Analysis
- max time kernel: 421s
- max time network: 342s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2022 12:05
Behavioral task: behavioral1
- Sample: Setup.exe
- Resource: win7-20220718-en
General
- Target: Setup.exe
- Size: 396.0MB
- MD5: e5e62628c45c3ddb68cb1ac7b1d9ef6b
- SHA1: 52ff4607f24e1f0623682e4d756b5f29bc213ca0
- SHA256: 4830e0dc4af8e724ba266c00e2d8d531cde41ad8836d13c9b9939ba28f7a9888
- SHA512: b6b3b7208024c18d0ba66d54e39341f0450ba92f3b39012b80fcae89e27e617cfb9ba05b678c3a7d55ecf14b5175e52572773c3ec91b29912df56c09e6d152c9
Malware Config
Extracted (family: raccoon)
- 8eb14caca01131f5f4ff62ef8a0fcab4
- http://5.252.23.112/
- http://45.153.230.5/
Signatures

Raccoon Stealer payload (3 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4716-134-0x0000000000720000-0x0000000000EB7000-memory.dmp  family_raccoon
  behavioral2/memory/4716-135-0x0000000000720000-0x0000000000EB7000-memory.dmp  family_raccoon
  behavioral2/memory/4716-143-0x0000000000720000-0x0000000000EB7000-memory.dmp  family_raccoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: Setup.exe
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Setup.exe
Downloads MZ/PE file
Executes dropped EXE (1 IoCs)
Processes: t5IvlvGN.exe
  pid   process
  4992  t5IvlvGN.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Setup.exe
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Setup.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: Setup.exe
  description        ioc                                                                                               process
  Key value queried  \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation  Setup.exe
Loads dropped DLL (3 IoCs)
Processes: Setup.exe
  pid   process
  4716  Setup.exe
  4716  Setup.exe
  4716  Setup.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4716-130-0x0000000000720000-0x0000000000EB7000-memory.dmp  themida
  behavioral2/memory/4716-131-0x0000000000720000-0x0000000000EB7000-memory.dmp  themida
  behavioral2/memory/4716-132-0x0000000000720000-0x0000000000EB7000-memory.dmp  themida
  behavioral2/memory/4716-134-0x0000000000720000-0x0000000000EB7000-memory.dmp  themida
  behavioral2/memory/4716-135-0x0000000000720000-0x0000000000EB7000-memory.dmp  themida
  behavioral2/memory/4716-143-0x0000000000720000-0x0000000000EB7000-memory.dmp  themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes: Setup.exe, t5IvlvGN.exe
  pid   process
  4716  Setup.exe
  4992  t5IvlvGN.exe
  4992  t5IvlvGN.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
  pid   process
  1356  schtasks.exe
  1992  schtasks.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: Setup.exe, t5IvlvGN.exe
  pid   process
  4716  Setup.exe
  4716  Setup.exe
  4716  Setup.exe
  4716  Setup.exe
  4992  t5IvlvGN.exe
  4992  t5IvlvGN.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Setup.exe, t5IvlvGN.exe
  description                       pid   process       target process
  PID 4716 wrote to memory of 4992  4716  Setup.exe     t5IvlvGN.exe
  PID 4716 wrote to memory of 4992  4716  Setup.exe     t5IvlvGN.exe
  PID 4716 wrote to memory of 4992  4716  Setup.exe     t5IvlvGN.exe
  PID 4992 wrote to memory of 1356  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 1356  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 1356  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 3304  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 3304  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 3304  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 1992  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 1992  4992  t5IvlvGN.exe  schtasks.exe
  PID 4992 wrote to memory of 1992  4992  t5IvlvGN.exe  schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe [depth 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\t5IvlvGN.exe [depth 2]
    Command line: "C:\Users\Admin\AppData\Roaming\t5IvlvGN.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe [depth 3]
      Command line: /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe [depth 3]
      Command line: /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"
    - C:\Windows\SysWOW64\schtasks.exe [depth 3]
      Command line: /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\mozglue.dll
  Filesize: 612KB
  MD5: f07d9977430e762b563eaadc2b94bbfa
  SHA1: da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
  SHA256: 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
  SHA512: 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
- C:\Users\Admin\AppData\LocalLow\nss3.dll
  Filesize: 1.9MB
  MD5: f67d08e8c02574cbc2f1122c53bfb976
  SHA1: 6522992957e7e4d074947cad63189f308a80fcf2
  SHA256: c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
  SHA512: 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
- C:\Users\Admin\AppData\LocalLow\sqlite3.dll
  Filesize: 1.0MB
  MD5: dbf4f8dcefb8056dc6bae4b67ff810ce
  SHA1: bbac1dd8a07c6069415c04b62747d794736d0689
  SHA256: 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
  SHA512: b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
- C:\Users\Admin\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml
  Filesize: 1KB
  MD5: eba51a69e4ea09b5b95e449a2312a383
  SHA1: abd23da58a04608639d2bc1044d1802d7e5fabf3
  SHA256: eab1161e2e5fa32d3402864a9802368ee80a31351d430bb8ce09349515fd3fc7
  SHA512: 4ba210b94caaa5fbbd5957222c53734e6ea2d99628474e1ef3d251cb692254d5c3fb36276c89a44daeb0664e91dfccd93335627294c2eb859eb304ff34aae852
- C:\Users\Admin\AppData\Roaming\t5IvlvGN.exe
  Filesize: 6.6MB
  MD5: a0f5bd3310c1551cd3d2a603cd274244
  SHA1: 4c1e7b2997a3233ee4d33285fb4b6cbe7e7aac2f
  SHA256: 77a1d55bf40b453e6aea080bccffa51207da46dddf385dd4e21acfe697d5a1c9
  SHA512: 678067bf6694054cccf3dc734bfcca8e66aaf04c9b25ca4fa265337fd73faa2df751cf33cc63ce40528f411abfbb093bdc8f180ef60c54580797301f4a9b8877
- memory/1356-146-0x0000000000000000-mapping.dmp
- memory/1992-149-0x0000000000000000-mapping.dmp
- memory/3304-148-0x0000000000000000-mapping.dmp
- memory/4716-136-0x0000000077C30000-0x0000000077DD3000-memory.dmp (Filesize: 1.6MB)
- memory/4716-135-0x0000000000720000-0x0000000000EB7000-memory.dmp (Filesize: 7.6MB)
- memory/4716-134-0x0000000000720000-0x0000000000EB7000-memory.dmp (Filesize: 7.6MB)
- memory/4716-132-0x0000000000720000-0x0000000000EB7000-memory.dmp (Filesize: 7.6MB)
- memory/4716-130-0x0000000000720000-0x0000000000EB7000-memory.dmp (Filesize: 7.6MB)
- memory/4716-133-0x0000000077C30000-0x0000000077DD3000-memory.dmp (Filesize: 1.6MB)
- memory/4716-143-0x0000000000720000-0x0000000000EB7000-memory.dmp (Filesize: 7.6MB)
- memory/4716-144-0x0000000077C30000-0x0000000077DD3000-memory.dmp (Filesize: 1.6MB)
- memory/4716-131-0x0000000000720000-0x0000000000EB7000-memory.dmp (Filesize: 7.6MB)
- memory/4992-140-0x0000000000000000-mapping.dmp
- memory/4992-147-0x0000000000930000-0x0000000001367000-memory.dmp (Filesize: 10.2MB)
- memory/4992-145-0x0000000000930000-0x0000000001367000-memory.dmp (Filesize: 10.2MB)
- memory/4992-151-0x0000000000930000-0x0000000001367000-memory.dmp (Filesize: 10.2MB)