Overview

overview

10

Static

static

10

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2023 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    465.5MB

  • MD5

    ba1f367857d1efa868bb71681e1e1420

  • SHA1

    0d7917e7808a365ec09c6a848f6d20266114a662

  • SHA256

    bd8b12dcaec47b31028589aa295ab16c91278814affa1bd2664905957d472a13

  • SHA512

    dc48959bd3c465a09e6df275eedf910125da1222ff253ecebde94c4f7ab93f9bbce847c90cb7a339cad2697d0ab77b61b95af54713983dfc4f7566cc0ba34d88

  • SSDEEP

    49152:op6MmhLSOvvm9sgb3qq/BSGnYB7VKpKeM:oKhUrtpSGngVaM

Score
10/10
raccoond4074b8c479181b90e810443a9405f3cdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

d4074b8c479181b90e810443a9405f3c

C2

http://37.220.87.44/

http://94.131.3.70/

http://83.217.11.11/

http://83.217.11.13/

http://83.217.11.14/
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Roaming\ab0okmcj.exe
      "C:\Users\Admin\AppData\Roaming\ab0okmcj.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\Oraclessh-type7.4.9.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:2660
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\Oraclessh-type7.4.9.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:4732
        • C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\ProgramData\Oraclessh-type7.4.9.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:3400
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /CREATE /TN "Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9" /TR "C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe" /SC MINUTE
          4⤵
          • Creates scheduled task(s)
          PID:2244
        • C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe
          "C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Executes dropped EXE
          PID:1500
    • C:\Users\Admin\AppData\Roaming\KUU1L7FW.exe
      "C:\Users\Admin\AppData\Roaming\KUU1L7FW.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\KUU1L7FW.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
            PID:1308
    • C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe
      C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe
      1⤵
      • Executes dropped EXE
      PID:1344

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    File Permissions Modification

    1
    T1222

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe
      Filesize

      603.7MB

      MD5

      2583e06617860c70363c31b03ceb21be

      SHA1

      dd86e859b08dfedf8e351b311895930e474cac70

      SHA256

      99955753cf0d6f37201ca2c22eb2ecf54a693df5c9f46ddbd4cf69ee0bef8fcc

      SHA512

      c14dcb8d5033cbd54b8c2743f957a6f6e163b2427176560efc4b45aaf253482fc93ace47f6380b67ffd3883fd1b39408995bc473ffa1e01dc0eb98652c9002c2

      Download Submit
    • C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe
      Filesize

      644.8MB

      MD5

      b941665e0c41075422061f153b6289a9

      SHA1

      53868203cac49f7ccb7de4d9fa4a9c9b39b07937

      SHA256

      64af804e4adbd95f10928fdddc1c52ea2bcac93967a68b0ba421c1a8ff4ffa9a

      SHA512

      7ff8ed5445e505f43a2c0f3e1542240e9f5691e7e2c9ecfeda4a7f628ab9497249d498238be8f6954ed9fae3e65814ed165e6256f6437e856b271f1fe62bff3c

      Download Submit
    • C:\ProgramData\Oraclessh-type7.4.9.9\Oraclessh-type7.4.9.9.exe
      Filesize

      124.1MB

      MD5

      048ccc1888a6cc78ea257b8e3ab99ac4

      SHA1

      cda5f9e3a9d594b6b87fb030d0bf20842e10febc

      SHA256

      c4901724ea50894aa13b199dfb5c8062584161962c94b72cb479cac98068967f

      SHA512

      8ac0a91c8f55a0df6abb76e38095ad396a04f8c9e5cd608039cbec3f65fbc7a0ac62d63953074caa1c5a70eee06a0b80673eaf2bd0ecc3f1d1e78a126023ed0a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\mozglue.dll
      Filesize

      612KB

      MD5

      f07d9977430e762b563eaadc2b94bbfa

      SHA1

      da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

      SHA256

      4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

      SHA512

      6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\nss3.dll
      Filesize

      1.9MB

      MD5

      f67d08e8c02574cbc2f1122c53bfb976

      SHA1

      6522992957e7e4d074947cad63189f308a80fcf2

      SHA256

      c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

      SHA512

      2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
      Filesize

      1.0MB

      MD5

      dbf4f8dcefb8056dc6bae4b67ff810ce

      SHA1

      bbac1dd8a07c6069415c04b62747d794736d0689

      SHA256

      47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

      SHA512

      b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\KUU1L7FW.exe
      Filesize

      13.9MB

      MD5

      6dac8c5381ae3101d911145970bdde93

      SHA1

      04c1cbac48c640f3c54c0ec6086aa3eb181da696

      SHA256

      6888c253f7fe673389ea592d69e1844c81eb01f313514df88f9dbdebad514aa8

      SHA512

      1fc5b7de2f4033e2275ae01631006553e81ed0c541fdbfeee8533640e21e1033c324249a27861d85f0b07895df335fe5f013563da248a14ef6faa50ab4ad1610

      Download Submit
    • C:\Users\Admin\AppData\Roaming\KUU1L7FW.exe
      Filesize

      13.9MB

      MD5

      6dac8c5381ae3101d911145970bdde93

      SHA1

      04c1cbac48c640f3c54c0ec6086aa3eb181da696

      SHA256

      6888c253f7fe673389ea592d69e1844c81eb01f313514df88f9dbdebad514aa8

      SHA512

      1fc5b7de2f4033e2275ae01631006553e81ed0c541fdbfeee8533640e21e1033c324249a27861d85f0b07895df335fe5f013563da248a14ef6faa50ab4ad1610

      Download Submit
    • C:\Users\Admin\AppData\Roaming\KUU1L7FW.exe
      Filesize

      13.9MB

      MD5

      6dac8c5381ae3101d911145970bdde93

      SHA1

      04c1cbac48c640f3c54c0ec6086aa3eb181da696

      SHA256

      6888c253f7fe673389ea592d69e1844c81eb01f313514df88f9dbdebad514aa8

      SHA512

      1fc5b7de2f4033e2275ae01631006553e81ed0c541fdbfeee8533640e21e1033c324249a27861d85f0b07895df335fe5f013563da248a14ef6faa50ab4ad1610

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ab0okmcj.exe
      Filesize

      4.2MB

      MD5

      cbdf855b7117d7343e59bc55e05657cf

      SHA1

      42a5364e4fdce74cb165a9bf51e2cab57a69b250

      SHA256

      54993897e107cb23709fed98945f1de167ebe77e4373d174966b44e38886a46f

      SHA512

      13061d475af8bbb9742ab9cef7fd970af5ee4cd9a1e3896339ca3290c472c5975625d2597811b852a342a56061fa314c5c4206517ba33840d416aa2d7074679f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ab0okmcj.exe
      Filesize

      4.2MB

      MD5

      cbdf855b7117d7343e59bc55e05657cf

      SHA1

      42a5364e4fdce74cb165a9bf51e2cab57a69b250

      SHA256

      54993897e107cb23709fed98945f1de167ebe77e4373d174966b44e38886a46f

      SHA512

      13061d475af8bbb9742ab9cef7fd970af5ee4cd9a1e3896339ca3290c472c5975625d2597811b852a342a56061fa314c5c4206517ba33840d416aa2d7074679f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ab0okmcj.exe
      Filesize

      4.2MB

      MD5

      cbdf855b7117d7343e59bc55e05657cf

      SHA1

      42a5364e4fdce74cb165a9bf51e2cab57a69b250

      SHA256

      54993897e107cb23709fed98945f1de167ebe77e4373d174966b44e38886a46f

      SHA512

      13061d475af8bbb9742ab9cef7fd970af5ee4cd9a1e3896339ca3290c472c5975625d2597811b852a342a56061fa314c5c4206517ba33840d416aa2d7074679f

      Download Submit
    • memory/1460-133-0x0000000000400000-0x0000000000685000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1460-180-0x0000000061E00000-0x0000000061EF1000-memory.dmp
      Filesize

      964KB

      Download
    • memory/1460-179-0x0000000000400000-0x0000000000685000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1460-134-0x0000000000400000-0x0000000000685000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/2324-203-0x0000000005B50000-0x00000000060F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2324-211-0x0000000003090000-0x000000000309A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2324-214-0x00000000030B0000-0x00000000030C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2324-215-0x00000000030B0000-0x00000000030C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2324-216-0x00000000030B0000-0x00000000030C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2324-212-0x00000000030B0000-0x00000000030C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2324-208-0x0000000005640000-0x00000000056D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2324-193-0x0000000000CD0000-0x00000000010F8000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/3560-213-0x0000000000CE0000-0x0000000001B2F000-memory.dmp
      Filesize

      14.3MB

      Download