Analysis
max time kernel: 78s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2022 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 2fdb83691dfa4721f534b8b9e826033c.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 2fdb83691dfa4721f534b8b9e826033c.exe
  Resource: win10v2004-20220721-en
(The signatures, process tree and dumps below are from behavioral2, the Windows 10 run.)
General
Target: 2fdb83691dfa4721f534b8b9e826033c.exe (the sample is named after its own MD5)
Size: 5.4MB
MD5: 2fdb83691dfa4721f534b8b9e826033c
SHA1: 381fd9c7ed88b97511382cc87b769f02bae4c0aa
SHA256: b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7
SHA512: 8d15538d3b6e54592840117d23a694f7c16f2cb7395e3d54f800b135142394ee15aee961e17d834be02fa2019c0e46161bc5dee83ed8ece4557f0b7de0352449
Malware Config
Extracted family: raccoon
Extracted values (the page lists them without field names): a 32-hex-character value, 3d7feaf596b73f06759c9dbaa8490e71, and a C2-style URL, http://146.19.247.151/
Signatures

Raccoon Stealer payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4648-133-0x00000000007F0000-0x0000000001082000-memory.dmp | family_raccoon
behavioral2/memory/4648-135-0x00000000007F0000-0x0000000001082000-memory.dmp | family_raccoon
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
pid | process
4648 | Anydesk.exe

VMProtect-packed file (the signature heading is missing on the page; the name is inferred from the yara_rule column below)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Anydesk.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\Anydesk.exe | vmprotect
behavioral2/memory/4648-133-0x00000000007F0000-0x0000000001082000-memory.dmp | vmprotect
behavioral2/memory/4648-135-0x00000000007F0000-0x0000000001082000-memory.dmp | vmprotect
Note that only the vmprotect rule matches the dropped file on disk, while family_raccoon matches the process memory dumps alone: the stealer payload is visible only once the VMProtect-packed executable has unpacked itself at runtime, so a static scan of the dropped file would not identify the family.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | 2fdb83691dfa4721f534b8b9e826033c.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | process
4648 | Anydesk.exe
This is a common anti-debugging call (the calling thread stops delivering debug events to an attached debugger); seeing it in the VMProtect-packed child rather than in the parent is consistent with the packer's own protections.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's template text for this signature calls it likely ransomware behaviour; since the family detected in this run is a stealer, drive enumeration here is more consistent with locating files to collect than with encryption.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4648 | Anydesk.exe
4648 | Anydesk.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 2844 wrote to memory of 4648 | 2844 | 2fdb83691dfa4721f534b8b9e826033c.exe | Anydesk.exe
PID 2844 wrote to memory of 4648 | 2844 | 2fdb83691dfa4721f534b8b9e826033c.exe | Anydesk.exe
PID 2844 wrote to memory of 4648 | 2844 | 2fdb83691dfa4721f534b8b9e826033c.exe | Anydesk.exe
A parent writing a few times into a child it has just created is consistent with ordinary process start-up, so these records alone do not establish injection; the Raccoon identification rests on the family_raccoon matches in the child's own memory, not on the write count.
Processes
C:\Users\Admin\AppData\Local\Temp\2fdb83691dfa4721f534b8b9e826033c.exe  "C:\Users\Admin\AppData\Local\Temp\2fdb83691dfa4721f534b8b9e826033c.exe"  (depth 1, PID 2844)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Anydesk.exe  "C:\Users\Admin\AppData\Local\Temp\Anydesk.exe"  (depth 2, PID 4648, child of 2844)
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Anydesk.exe (the page lists this file twice with identical hashes)
Filesize: 5.3MB
MD5: edf96608b397834176b2f7a3c505443b
SHA1: c7c2e311a32197776029bdb04dfc15cdc9c37cbb
SHA256: f33f9182711438fda43ad8bc6ee0d9334e8f6b39089d49556236cad0c2e7454e
SHA512: eb1fbf70b1f9e1fc770f04ddb5bda971ac914dc3c20beb47095c8323cee12c4f83d5797ecd24a4ea1a9216b305ff193814a1a415003b445433330b9e18686b29
The file name mimics the AnyDesk remote-access client, but its hashes differ from the parent sample and its process memory matches the family_raccoon rule above, so the name is a lure and should not be treated as the legitimate client; block on the hashes, not the name.
memory/4648-130-0x0000000000000000-mapping.dmp
memory/4648-133-0x00000000007F0000-0x0000000001082000-memory.dmp  Filesize: 8.6MB
memory/4648-135-0x00000000007F0000-0x0000000001082000-memory.dmp  Filesize: 8.6MB
(The dumped range 0x7F0000-0x1082000 spans 0x892000 = 8,986,624 bytes, which is the 8.6MB shown.)
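The signature tables and the memory-dump listing above are flattened one-line records, which is awkward to pivot on. The script below is an added example, not the report's or the sandbox vendor's tooling: it parses those records back into a process edge list, per-process memory ranges and per-process YARA tags, then reports which child process both received writes from a parent and carries a family rule match in its own memory. The record strings are copied from this report; the regular expressions, the split of YARA names into "family_" tags versus packer tags, and the payload_processes heuristic are this example's assumptions about the record layout.

```python
"""Structured IOC extraction from the flattened sandbox records above.

Added example; not the report's own tooling. Record strings are copied
from the report; the regexes and the family/packer split are assumptions
about how the records are laid out.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the three identical WriteProcessMemory records from the report.
WRITE_RECORDS = [
    "PID 2844 wrote to memory of 4648 2844 "
    "2fdb83691dfa4721f534b8b9e826033c.exe Anydesk.exe"
] * 3

# Constructed input: dump names from the report (the mapping dump has no address range).
MEMORY_DUMPS = [
    "memory/4648-130-0x0000000000000000-mapping.dmp",
    "memory/4648-133-0x00000000007F0000-0x0000000001082000-memory.dmp",
    "memory/4648-135-0x00000000007F0000-0x0000000001082000-memory.dmp",
]

# Constructed input: YARA rule names per resource, as the signature tables list them.
YARA_HITS = {
    MEMORY_DUMPS[1]: {"family_raccoon", "vmprotect"},
    MEMORY_DUMPS[2]: {"family_raccoon", "vmprotect"},
    r"C:\Users\Admin\AppData\Local\Temp\Anydesk.exe": {"vmprotect"},
}

# Assumed record layouts (derived from the rows above, not a documented format).
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_writes(records):
    """Collapse repeated WriteProcessMemory records into (src_pid, dst_pid) -> count
    and remember each pid's image name."""
    edges, images = Counter(), {}
    for rec in records:
        m = WRITE_RE.match(rec)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    return edges, images


def parse_regions(dump_names):
    """pid -> set of (start, end) for dumps that carry an address range."""
    regions = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            regions[m.group(1)].add((int(m.group(2), 16), int(m.group(3), 16)))
    return dict(regions)


def region_size(start, end):
    """Bytes covered by a dumped range; the report rounds this to 8.6MB."""
    return end - start


def tags_for_pid(pid, yara_hits):
    """Split YARA names on a pid's memory dumps into families (family_*) and packers."""
    families, packers = set(), set()
    for name, tags in yara_hits.items():
        m = DUMP_RE.match(name)
        if m and m.group(1) == pid:
            for t in tags:
                if t.startswith("family_"):
                    families.add(t[len("family_"):])
                else:
                    packers.add(t)
    return families, packers


def payload_processes(edges, images, yara_hits):
    """Children written to by a parent whose own memory matches a family rule.

    The write count is carried along but is not the deciding signal: a parent
    writing into a child it just created is normal start-up behaviour (an
    assumption stated in the prose above); the family match on the child's
    memory is what identifies the payload process."""
    found = {}
    for (src, dst), n in edges.items():
        families, packers = tags_for_pid(dst, yara_hits)
        if families:
            found[dst] = {
                "image": images[dst],
                "parent": src,
                "parent_image": images[src],
                "writes": n,
                "families": sorted(families),
                "packers": sorted(packers),
            }
    return found


if __name__ == "__main__":
    edges, images = parse_writes(WRITE_RECORDS)
    for pid, info in payload_processes(edges, images, YARA_HITS).items():
        print(pid, info)
    for pid, ranges in parse_regions(MEMORY_DUMPS).items():
        for start, end in ranges:
            print(f"{pid} 0x{start:X}-0x{end:X} {region_size(start, end):,} bytes")
```

Run as-is it reports PID 4648 (Anydesk.exe, parent 2844) with family raccoon and packer vmprotect, and the single dumped range of 8,986,624 bytes; feeding it the same record shapes from another report of this sandbox only requires replacing the constructed input lists.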