Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-04-2023 21:24

General

  • Target

    readerdc64_br_ka_cra_mdr_install.exe

  • Size

    1.3MB

  • MD5

    2a28b875cdc2f3eae4871c4732854f22

  • SHA1

    c31dfe79e224c6726b2f250fbfecda792aa4cb56

  • SHA256

    95c5947e021a773ce1cfd4e774fe69d7a50bad31810cdddd7b72fd1a2a3cf617

  • SHA512

    d29fa59790c61c2c161b124fd43bf874ea4b99c86511d1b169b10d7301710107771a45c36a334f3093db0e891f687b12c74ff22e7d4605f039f738ebc6a5cb04

  • SSDEEP

    24576:slv110ltOoV5/Bh7uVIjpQOyTOD0YHqI61tPd6ew7KRualKIYwR5UlgsmxLSkNR6:WvXyOYp9QOORI6fPd6ew7O7YwR5JwkNY

Score
10/10

Malware Config

Extracted

Family

raccoon

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\readerdc64_br_ka_cra_mdr_install.exe
    "C:\Users\Admin\AppData\Local\Temp\readerdc64_br_ka_cra_mdr_install.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Adobe\4F9ECA6F-9A63-49FF-B72B-29B5120244AB\46F726D4-71E3-4A20-8B8E-F22C7BAC256A\D1998FCE-4B07-4F40-92D0-9F0EE6F939A7
      "C:\Users\Admin\AppData\Local\Adobe\4F9ECA6F-9A63-49FF-B72B-29B5120244AB\46F726D4-71E3-4A20-8B8E-F22C7BAC256A\D1998FCE-4B07-4F40-92D0-9F0EE6F939A7" /sAll /re /msi PRODUCT_SOURCE=ACDC OWNERSHIP_STATE=1 UPDATE_MODE=3 EULA_ACCEPT=YES ENABLE_CHROMEEXT=1
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Adobe\Temp\15304\config.bin

    Filesize

    3KB

    MD5

    f2de816930e2578fe2b37e1e2af5efd4

    SHA1

    73b0e6bf692adb032b503e1786e76b9086540d43

    SHA256

    49f7b0953dd79bb9a649acbda22b1fbe69c7cb3bcd053c2a2a23400a55cb73ed

    SHA512

    159fa977edd0ac314a8d113223a19741b747a9235f04face026c42ddab797fad67e65a323f20d67a6a6beba558117d29b596518503cf7f5c306b378b5d211bcc

  • C:\Users\Admin\AppData\Local\Adobe\4F9ECA6F-9A63-49FF-B72B-29B5120244AB\46F726D4-71E3-4A20-8B8E-F22C7BAC256A\D1998FCE-4B07-4F40-92D0-9F0EE6F939A7

    Filesize

    199.6MB

    MD5

    c587f099e4240a8ad51d25d188bf46b3

    SHA1

    1b8e58d54fdddd9d66fe5896a67ff7f79b4a5e59

    SHA256

    c73ca63a13b335f30b0ab1a11e7aaf19f16535edaa9a2546998b0637daf7aa2f

    SHA512

    349cd39ca49b6cca64ed7809863f4012a8bd316a363740074a33d319c9526ad9cb0e7e513a13e8842ac8f3391df3ad8bd13d5c6ed02666029b94d8c9cbfdcd61

  • C:\Users\Admin\AppData\Local\Adobe\4F9ECA6F-9A63-49FF-B72B-29B5120244AB\46F726D4-71E3-4A20-8B8E-F22C7BAC256A\D1998FCE-4B07-4F40-92D0-9F0EE6F939A7

    Filesize

    198.1MB

    MD5

    99b7dca806fa81d70b0d7a8801c54dc9

    SHA1

    49b012567ebc0b7c283a00d7333ce677b2193422

    SHA256

    e9e0353e736fcf239575b46c3b5eebe52141ca18d571008a8a59919c3a8647ae

    SHA512

    7ae0be4cdd94f5cc960eb91955211239a96cae447391b90abf4be2764a69405a280ff5b8b2c25ac16e0bb9c18b497640a4091af07c9b90eaf2e843d1f05357ce

  • C:\Users\Admin\AppData\Local\Adobe\4F9ECA6F-9A63-49FF-B72B-29B5120244AB\progressbar_blue_active_100.png

    Filesize

    14KB

    MD5

    bb94a177f10bf764d11f94d24a5db5aa

    SHA1

    6864b58952b19248f4c5ea5c8764c52e207268a7

    SHA256

    caafea31074ba909ec57c9dcdd1b1c0256e5626939cc768b8a041fe42762e230

    SHA512

    d2875eb5ad9ff76ff233ada04fa77aecdbb0c9a80bcd85b0c50087786b47e97feec189d18164e15784cd96850849ee4e1920d7d98157ca7ad317ba03e8c66111

  • memory/2924-133-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB

  • memory/2924-204-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB

  • memory/2924-209-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB

  • memory/2924-210-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB

  • memory/2924-213-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB

  • memory/2924-224-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB

  • memory/2924-250-0x00000000003A0000-0x0000000000796000-memory.dmp

    Filesize

    4.0MB