894c89b5c259996077359c99941a1f2d5fbc91144bbc50a433f6629571d3d465e4d6e27c51765bfa3dc5e67e4ff1375aeada2fee529158dca33495d1bc730

Download Submit
C:\Users\Admin\AppData\Roaming\NuZfPD6r.exe
Filesize
3.3MB

MD5
a3bbbce423ed7527bca7062cdc050e49

SHA1
f44e9c2fe185099484e978a1f6edd1c5553dcdb8

SHA256
8bd96f5b6c54950b9bac1380c9709e1670d0387e2b15abfea8321b1fb73bad90

SHA512
2b2894c89b5c259996077359c99941a1f2d5fbc91144bbc50a433f6629571d3d465e4d6e27c51765bfa3dc5e67e4ff1375aeada2fee529158dca33495d1bc730

Download Submit
C:\Users\Admin\Downloads\Video_29072022_1080p.zip.zb7d00e.partial
Filesize
5.7MB

MD5
ff54ada00f58826b6dd17f776183f0c0

SHA1
5e837885cef4c3b18a572280074ee3aa740eb3e4

SHA256
695df1930505266fadb521116c40a7eb8c68ebce08d5b67501e262552b834e65

SHA512
9adff3db29e07caf14f10ac2ec504f33f7d688b16a9647d99c1e144eb4e47513ba69872a11425f60fe5637daa99ff660242cbfa5ecdc3dd31671888d18cc0df2

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/2444-212-0x0000000000000000-mapping.dmp

Download
memory/3060-156-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-164-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-133-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-134-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-135-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-136-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-137-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-138-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-140-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-139-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-141-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-142-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-143-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-144-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-145-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-131-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-130-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-148-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-149-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-150-0x0000000000840000-0x0000000000D40000-memory.dmp

Filesize
5.0MB

Download
memory/3060-151-0x0000000000840000-0x0000000000D40000-memory.dmp

Filesize
5.0MB

Download
memory/3060-152-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-153-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-154-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-155-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-126-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-157-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-158-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-159-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-160-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-161-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-162-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-163-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-132-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-165-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-166-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-167-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-168-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-169-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-171-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-129-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-172-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-173-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-127-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-175-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-176-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-178-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-128-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-179-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-180-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-181-0x0000000000840000-0x0000000000D40000-memory.dmp

Filesize
5.0MB

Download
memory/3060-182-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-183-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-184-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-185-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-122-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-125-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-124-0x0000000000840000-0x0000000000D40000-memory.dmp

Filesize
5.0MB

Download
memory/3060-123-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-121-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-120-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-119-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-118-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-117-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-116-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-227-0x0000000000840000-0x0000000000D40000-memory.dmp

Filesize
5.0MB

Download
memory/3060-115-0x0000000077670000-0x00000000777FE000-memory.dmp

Filesize
1.6MB

Download
memory/166464-236-0x0000000000429153-mapping.dmp

Download