Analysis

  • max time kernel
    1552s
  • max time network
    1559s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230221-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    01-04-2023 02:17

General

  • Target

    PremiumFileT13-Pass-55551.rar

  • Size

    24.5MB

  • MD5

    a75ef1b830c86a85166dbfa99d0338ed

  • SHA1

    d8b478e0461d4008c59b71aaf6298bd61469acd9

  • SHA256

    1ed375dc67ad8c245211d0fde7b1d8d068268cafef26162fffb95eb5037578d7

  • SHA512

    a25cc94b8b3239fbf44e6d7ba1a832636cc143e8d28fa47efea2bd8e653749192f22e2a01ed264134ffbdf20084d1d9cfc148e9481075dc129333170b8894405

  • SSDEEP

    786432:Jgl+WaEcSSZKuS+HScq4p86auFhFJ6EeM41OrvnAGlif2X5XkA:WM7jj1SEqC86xWEAOfHZ50A

Malware Config

Extracted

Family

raccoon

Botnet

ee2a3d190100b91c20d8bc284238dda6

C2

http://45.15.156.144/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\PremiumFileT13-Pass-55551.rar
    1⤵
    • Modifies registry class
    PID:1572
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:820
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3212
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\" -spe -an -ai#7zMap22340:108:7zEvent6347
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4712
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\" -spe -an -ai#7zMap13042:136:7zEvent20968
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1964
    • C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\setup.exe
      "C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\setup.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:992
    • C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\zxcvyponmgqwsdh.exe
      "C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\zxcvyponmgqwsdh.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (1)
    T1082


Downloads

    • C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile.rar
      Filesize

      24.5MB

      MD5

      5018a5ffdcc6968e87e16e9ec1a288f2

      SHA1

      ff728b148b31441714e6bb2b9a4e84ab733f06ab

      SHA256

      8cad46796d0cab522a2ac3a936b716759810e20cb75136356845015ce452bff6

      SHA512

      ab8fbe092624553ec5185a610093ab6251cbd2b4dddd4441d0d70c85c8399035345076027de58176e4e12eb2a04987a8198b39393bba363b30b7ab453618811f

    • C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\setup.exe
      Filesize

      2012.7MB

      MD5

      9385ae1045691a4c0fd1a49ba1abf11d

      SHA1

      06da2e8533efdd665e686240f6dbf87ddaab62de

      SHA256

      e96197337a6754e2fcf1529218886d2eab7d9159a2d4e4d709fcd129e7c45fa5

      SHA512

      18156fbc6ec5b2c6d83ee0c8dfe8be599f9ebe95466e0968d730ac761e1f46bde24c3153621575c16739e7cb899fb364ebbb39b68ded4e9636759125f588dc7e

    • C:\Users\Admin\Desktop\PremiumFileT13-Pass-55551\ActivatedFile\zxcvyponmgqwsdh.exe
      Filesize

      12.7MB

      MD5

      3c97da8c3cfa06ef01fe2cb3350684ab

      SHA1

      99aa331eaeca57d671320bebf655e3bcd34ae919

      SHA256

      0fe9a62c38022f4904b600a0b7e8329ab2acdeb54193e03a6502b2ade27a8f9a

      SHA512

      55f7521002370efbedce92825bbf972e8c89fd6621658308017ef224eb4d83ba7214f46b17ee88e0cf40e01b0480d4389c773c4752eb31c4214590ef4850392c

    • memory/992-146-0x0000000001A90000-0x0000000001A91000-memory.dmp
      Filesize

      4KB

    • memory/992-147-0x0000000000400000-0x0000000001A89000-memory.dmp
      Filesize

      22.5MB

    • memory/1248-149-0x0000000001BF0000-0x0000000001BF1000-memory.dmp
      Filesize

      4KB

    • memory/1248-150-0x0000000000400000-0x0000000001A89000-memory.dmp
      Filesize

      22.5MB