Analysis

  • max time kernel
    112s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 16:45

General

  • Target

    FOCVIVH.exe

  • Size

    3.5MB

  • MD5

    85c27c29bcd669111e83ece79e7e0a62

  • SHA1

    24cb399e0de0896709242e3e2cc2b0435d5c206e

  • SHA256

    c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9

  • SHA512

    9d01e2e090c553f3de1a85300f7faa36cee4a4e135ec47854529aaa1fe2fd2e0313b8202dbf875b6cc21e0a1ec46d1c1d379563ad7560470dd0a246c8bae7e99

  • SSDEEP

    24576:DqkwrOTxquuoM1iHVHv/Rkelbl1RWuetgVR04suAKluiCionxi3tWEvvbwDiqBQd:4uuoBVH7XRWFIDpkdj

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://5.2.70.65/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FOCVIVH.exe
    "C:\Users\Admin\AppData\Local\Temp\FOCVIVH.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe
        "C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4040
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
          4⤵
          • Creates scheduled task(s)
          PID:3724
        • C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
          "C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
          4⤵
          • Executes dropped EXE
          PID:3564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4536
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
              PID:1292
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:3212

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Remote System Discovery

    1
    T1018

    Collection

    Data from Local System

    2
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\mozglue.dll
      Filesize

      612KB

      MD5

      f07d9977430e762b563eaadc2b94bbfa

      SHA1

      da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

      SHA256

      4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

      SHA512

      6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

    • C:\Users\Admin\AppData\LocalLow\nss3.dll
      Filesize

      1.9MB

      MD5

      f67d08e8c02574cbc2f1122c53bfb976

      SHA1

      6522992957e7e4d074947cad63189f308a80fcf2

      SHA256

      c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

      SHA512

      2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

    • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
      Filesize

      1.0MB

      MD5

      dbf4f8dcefb8056dc6bae4b67ff810ce

      SHA1

      bbac1dd8a07c6069415c04b62747d794736d0689

      SHA256

      47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

      SHA512

      b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

    • C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe
      Filesize

      1.7MB

      MD5

      8cfa1da0104d3f7a83d30cd97e53b2f2

      SHA1

      968fecb371720afca1bd528287ca83407129cfc7

      SHA256

      897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15

      SHA512

      e914253b96c46ecb36e212d4bbe50d2614c5ccb29f5274a63bf063833e9616c813c75e5d484ea674e330ff445e6d51dc0cbbdff021a21b982a72dfc69be66356

    • C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe
      Filesize

      1.7MB

      MD5

      8cfa1da0104d3f7a83d30cd97e53b2f2

      SHA1

      968fecb371720afca1bd528287ca83407129cfc7

      SHA256

      897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15

      SHA512

      e914253b96c46ecb36e212d4bbe50d2614c5ccb29f5274a63bf063833e9616c813c75e5d484ea674e330ff445e6d51dc0cbbdff021a21b982a72dfc69be66356

    • C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
      Filesize

      371.9MB

      MD5

      9c953c410f5ac656773d7f18b3e8b7e0

      SHA1

      b68cf5147e848e810ed1a26248d3bf79137cef5c

      SHA256

      d70b128c7dd6b160b606c3f333780aee22c92dbd7a835bbf1adddb307a6293a4

      SHA512

      d9bc6133eabd8fda8255a110f65916b5df98ef7c583d98d84bff1ed36ccaef9fc5489a4b0bd7c787af1381ca51abc858e9984a36d4e8469a2f2b5a600def30ca

    • C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
      Filesize

      367.8MB

      MD5

      c2a537bac20fd16448579bd07b8afeb8

      SHA1

      ad0fb642b36f0c4f8fc7d24ede04a68fe08bd2b6

      SHA256

      001934ae24ec4682243f1a5a70b5b88e01b73828bb0411e3952c5d5c6aee3fb2

      SHA512

      18f9da24cc3245effa451a7e8bbf274180399dbc8ebd00068ba50ef4d206e6c42ae09fcaf18196e8a2896f6ade032074e76788685ad151031cdfd6494f508395

    • memory/1292-158-0x0000000000000000-mapping.dmp
    • memory/1740-132-0x0000000000830000-0x0000000000BB6000-memory.dmp
      Filesize

      3.5MB

    • memory/1740-138-0x00007FFE98780000-0x00007FFE99241000-memory.dmp
      Filesize

      10.8MB

    • memory/1740-134-0x00007FFE98780000-0x00007FFE99241000-memory.dmp
      Filesize

      10.8MB

    • memory/1740-133-0x00007FFE98780000-0x00007FFE99241000-memory.dmp
      Filesize

      10.8MB

    • memory/3212-159-0x0000000000000000-mapping.dmp
    • memory/3564-153-0x0000000000000000-mapping.dmp
    • memory/3724-152-0x0000000000000000-mapping.dmp
    • memory/4040-151-0x00000000036BD000-0x0000000003834000-memory.dmp
      Filesize

      1.5MB

    • memory/4040-149-0x00000000036BD000-0x0000000003834000-memory.dmp
      Filesize

      1.5MB

    • memory/4040-150-0x0000000002F39000-0x00000000036A2000-memory.dmp
      Filesize

      7.4MB

    • memory/4040-148-0x0000000002F39000-0x00000000036A2000-memory.dmp
      Filesize

      7.4MB

    • memory/4040-145-0x0000000000000000-mapping.dmp
    • memory/4040-157-0x00000000036BD000-0x0000000003834000-memory.dmp
      Filesize

      1.5MB

    • memory/4200-144-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

    • memory/4200-140-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

    • memory/4200-139-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

    • memory/4200-136-0x0000000000408597-mapping.dmp
    • memory/4200-135-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

    • memory/4536-156-0x0000000000000000-mapping.dmp