Analysis
-
max time kernel
80s -
max time network
72s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
16-12-2022 12:46
General
-
Target
ChromeSetup.exe
-
Size
335.3MB
-
MD5
6332e0bfbd291e2e5eb975fe505a41bb
-
SHA1
21aa54aac93983b7dfeb99ec5d7b0a171f878c41
-
SHA256
7aa136cc562458b6b08662f4229c81253abdcb9fae7a12e74624e62558cd3d63
-
SHA512
dff55fb17c9a1acd47b9cc63fc14aa317b95c8d293ea73448844db733a45b2554cf2f3d29d4500d658c1e7ae69f6e2b4b3e0624e6b753c94296db58f776ce299
-
SSDEEP
49152:pA2V4sA5q3dE0FLynxOE8ucNGkiLAiB6VoI36Bj08Qdk:pA9WE0UJkiEpZ36Bvr
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
97ba7f533329d8e5450500fe0b5beb39
C2
http://94.131.98.162/
rc4.plain
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exeC:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1684-69-0x00000000004088B5-mapping.dmp
-
memory/1684-73-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1684-71-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1684-68-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1684-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1684-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1684-65-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1684-67-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1780-55-0x0000000004A70000-0x0000000004C74000-memory.dmpFilesize
2.0MB
-
memory/1780-56-0x0000000075991000-0x0000000075993000-memory.dmpFilesize
8KB
-
memory/1780-54-0x0000000000B70000-0x0000000000D7C000-memory.dmpFilesize
2.0MB
-
memory/2024-57-0x0000000000000000-mapping.dmp
-
memory/2024-61-0x000000006E4B0000-0x000000006EA5B000-memory.dmpFilesize
5.7MB
-
memory/2024-60-0x000000006E4B0000-0x000000006EA5B000-memory.dmpFilesize
5.7MB
-
memory/2024-59-0x000000006E4B0000-0x000000006EA5B000-memory.dmpFilesize
5.7MB