Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20-09-2022 20:22
General
-
Target
Setup.exe
-
Size
700.0MB
-
MD5
9438ae7dc36c6bdb54ab76d511d6f674
-
SHA1
e518a130b77432e5c266e33bf13eeb68237883a3
-
SHA256
aa546d18a4474e37352ceead9d799312f932f07b1cba26adf8e626d8ad0c152c
-
SHA512
9268d5b182713a8ebca656135c1407c3e64465d808111e3f975905da34a0745e2e6daafc432da3e9345feb3110854f6a898533c1995dc72d58b1b7b56b97d4f2
-
SSDEEP
1536:3Id1qx6P4H4+Y1fUukhVuM94fHqHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHz:H4+Y18fHOMMMMZMMMMMMMMMMMMJg
Malware Config
Extracted
raccoon
7be6431f3fa3eaa6e36b23bbc5559b9a
http://77.73.133.69/
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1524-132-0x0000000000C20000-0x0000000000C58000-memory.dmpFilesize
224KB
-
memory/1524-133-0x00000000093F0000-0x0000000009412000-memory.dmpFilesize
136KB
-
memory/2668-142-0x0000000000000000-mapping.dmp
-
memory/3580-140-0x00000000072E0000-0x000000000795A000-memory.dmpFilesize
6.5MB
-
memory/3580-136-0x0000000004F30000-0x0000000005558000-memory.dmpFilesize
6.2MB
-
memory/3580-137-0x0000000004D80000-0x0000000004DE6000-memory.dmpFilesize
408KB
-
memory/3580-138-0x0000000004DF0000-0x0000000004E56000-memory.dmpFilesize
408KB
-
memory/3580-139-0x0000000005C80000-0x0000000005C9E000-memory.dmpFilesize
120KB
-
memory/3580-135-0x0000000002690000-0x00000000026C6000-memory.dmpFilesize
216KB
-
memory/3580-141-0x0000000006180000-0x000000000619A000-memory.dmpFilesize
104KB
-
memory/3580-134-0x0000000000000000-mapping.dmp
-
memory/3804-143-0x0000000000000000-mapping.dmp
-
memory/3804-144-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3804-146-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3804-147-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3804-148-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB