raccoon | hxxp://asvajvdyjsxxg[.]top/strong/mix[.]exe

General

Target

http://asvajvdyjsxxg.top/strong/mix.exe

Score

10^/10

raccoon 839b5f035af17fe32dbee0ca113be5fc stealer

Malware Config

Extracted

Family

raccoon

Botnet

839b5f035af17fe32dbee0ca113be5fc

C2

http://89.185.85.53/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1112-56-0x00000000013D0000-0x0000000001E7E000-memory.dmp	family_raccoon
behavioral1/memory/1112-59-0x00000000013D0000-0x0000000001E7E000-memory.dmp	family_raccoon
behavioral1/memory/1112-61-0x00000000013D0000-0x0000000001E7E000-memory.dmp	family_raccoon

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

mix.exe

pid process

1112 mix.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

mix.exe

pid process

1112 mix.exe
1112 mix.exe

pid	process
1112	mix.exe

pid	process
1112	mix.exe
1112	mix.exe

Drops file in Windows directory 2 IoCs

Processes:

iexplore.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	iexplore.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	iexplore.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 706b17eafbabd801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40aa87fcfbabd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366820112"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f00000000020000000000106600000001000020000000f45e9bbf2b55fa5005483f1518cf09a3b04086f7b39c19092bb7dc5eafa10f2e000000000e8000000002000020000000a4ceb5e2114f67ca8af335ebca19c9882a242270766ec9168d775d7cbcd7becc2000000003e89ed9df6ee6581698d56d8475accb016a2559f451cc29e5a174d9e1a9833940000000f89ed9573667fb4a4c7d4de6d5fff8e887cdec4bfd87a1906e0c6d554c9590306b50fdf109169e61ba89879c2459f98437e85163b4cca94df820d8dc59a6e2d9	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{22C805B1-17EF-11ED-AB08-D6EBA2E337EB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f0000000002000000000010660000000100002000000088239819a6474978fef63de229ce4243bf4bfdacc1681d00c238b0e8c4cf9c77000000000e8000000002000020000000fa273052f571d3fd9d06832205c2fd08000687b9904c8d96fe9e1229564e89c7900000009e3bb60bab696dccf1cd5e8c6ac61f63b7243a6c3627f551c44f2b7302f2272d1a58d3b95461a432e02a5f81578496473a7c612403d14ff5ab1d24e0ef654fbf72856d6858fc2a91365a6481425f99f7b840cd3ea56288e8052c441c45e6cf96e67b44a52456c5a989ca4690afd97f0b80fc16e80733698b09dc308c6f15157233e661595d19de12a2fda049c2e7f7a7400000005b2f4dfa9f63bb3d14e800a30d1fb9547391650dd2c961785af49ed10b40728162504c0729f582fd446acec5cef975a094b0abf651698ee13a2036a5c569d73b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 48 IoCs

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_Classes\Local Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

mix.exe

pid process

1112 mix.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1208 iexplore.exe
1208 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1208 iexplore.exe
1208 iexplore.exe
624 IEXPLORE.EXE
624 IEXPLORE.EXE
1208 iexplore.exe

pid	process
1112	mix.exe

pid	process
1208	iexplore.exe
1208	iexplore.exe

pid	process
1208	iexplore.exe
1208	iexplore.exe
624	IEXPLORE.EXE
624	IEXPLORE.EXE
1208	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1208 wrote to memory of 624	1208	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 624	1208	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 624	1208	iexplore.exe	IEXPLORE.EXE
PID 1208 wrote to memory of 624	1208	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://asvajvdyjsxxg.top/strong/mix.exe
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:624

C:\Users\Admin\Desktop\mix.exe
"C:\Users\Admin\Desktop\mix.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BH7BEU6D.txt
Filesize
603B

MD5
b85c01ce0e6a4578546b6ae0018e1481

SHA1
d50842188f9ef355434bfc61e30a4320403ea974

SHA256
6467fffb00b31260fd8aac652eb8f3a458af052cd01e10b21a74c76b06555c8f

SHA512
889d565e50e65dc5bdbf8d1958a13292b9232e9849d7267cb0bdc56b1d60c6d4f3c4acedfe432688854f5a25d69c2082d64dd8dae952e119c0e2fa39d0edf6c6

Download Submit
C:\Users\Admin\Desktop\mix.exe
Filesize
6.9MB

MD5
7fd10ec76e8a107153675911c53bb528

SHA1
f684b8945603023195665519878bb04da5623181

SHA256
bb014ee6df367a7536b5884058a370a029268ec576de51f0e29401413083a25b

SHA512
ee481eeb1b5c9611f2e7ec1e4857eb877f90394b69947820a6b3257a431cdf99f9d9ea7326a89c351a554cd9f9442b9e62300b16d04948ae4af4604117e6b9f3

Download Submit
C:\Users\Admin\Desktop\mix.exe.7wpaxg3.partial
Filesize
6.9MB

MD5
7fd10ec76e8a107153675911c53bb528

SHA1
f684b8945603023195665519878bb04da5623181

SHA256
bb014ee6df367a7536b5884058a370a029268ec576de51f0e29401413083a25b

SHA512
ee481eeb1b5c9611f2e7ec1e4857eb877f90394b69947820a6b3257a431cdf99f9d9ea7326a89c351a554cd9f9442b9e62300b16d04948ae4af4604117e6b9f3

Download Submit
memory/1112-56-0x00000000013D0000-0x0000000001E7E000-memory.dmp

Filesize
10.7MB

Download
memory/1112-58-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1112-59-0x00000000013D0000-0x0000000001E7E000-memory.dmp

Filesize
10.7MB

Download
memory/1112-61-0x00000000013D0000-0x0000000001E7E000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads