Analysis
-
max time kernel
21s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
28-09-2022 20:33
General
-
Target
IPPMKEK.exe
-
Size
4.1MB
-
MD5
82c470c652ce1f039edb6486f878f766
-
SHA1
425a90761731d3d4867a0e4628d46cf1c4856f44
-
SHA256
792d8bfb5e0660c8967fa84902963bbd3ccc345f9e17f777c6d016343655afdf
-
SHA512
bee0e81e11f8a4457b89dee54a26ff8148e520d7049df77d0a2705bb92402f3f6814b1e103dc17a267ee7874821f4ed0567e2aa50841247748cc534a57bde92a
-
SSDEEP
98304:8HswGIPlWbxvQ04sgyZ6L1ympDF73twzC/:8bL4ldgyZqI8DF7MC/
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
9b19cf60d9bdf65b8a2495aa965456c3
C2
http://94.131.107.206
rc4.plain
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\IPPMKEK.exe"C:\Users\Admin\AppData\Local\Temp\IPPMKEK.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1480-65-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-67-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-72-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-70-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-68-0x0000000000408597-mapping.dmp
-
memory/1480-59-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-62-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-64-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1480-60-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2036-54-0x0000000076681000-0x0000000076683000-memory.dmpFilesize
8KB
-
memory/2036-55-0x0000000000040000-0x0000000000464000-memory.dmpFilesize
4.1MB
-
memory/2036-58-0x0000000002740000-0x00000000027A4000-memory.dmpFilesize
400KB
-
memory/2036-57-0x0000000000040000-0x0000000000464000-memory.dmpFilesize
4.1MB
-
memory/2036-56-0x0000000000040000-0x0000000000464000-memory.dmpFilesize
4.1MB
-
memory/2036-73-0x0000000000040000-0x0000000000464000-memory.dmpFilesize
4.1MB