Analysis
- max time kernel: 121s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2023 22:44
- Static task: static1
- Behavioral task: behavioral1
  Sample: d74c5647d791583241baa5061e0063c9.exe
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: d74c5647d791583241baa5061e0063c9.exe
  Resource: win10v2004-20220812-en
General
- Target: d74c5647d791583241baa5061e0063c9.exe
- Size: 394KB
- MD5: d74c5647d791583241baa5061e0063c9
- SHA1: e404c6041dca2f3b767231e38dfca8faecca10ca
- SHA256: bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
- SHA512: 7a60a3dc49c64f35a7d9b8838e45cb687f023778f65feb3c89d2465306bf1bfc300022e0ac1fbc7c2f5f8c69ce6b2bf78cabf2519a0919552d14ea4734ab579e
- SSDEEP: 12288:rkNkHyWEXeqvQYVby7+OLn2yTp/uzdGDHpc:skDqvQYV+qOL2y9/uzdGL

Malware Config
Extracted
- Family: raccoon
- 6c8968d2498b99bf2d581580178f5f14
- http://krrkrkrgsa.ink/
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: x01QvMGk.exe, ntlhost.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (x01QvMGk.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ntlhost.exe)
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes: x01QvMGk.exe, CSJjkhi7.exe, ntlhost.exe
  PID 1412 x01QvMGk.exe
  PID 400 CSJjkhi7.exe
  PID 3604 ntlhost.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: x01QvMGk.exe, ntlhost.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (x01QvMGk.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (x01QvMGk.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ntlhost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ntlhost.exe)
- Loads dropped DLL (3 IoCs)
  Processes: AddInProcess32.exe
  PID 1032 AddInProcess32.exe (3 identical entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  YARA rule "themida" matched on the following resources:
  C:\Users\Admin\AppData\Roaming\x01QvMGk.exe (2 identical entries)
  behavioral2/memory/1412-148-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/1412-147-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/1412-151-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/1412-154-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/1412-155-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/1412-156-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/1412-157-0x0000000000050000-0x0000000000A64000-memory.dmp
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (2 identical entries)
  behavioral2/memory/1412-163-0x0000000000050000-0x0000000000A64000-memory.dmp
  behavioral2/memory/3604-164-0x0000000000730000-0x0000000001144000-memory.dmp
  behavioral2/memory/3604-167-0x0000000000730000-0x0000000001144000-memory.dmp
  behavioral2/memory/3604-168-0x0000000000730000-0x0000000001144000-memory.dmp
  behavioral2/memory/3604-169-0x0000000000730000-0x0000000001144000-memory.dmp
  behavioral2/memory/3604-170-0x0000000000730000-0x0000000001144000-memory.dmp
  behavioral2/memory/3604-171-0x0000000000730000-0x0000000001144000-memory.dmp
  behavioral2/memory/3604-173-0x0000000000730000-0x0000000001144000-memory.dmp
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: x01QvMGk.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" (x01QvMGk.exe)
- Checks whether UAC is enabled
  Processes: ntlhost.exe, x01QvMGk.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ntlhost.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (x01QvMGk.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: x01QvMGk.exe, ntlhost.exe
  PID 1412 x01QvMGk.exe
  PID 3604 ntlhost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: d74c5647d791583241baa5061e0063c9.exe
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) set thread context of PID 1032 (AddInProcess32.exe)
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  HTTP User-Agent header, flow 67: Go-http-client/1.1
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: d74c5647d791583241baa5061e0063c9.exe
  PID 5040 d74c5647d791583241baa5061e0063c9.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: d74c5647d791583241baa5061e0063c9.exe
  Token: SeDebugPrivilege, PID 5040 d74c5647d791583241baa5061e0063c9.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: d74c5647d791583241baa5061e0063c9.exe, AddInProcess32.exe, CSJjkhi7.exe, cmd.exe, x01QvMGk.exe
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 2568 (ilasm.exe) (2 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 1304 (ngen.exe) (2 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 3528 (vbc.exe) (2 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 5028 (mscorsvw.exe) (2 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 2248 (jsc.exe) (3 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 1028 (aspnet_wp.exe) (2 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 724 (RegAsm.exe) (2 entries)
  PID 5040 (d74c5647d791583241baa5061e0063c9.exe) wrote to memory of PID 1032 (AddInProcess32.exe) (8 entries)
  PID 1032 (AddInProcess32.exe) wrote to memory of PID 1412 (x01QvMGk.exe) (2 entries)
  PID 1032 (AddInProcess32.exe) wrote to memory of PID 400 (CSJjkhi7.exe) (2 entries)
  PID 400 (CSJjkhi7.exe) wrote to memory of PID 508 (cmd.exe) (2 entries)
  PID 508 (cmd.exe) wrote to memory of PID 3716 (choice.exe) (2 entries)
  PID 1412 (x01QvMGk.exe) wrote to memory of PID 3604 (ntlhost.exe) (2 entries)
Processes (indentation shows the parent/child level of the process tree)
- Level 1: C:\Users\Admin\AppData\Local\Temp\d74c5647d791583241baa5061e0063c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d74c5647d791583241baa5061e0063c9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  - Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Roaming\x01QvMGk.exe
      Command line: "C:\Users\Admin\AppData\Roaming\x01QvMGk.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Level 3: C:\Users\Admin\AppData\Roaming\CSJjkhi7.exe
      Command line: "C:\Users\Admin\AppData\Roaming\CSJjkhi7.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\CSJjkhi7.exe
        - Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\system32\choice.exe
          Command line: choice /C Y /N /D Y /T 0
Downloads
- C:\Users\Admin\AppData\LocalLow\mozglue.dll
  Filesize: 612KB
  MD5: f07d9977430e762b563eaadc2b94bbfa
  SHA1: da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
  SHA256: 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
  SHA512: 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
- C:\Users\Admin\AppData\LocalLow\nss3.dll
  Filesize: 1.9MB
  MD5: f67d08e8c02574cbc2f1122c53bfb976
  SHA1: 6522992957e7e4d074947cad63189f308a80fcf2
  SHA256: c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
  SHA512: 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
- C:\Users\Admin\AppData\LocalLow\sqlite3.dll
  Filesize: 1.0MB
  MD5: dbf4f8dcefb8056dc6bae4b67ff810ce
  SHA1: bbac1dd8a07c6069415c04b62747d794736d0689
  SHA256: 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
  SHA512: b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
- C:\Users\Admin\AppData\Roaming\CSJjkhi7.exe
  Filesize: 7.4MB
  MD5: 7c3c33a79f460a4536433f5ba99b3fcd
  SHA1: 2a3d9abc1a733453804213b8bf24f14bfa5cd581
  SHA256: 88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
  SHA512: 0e4330014b00e1eb3318692862574f7142ce97be02ebd3c00932aec99e236196652f7f7ea95aef7cf3b2501c0c167ce17772bafdebe998a638678e990c7368c4
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  Filesize: 826.3MB
  MD5: d44a35500eea4149b3fac56b765e737b
  SHA1: 076319764db4493a28a69ffce4bdfe066fdf631c
  SHA256: 30a444b8aec744d474a63ba498f9ae0b3dc0ff81231ffb94e7ee11d149aff15f
  SHA512: 68d0a7ae84448cca52f3bd8d356ffbdb8a5ee9c8560d311072576aa736d955485d6737c9c2e61c5772fe7d9763064b840f34732a356ea4833e9a3dbb8a86e207
- C:\Users\Admin\AppData\Roaming\x01QvMGk.exe
  Filesize: 7.3MB
  MD5: 0ab7518c28166568e4df9081588c868f
  SHA1: 4de900f0946695bb8b6edf5a7a1d5fe22a36494b
  SHA256: 1ba92583e7d14373cccd6972cd66dd9557858d3bcfae934f6b8bcef9d932f347
  SHA512: 1dce4e2ddaeaf05229a4f4d3b500526b203264f963d1254551bc6d984632eaf6ceeab1c930d8e73de0f163c5e8cb359c208e6d4ac7ccc39ce31a3ca24358511b
Memory dumps (PID-index-region, with filesize where given)
- memory/400-149-0x0000000000000000-mapping.dmp
- memory/508-158-0x0000000000000000-mapping.dmp
- memory/1032-139-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/1032-137-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/1032-143-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/1032-135-0x00000000004088ED-mapping.dmp
- memory/1032-134-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/1412-154-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-163-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-151-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-150-0x00007FFF063D0000-0x00007FFF065C5000-memory.dmp (2.0MB)
- memory/1412-147-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-148-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-155-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-156-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-157-0x0000000000050000-0x0000000000A64000-memory.dmp (10.1MB)
- memory/1412-144-0x0000000000000000-mapping.dmp
- memory/1412-165-0x00007FFF063D0000-0x00007FFF065C5000-memory.dmp (2.0MB)
- memory/3604-168-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3604-170-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3604-173-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3604-160-0x0000000000000000-mapping.dmp
- memory/3604-172-0x00007FFF063D0000-0x00007FFF065C5000-memory.dmp (2.0MB)
- memory/3604-164-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3604-166-0x00007FFF063D0000-0x00007FFF065C5000-memory.dmp (2.0MB)
- memory/3604-167-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3604-171-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3604-169-0x0000000000730000-0x0000000001144000-memory.dmp (10.1MB)
- memory/3716-159-0x0000000000000000-mapping.dmp
- memory/5040-138-0x00007FFEE8EE0000-0x00007FFEE99A1000-memory.dmp (10.8MB)
- memory/5040-132-0x0000023B29060000-0x0000023B290C8000-memory.dmp (416KB)
- memory/5040-133-0x00007FFEE8EE0000-0x00007FFEE99A1000-memory.dmp (10.8MB)