Overview

overview

10

Static

static

setupsoftapp19.0.exe

windows7-x64

10

setupsoftapp19.0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2023 03:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setupsoftapp19.0.exe

  • Size

    846.9MB

  • MD5

    c924d548d6362d6182a801e5ac9779a2

  • SHA1

    ceef050c6d3476ba14afbcb7f9fae2383409f5b6

  • SHA256

    692665962615caa30b77c4ac254668ed936d4025712d9338f272d6649f700698

  • SHA512

    0c669977725c8808dac6570c7a2dc8071f3cc97679fdbdd348a458f421f400a94c4725306c503277c59d62e3cb0de634d739f13b48467715762e8a284b05af5d

  • SSDEEP

    98304:4bAOzokQ2Kr/ar2QhHe8J7ouoFGxqMI8jZuF++U62mcx/:qc/V8J7ou31I4t+r

Score
10/10
raccoon3f4a8564e5026a245d6974b020b3f6destealer

Malware Config

Extracted

Family

raccoon

Botnet

3f4a8564e5026a245d6974b020b3f6de

C2

http://45.15.156.225/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setupsoftapp19.0.exe
    "C:\Users\Admin\AppData\Local\Temp\setupsoftapp19.0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
      2⤵
        PID:2416
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:3944
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 460 -p 2156 -ip 2156
      1⤵
        PID:5056
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2156 -s 2268
        1⤵
        • Program crash
        PID:1360

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1752-132-0x000001F31C4C0000-0x000001F31D29C000-memory.dmp
        Filesize

        13.9MB

        Download
      • memory/1752-133-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1752-138-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2416-134-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2416-135-0x00000000004088ED-mapping.dmp
        Download
      • memory/2416-137-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2416-139-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2416-140-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download