raccoon | hxxp://www[.]google[.]it

General

Target

http://www.google.it

Score

10^/10

raccoon 1269ed6cdc166a49ecc72e46095cface stealer

Malware Config

Extracted

Family

raccoon

Botnet

1269ed6cdc166a49ecc72e46095cface

C2

http://79.137.197.160/

http://79.137.197.190/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 4 IoCs

Processes:

Setup.exeSetup.exeSetup.exeSetup.exe

pid process

4348 Setup.exe
2192 Setup.exe
1096 Setup.exe
1424 Setup.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 4348 set thread context of 1424 4348 Setup.exe Setup.exe

description	pid	process	target process
PID 4348 set thread context of 1424	4348	Setup.exe	Setup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31010438"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E6094270-9A79-11ED-919F-DAD30C974647} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c012a1bf862ed901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3132137883"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31010438"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3132137883"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000048efc5145f5de51b65bc169611c4b6c1d916820bf604504e910265c9d684ef9000000000e8000000002000020000000fb6414590f85deb7792e381e78fa4df2e70b8acdd3c6c25c149aba6171b9a58720000000da547628b21540d8263a1a65c7e6763f01f46a235061c71ce5390493fa31eed940000000141dd10d7fb864704dbdf61558265161f870fd8f1123990b11965bf8e39f4e259c68bbf1139bf2af9cc69778cfe188b0bd6aa89c106a4d6ed5a8587e913757b4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 201d7fbd862ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000059d77351e0315a3b223149ad5a9a8e4b1a2722246ac71755cb5e0963066199db000000000e8000000002000020000000f35ac5b3e1d72783c70d04e80262cb6b925838cdf966493d233a94d923cf771120000000961f7d4565efec6a2eaa7371075e9c4720b2fe8d33a1b8545f5cc125cf3387714000000076d214854808d0da311f29432643ae4a4dba4ca0b3d0764e3b37d7b9640c221b45466afb59ac241c34c1d8889fb7824de18eba008866cad0a85b59704ae4dba5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2(1).rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Setup.exetaskmgr.exe

pid	process
4348	Setup.exe
4348	Setup.exe
4348	Setup.exe
4348	Setup.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

osk.exe

pid process

1476 osk.exe

pid	process
1476	osk.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

firefox.exeAUDIODG.EXE7zG.exeSetup.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3184	firefox.exe
Token: SeDebugPrivilege	3184	firefox.exe
Token: 33	3196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3196	AUDIODG.EXE
Token: SeDebugPrivilege	3184	firefox.exe
Token: SeDebugPrivilege	3184	firefox.exe
Token: SeDebugPrivilege	3184	firefox.exe
Token: SeDebugPrivilege	3184	firefox.exe
Token: SeRestorePrivilege	4184	7zG.exe
Token: 35	4184	7zG.exe
Token: SeSecurityPrivilege	4184	7zG.exe
Token: SeSecurityPrivilege	4184	7zG.exe
Token: SeDebugPrivilege	4348	Setup.exe
Token: SeDebugPrivilege	2644	taskmgr.exe
Token: SeSystemProfilePrivilege	2644	taskmgr.exe
Token: SeCreateGlobalPrivilege	2644	taskmgr.exe
Token: 33	2644	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2644	taskmgr.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

iexplore.exefirefox.exeosk.exe7zG.exetaskmgr.exe

pid	process
4908	iexplore.exe
3184	firefox.exe
3184	firefox.exe
3184	firefox.exe
3184	firefox.exe
1476	osk.exe
4184	7zG.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe
2644	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exeosk.exe

pid	process
3184	firefox.exe
3184	firefox.exe
3184	firefox.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exeosk.exe

pid	process
4908	iexplore.exe
4908	iexplore.exe
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
3184	firefox.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
3184	firefox.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe
1476	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4908 wrote to memory of 4940	4908	iexplore.exe	IEXPLORE.EXE
PID 4908 wrote to memory of 4940	4908	iexplore.exe	IEXPLORE.EXE
PID 4908 wrote to memory of 4940	4908	iexplore.exe	IEXPLORE.EXE
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 2560 wrote to memory of 3184	2560	firefox.exe	firefox.exe
PID 3184 wrote to memory of 3268	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 3268	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1252	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe
PID 3184 wrote to memory of 1952	3184	firefox.exe	firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.it
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4908 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.0.1597221821\2083703621" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 1 -prefMapSize 219944 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 1764 gpu
3⤵
PID:3268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.3.818834812\1785154064" -childID 1 -isForBrowser -prefsHandle 2332 -prefMapHandle 2344 -prefsLen 112 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2416 tab
3⤵
PID:1252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.13.1826095499\158295528" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 6894 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 3720 tab
3⤵
PID:1952

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3228

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\" -spe -an -ai#7zMap20500:124:7zEvent4936
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4184

C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
"C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
"C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe"
2⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
"C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe"
2⤵
- Executes dropped EXE
PID:1096

C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
"C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe"
2⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xyoggsx\imagestore.dat
Filesize
5KB

MD5
f24ccea9deba27e36dd3de3b4d544294

SHA1
8cb9b8b0966dc6d12e39a99d78f6eb0c91374385

SHA256
52097bb7b39306c9491fdb705827070e9c63d34ab99d30f2b5efcba80d9d94fb

SHA512
af06543198b7708d9af02212f5c3b6a459968fa21551266a90bbd3676579f2ffdedf6c6521fcb2c650714c96fe074a1da0c2a55bac01c5cbd79a9b1b994a8c8b

Download Submit
C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2.rar
Filesize
1.6MB

MD5
12e068e40c6c7516f422eb63c26559fd

SHA1
dd4b589ebce0a3bb308f1d76168f97e5a06e9cb6

SHA256
d05e183e60dff81fb6613033ac02a8e4c440cb6b29268c8f6b48c890c42f1a24

SHA512
84d5f69c28b5ca9b57ce4d84efd16680b6f7166c436e949fa5387682e52fd7bda197735341d63c67ce0fff98de61abab22a8e4e20251b398cb61f02a463c22d9

Download Submit
C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
Filesize
468.0MB

MD5
75a1023e7247b5fb3887990507747c65

SHA1
2e080d6227c8153ad62b1e002ccef85c8ff0e788

SHA256
86d914735c841ab66c38c778fd103755044ee8e6cf81227072938e52737c1b9a

SHA512
73b61ed94797851b707a86129e8207ed1c8c3bea239387d7077ddcb09543c9ef59d19027e3565a2c60b6c97471dc11b6d22da853546293c499416ccbfa83d150

Download Submit
C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
Filesize
468.0MB

MD5
75a1023e7247b5fb3887990507747c65

SHA1
2e080d6227c8153ad62b1e002ccef85c8ff0e788

SHA256
86d914735c841ab66c38c778fd103755044ee8e6cf81227072938e52737c1b9a

SHA512
73b61ed94797851b707a86129e8207ed1c8c3bea239387d7077ddcb09543c9ef59d19027e3565a2c60b6c97471dc11b6d22da853546293c499416ccbfa83d150

Download Submit
C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
Filesize
468.0MB

MD5
75a1023e7247b5fb3887990507747c65

SHA1
2e080d6227c8153ad62b1e002ccef85c8ff0e788

SHA256
86d914735c841ab66c38c778fd103755044ee8e6cf81227072938e52737c1b9a

SHA512
73b61ed94797851b707a86129e8207ed1c8c3bea239387d7077ddcb09543c9ef59d19027e3565a2c60b6c97471dc11b6d22da853546293c499416ccbfa83d150

Download Submit
C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
Filesize
468.0MB

MD5
75a1023e7247b5fb3887990507747c65

SHA1
2e080d6227c8153ad62b1e002ccef85c8ff0e788

SHA256
86d914735c841ab66c38c778fd103755044ee8e6cf81227072938e52737c1b9a

SHA512
73b61ed94797851b707a86129e8207ed1c8c3bea239387d7077ddcb09543c9ef59d19027e3565a2c60b6c97471dc11b6d22da853546293c499416ccbfa83d150

Download Submit
C:\Users\Admin\Downloads\Use_2022_As-PSw0rd-FinalStup-G2\Setup.exe
Filesize
468.0MB

MD5
75a1023e7247b5fb3887990507747c65

SHA1
2e080d6227c8153ad62b1e002ccef85c8ff0e788

SHA256
86d914735c841ab66c38c778fd103755044ee8e6cf81227072938e52737c1b9a

SHA512
73b61ed94797851b707a86129e8207ed1c8c3bea239387d7077ddcb09543c9ef59d19027e3565a2c60b6c97471dc11b6d22da853546293c499416ccbfa83d150

Download Submit
memory/1096-143-0x0000000000000000-mapping.dmp

Download
memory/1424-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1424-146-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1424-145-0x0000000000000000-mapping.dmp

Download
memory/1424-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2192-141-0x0000000000000000-mapping.dmp

Download
memory/4348-136-0x0000000000A00000-0x0000000000AFC000-memory.dmp

Filesize
1008KB

Download
memory/4348-140-0x00000000054F0000-0x000000000558C000-memory.dmp

Filesize
624KB

Download
memory/4348-139-0x0000000005360000-0x000000000536A000-memory.dmp

Filesize
40KB

Download
memory/4348-138-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/4348-137-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads