Analysis
- max time kernel: 58s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 07-08-2022 04:25
Static task: static1
Behavioral task: behavioral1
- Sample: b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
- Resource: win10v2004-20220721-en
General
- Target: b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
- Size: 5.4MB
- MD5: 2fdb83691dfa4721f534b8b9e826033c
- SHA1: 381fd9c7ed88b97511382cc87b769f02bae4c0aa
- SHA256: b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7
- SHA512: 8d15538d3b6e54592840117d23a694f7c16f2cb7395e3d54f800b135142394ee15aee961e17d834be02fa2019c0e46161bc5dee83ed8ece4557f0b7de0352449
Malware Config
Extracted
- Family: raccoon
- 3d7feaf596b73f06759c9dbaa8490e71
- http://146.19.247.151/
Signatures
Raccoon Stealer payload 4 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1792-62-0x0000000000A10000-0x00000000012A2000-memory.dmp / family_raccoon
- behavioral1/memory/1792-64-0x0000000000A10000-0x00000000012A2000-memory.dmp / family_raccoon
- behavioral1/memory/1792-66-0x0000000000A10000-0x00000000012A2000-memory.dmp / family_raccoon
- behavioral1/memory/1792-67-0x0000000000A10000-0x00000000012A2000-memory.dmp / family_raccoon
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 1792 / Anydesk.exe
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\Anydesk.exe / vmprotect
- \Users\Admin\AppData\Local\Temp\Anydesk.exe / vmprotect
- \Users\Admin\AppData\Local\Temp\Anydesk.exe / vmprotect
- \Users\Admin\AppData\Local\Temp\Anydesk.exe / vmprotect
- C:\Users\Admin\AppData\Local\Temp\Anydesk.exe / vmprotect
- C:\Users\Admin\AppData\Local\Temp\Anydesk.exe / vmprotect
- behavioral1/memory/1792-62-0x0000000000A10000-0x00000000012A2000-memory.dmp / vmprotect
- behavioral1/memory/1792-64-0x0000000000A10000-0x00000000012A2000-memory.dmp / vmprotect
- behavioral1/memory/1792-66-0x0000000000A10000-0x00000000012A2000-memory.dmp / vmprotect
- behavioral1/memory/1792-67-0x0000000000A10000-0x00000000012A2000-memory.dmp / vmprotect
Loads dropped DLL 4 IoCs
Processes (pid / process):
- 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
- 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
- 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
- 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid / process):
- 1792 / Anydesk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid / process):
- 1792 / Anydesk.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes (description / pid / process / target process):
- PID 1800 wrote to memory of 1792 / 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe / Anydesk.exe
- PID 1800 wrote to memory of 1792 / 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe / Anydesk.exe
- PID 1800 wrote to memory of 1792 / 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe / Anydesk.exe
- PID 1800 wrote to memory of 1792 / 1800 / b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe / Anydesk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b20218ce17c3ddf455af2367397eda4e28d400484687c9d6b720e6e388a5b6d7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Anydesk.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Anydesk.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Anydesk.exe
  Filesize: 5.3MB
  MD5: edf96608b397834176b2f7a3c505443b
  SHA1: c7c2e311a32197776029bdb04dfc15cdc9c37cbb
  SHA256: f33f9182711438fda43ad8bc6ee0d9334e8f6b39089d49556236cad0c2e7454e
  SHA512: eb1fbf70b1f9e1fc770f04ddb5bda971ac914dc3c20beb47095c8323cee12c4f83d5797ecd24a4ea1a9216b305ff193814a1a415003b445433330b9e18686b29
- \Users\Admin\AppData\Local\Temp\Anydesk.exe
  Filesize: 5.3MB
  MD5: edf96608b397834176b2f7a3c505443b
  SHA1: c7c2e311a32197776029bdb04dfc15cdc9c37cbb
  SHA256: f33f9182711438fda43ad8bc6ee0d9334e8f6b39089d49556236cad0c2e7454e
  SHA512: eb1fbf70b1f9e1fc770f04ddb5bda971ac914dc3c20beb47095c8323cee12c4f83d5797ecd24a4ea1a9216b305ff193814a1a415003b445433330b9e18686b29
- memory/1792-59-0x0000000000000000-mapping.dmp
- memory/1792-62-0x0000000000A10000-0x00000000012A2000-memory.dmp
  Filesize: 8.6MB
- memory/1792-64-0x0000000000A10000-0x00000000012A2000-memory.dmp
  Filesize: 8.6MB
- memory/1792-66-0x0000000000A10000-0x00000000012A2000-memory.dmp
  Filesize: 8.6MB
- memory/1792-67-0x0000000000A10000-0x00000000012A2000-memory.dmp
  Filesize: 8.6MB
- memory/1800-54-0x0000000075D41000-0x0000000075D43000-memory.dmp
  Filesize: 8KB