Overview

overview

10

Static

static

Download-0...9.html

windows7-x64

10

Download-0...9.html

windows10-2004-x64

10

Analysis

  • max time kernel
    504s
  • max time network
    510s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2022 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Download-07-04-19.html

  • Size

    6KB

  • MD5

    fdf285faa9ebb125f479f9dcaa460bed

  • SHA1

    11d5c8b9ec3316079eb03b4537d6c7c14726c7ac

  • SHA256

    72a5c757284def375d51e6b90aea5df9ad99d1b7765029ab19a485c8f59dc903

  • SHA512

    7c9f27a8e89713445f51a484ed6f8fb9fc40d15de9ce69a279e4e64a3dc2b121e6e3980f58b1d8f7cf94d4701695eaa356288e87c0570f1010158a8951d06dd0

Score
10/10
raccoon8f4e4706e9b4e3a904862901d32e2123stealer

Malware Config

Extracted

Family

raccoon

Botnet

8f4e4706e9b4e3a904862901d32e2123

C2

http://78.159.97.21/

http://78.159.103.195

http://78.159.103.196
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer payload 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Download-07-04-19.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4480
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:17412 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1508
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3096.0.1937883635\220280769" -parentBuildID 20200403170909 -prefsHandle 1720 -prefMapHandle 1608 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3096 "\\.\pipe\gecko-crash-server-pipe.3096" 1800 gpu
        3⤵
          PID:4844
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3096.3.1595932548\941868320" -childID 1 -isForBrowser -prefsHandle 2416 -prefMapHandle 2448 -prefsLen 78 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3096 "\\.\pipe\gecko-crash-server-pipe.3096" 2372 tab
          3⤵
            PID:3272
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3096.13.949966046\1658813602" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 1552 -prefsLen 6860 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3096 "\\.\pipe\gecko-crash-server-pipe.3096" 3432 tab
            3⤵
              PID:5384
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:6024
          • C:\Users\Admin\Desktop\Software\launch.exe
            "C:\Users\Admin\Desktop\Software\launch.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:5956
          • C:\Users\Admin\Desktop\Software\launch.exe
            "C:\Users\Admin\Desktop\Software\launch.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:5580
          • C:\Users\Admin\Desktop\Software\launch.exe
            "C:\Users\Admin\Desktop\Software\launch.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:648
          • C:\Users\Admin\Desktop\Software\launch.exe
            "C:\Users\Admin\Desktop\Software\launch.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:6772
          • C:\Users\Admin\Desktop\Software\launch.exe
            "C:\Users\Admin\Desktop\Software\launch.exe"
            1⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:6492

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\kt9o6s3\imagestore.dat
            Filesize

            6KB

            MD5

            dabf618b49ecb74e4c523b73123806e0

            SHA1

            9eec0152786ff5495f6d7cf887eeb0fb6d2c148a

            SHA256

            1e9ca63ff58189f410daafc2819830e6ce2e83fd1f0ca223added213bb3a8e37

            SHA512

            7cfd301f6a37ba8c8174241cc440f3ac5fe356559e40e23bfa4afc9ab15151d45c70a78c1204fc046d5499db7331ee81844a226033687fc176568b70a5dff5a1

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0S6OBVY5\favicon[1].ico
            Filesize

            6KB

            MD5

            72f13fa5f987ea923a68a818d38fb540

            SHA1

            f014620d35787fcfdef193c20bb383f5655b9e1e

            SHA256

            37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

            SHA512

            b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

            Download Submit
          • memory/648-142-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/648-140-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5580-139-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5580-150-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5580-137-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5956-135-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5956-136-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5956-133-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/5956-132-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/6492-146-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/6492-148-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/6492-149-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/6772-143-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download
          • memory/6772-145-0x0000000000180000-0x0000000000C2B000-memory.dmp
            Filesize

            10.7MB

            Download