Analysis
- max time kernel: 57s
- max time network: 54s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 06-08-2022 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 2fdb83691dfa4721f534b8b9e826033c.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 2fdb83691dfa4721f534b8b9e826033c.exe
  Resource: win10v2004-20220721-en
General
- Target: 2fdb83691dfa4721f534b8b9e826033c.exe
- Size: 5.4MB
- MD5: 2fdb83691dfa4721f534b8b9e826033c
- SHA1: 381fd9c7ed88b97511382cc87b769f02bae4c0aa
- SHA256: b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7
- SHA512: 8d15538d3b6e54592840117d23a694f7c16f2cb7395e3d54f800b135142394ee15aee961e17d834be02fa2019c0e46161bc5dee83ed8ece4557f0b7de0352449
Malware Config
Extracted
  Family: raccoon
  3d7feaf596b73f06759c9dbaa8490e71
  C2: http://146.19.247.151/
Signatures
- Raccoon Stealer payload (3 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2012-62-0x0000000000350000-0x0000000000BE2000-memory.dmp  family_raccoon
  behavioral1/memory/2012-65-0x0000000000350000-0x0000000000BE2000-memory.dmp  family_raccoon
  behavioral1/memory/2012-66-0x0000000000350000-0x0000000000BE2000-memory.dmp  family_raccoon
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  2012  Anydesk.exe
  Processes:
  resource                                                                     yara_rule
  \Users\Admin\AppData\Local\Temp\Anydesk.exe                                  vmprotect
  \Users\Admin\AppData\Local\Temp\Anydesk.exe                                  vmprotect
  \Users\Admin\AppData\Local\Temp\Anydesk.exe                                  vmprotect
  \Users\Admin\AppData\Local\Temp\Anydesk.exe                                  vmprotect
  C:\Users\Admin\AppData\Local\Temp\Anydesk.exe                                vmprotect
  C:\Users\Admin\AppData\Local\Temp\Anydesk.exe                                vmprotect
  behavioral1/memory/2012-62-0x0000000000350000-0x0000000000BE2000-memory.dmp  vmprotect
  behavioral1/memory/2012-65-0x0000000000350000-0x0000000000BE2000-memory.dmp  vmprotect
  behavioral1/memory/2012-66-0x0000000000350000-0x0000000000BE2000-memory.dmp  vmprotect
- Loads dropped DLL (4 IoCs)
  Processes:
  pid  process
  968  2fdb83691dfa4721f534b8b9e826033c.exe
  968  2fdb83691dfa4721f534b8b9e826033c.exe
  968  2fdb83691dfa4721f534b8b9e826033c.exe
  968  2fdb83691dfa4721f534b8b9e826033c.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid   process
  2012  Anydesk.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   process
  2012  Anydesk.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      pid  process                               target process
  PID 968 wrote to memory of 2012  968  2fdb83691dfa4721f534b8b9e826033c.exe  Anydesk.exe
  PID 968 wrote to memory of 2012  968  2fdb83691dfa4721f534b8b9e826033c.exe  Anydesk.exe
  PID 968 wrote to memory of 2012  968  2fdb83691dfa4721f534b8b9e826033c.exe  Anydesk.exe
  PID 968 wrote to memory of 2012  968  2fdb83691dfa4721f534b8b9e826033c.exe  Anydesk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2fdb83691dfa4721f534b8b9e826033c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2fdb83691dfa4721f534b8b9e826033c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Anydesk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Anydesk.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Anydesk.exe
  Filesize: 5.3MB
  MD5: edf96608b397834176b2f7a3c505443b
  SHA1: c7c2e311a32197776029bdb04dfc15cdc9c37cbb
  SHA256: f33f9182711438fda43ad8bc6ee0d9334e8f6b39089d49556236cad0c2e7454e
  SHA512: eb1fbf70b1f9e1fc770f04ddb5bda971ac914dc3c20beb47095c8323cee12c4f83d5797ecd24a4ea1a9216b305ff193814a1a415003b445433330b9e18686b29
- \Users\Admin\AppData\Local\Temp\Anydesk.exe
  Filesize: 5.3MB
  MD5: edf96608b397834176b2f7a3c505443b
  SHA1: c7c2e311a32197776029bdb04dfc15cdc9c37cbb
  SHA256: f33f9182711438fda43ad8bc6ee0d9334e8f6b39089d49556236cad0c2e7454e
  SHA512: eb1fbf70b1f9e1fc770f04ddb5bda971ac914dc3c20beb47095c8323cee12c4f83d5797ecd24a4ea1a9216b305ff193814a1a415003b445433330b9e18686b29
- memory/968-54-0x0000000075211000-0x0000000075213000-memory.dmp
  Filesize: 8KB
- memory/2012-59-0x0000000000000000-mapping.dmp
- memory/2012-62-0x0000000000350000-0x0000000000BE2000-memory.dmp
  Filesize: 8.6MB
- memory/2012-65-0x0000000000350000-0x0000000000BE2000-memory.dmp
  Filesize: 8.6MB
- memory/2012-66-0x0000000000350000-0x0000000000BE2000-memory.dmp
  Filesize: 8.6MB