Analysis
-
max time kernel
84s -
max time network
81s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23-09-2022 01:31
General
-
Target
Setup/Setup.exe
-
Size
700.0MB
-
MD5
9438ae7dc36c6bdb54ab76d511d6f674
-
SHA1
e518a130b77432e5c266e33bf13eeb68237883a3
-
SHA256
aa546d18a4474e37352ceead9d799312f932f07b1cba26adf8e626d8ad0c152c
-
SHA512
9268d5b182713a8ebca656135c1407c3e64465d808111e3f975905da34a0745e2e6daafc432da3e9345feb3110854f6a898533c1995dc72d58b1b7b56b97d4f2
-
SSDEEP
1536:3Id1qx6P4H4+Y1fUukhVuM94fHqHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHz:H4+Y18fHOMMMMZMMMMMMMMMMMMJg
Malware Config
Extracted
raccoon
7be6431f3fa3eaa6e36b23bbc5559b9a
http://77.73.133.69/
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup\Setup.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/320-71-0x0000000000408597-mapping.dmp
-
memory/320-67-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-75-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-73-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-63-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-70-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-68-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-62-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/320-65-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/976-58-0x0000000000000000-mapping.dmp
-
memory/976-61-0x000000006E980000-0x000000006EF2B000-memory.dmpFilesize
5.7MB
-
memory/976-60-0x000000006E980000-0x000000006EF2B000-memory.dmpFilesize
5.7MB
-
memory/1172-55-0x00000000008E0000-0x0000000000918000-memory.dmpFilesize
224KB
-
memory/1172-54-0x0000000075571000-0x0000000075573000-memory.dmpFilesize
8KB
-
memory/1172-57-0x00000000054D0000-0x0000000005562000-memory.dmpFilesize
584KB
-
memory/1172-56-0x0000000000A60000-0x0000000000B10000-memory.dmpFilesize
704KB