Overview

overview

10

Static

static

autoplay.exe

windows10-1703-x64

10

autorun.dll

windows10-1703-x64

1

Analysis

  • max time kernel
    78s
  • max time network
    81s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-09-2022 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    autoplay.exe

  • Size

    2.5MB

  • MD5

    c4379188fbebcf19fb52982a07ad97e5

  • SHA1

    5959c3a2c4173a2ac35dda00692dd5b402b950ad

  • SHA256

    0933f4936176e06ade6b661f36423892a9553e92cf1d4ad8e20cfb9a83dc029c

  • SHA512

    e55ef130b26a3056bd5a1dfef2ef57bf28fe541d4b3903c238d308c8f1a999e20349a695c3ee420ac0ca77015bdfd4d9afda7c8982a6804ea7073c62f9253228

  • SSDEEP

    49152:KR+W+FYXeCasCDnkh4bC6ZD40PFL/xl3V:KR+W+F6eCZCDnkh+40PFL/V

Score
10/10
raccoon82b47b435e53e7fb9a7380684546ba5cspywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

82b47b435e53e7fb9a7380684546ba5c

C2

http://77.73.133.23/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\autoplay.exe
    "C:\Users\Admin\AppData\Local\Temp\autoplay.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:101708
      • C:\Users\Admin\AppData\Roaming\P6lh6DT5.exe
        "C:\Users\Admin\AppData\Roaming\P6lh6DT5.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:102188
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:101696

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\P6lh6DT5.exe
      Filesize

      3.2MB

      MD5

      872cdcada5bfb5e36981c45825e4fef0

      SHA1

      3d33e62634752087f873432343952e482e950283

      SHA256

      6b9ce9305643a49e11668d09319671b49504563b7b0eecc801ec860b63dad5c0

      SHA512

      29f9862be04c8edf7a7586dd317022aab2fe6466c257e1cd6dce6b0081dde5cbfc1cd6cfc1e030803771bc7b9db27c4af83ce5bff5c01bb14e84037874257bea

      Download Submit
    • C:\Users\Admin\AppData\Roaming\P6lh6DT5.exe
      Filesize

      3.2MB

      MD5

      872cdcada5bfb5e36981c45825e4fef0

      SHA1

      3d33e62634752087f873432343952e482e950283

      SHA256

      6b9ce9305643a49e11668d09319671b49504563b7b0eecc801ec860b63dad5c0

      SHA512

      29f9862be04c8edf7a7586dd317022aab2fe6466c257e1cd6dce6b0081dde5cbfc1cd6cfc1e030803771bc7b9db27c4af83ce5bff5c01bb14e84037874257bea

      Download Submit
    • \Users\Admin\AppData\LocalLow\mozglue.dll
      Filesize

      612KB

      MD5

      f07d9977430e762b563eaadc2b94bbfa

      SHA1

      da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

      SHA256

      4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

      SHA512

      6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

      Download Submit
    • \Users\Admin\AppData\LocalLow\nss3.dll
      Filesize

      1.9MB

      MD5

      f67d08e8c02574cbc2f1122c53bfb976

      SHA1

      6522992957e7e4d074947cad63189f308a80fcf2

      SHA256

      c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

      SHA512

      2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

      Download Submit
    • \Users\Admin\AppData\LocalLow\sqlite3.dll
      Filesize

      1.0MB

      MD5

      dbf4f8dcefb8056dc6bae4b67ff810ce

      SHA1

      bbac1dd8a07c6069415c04b62747d794736d0689

      SHA256

      47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

      SHA512

      b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

      Download Submit
    • memory/4248-151-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-126-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-121-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-122-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-123-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-124-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-125-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-157-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-127-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-129-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-128-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-130-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-131-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-132-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-133-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-134-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-135-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-136-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-137-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-138-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-140-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-141-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-142-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-144-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-146-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-147-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-149-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-153-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-155-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-154-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-156-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-120-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-152-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-150-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-148-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-145-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-143-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4248-139-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101696-307-0x00000000007167D3-mapping.dmp
      Download
    • memory/101708-175-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-169-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-173-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-178-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-177-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-170-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-171-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-176-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-165-0x00000000001A8597-mapping.dmp
      Download
    • memory/101708-172-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-167-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-166-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-168-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-179-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-158-0x00000000001A0000-0x00000000001B4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/101708-180-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-181-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-182-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-174-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/101708-183-0x0000000076E80000-0x000000007700E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/102188-253-0x0000000000000000-mapping.dmp
      Download