Analysis
max time kernel: 972s
max time network: 975s
platform: windows10-2004_x64
resource: win10v2004-20230221-es
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 10-05-2023 22:15
Static task
static1
Behavioral task
behavioral1
Sample
Use_2024_As_Passw0rd(1).rar
Resource
win7-20230220-es
Behavioral task
behavioral2
Sample
Use_2024_As_Passw0rd(1).rar
Resource
win10v2004-20230221-es
General
Target: Use_2024_As_Passw0rd(1).rar
Size: 17.7MB
MD5: 21597608583ff900e22d9ef752f89865
SHA1: 425686012d63d31aaf20d8bf1ce73dfdda3606e1
SHA256: 62eed6ef3881ff1d829b73d374ae9e43ca5ac13fcfa4ed43adb7e4dc45385528
SHA512: c8396d5e4acea54a20436fb71bdf254c35a217ce2fbb65070c48d9cb095169b1ec18654d5592fdda0564188f51cd77031ea2aee3b59a457730b84dede6d88345
SSDEEP: 393216:SwrZMzRWjvVp8J+/mcT0QVAr2mEFJEqQLTQXyX6sIxPpXDlxlHgTf+2GT:SwrXjvH8J+5T0rr27FOHpGpXDlHO+2w
Malware Config
Extracted
Family: raccoon
Config value (as extracted): 141e039951f226abafc9f26367487dea
C2 URLs:
http://37.220.87.68
http://83.217.11.14
http://94.142.138.125/
Signatures
Executes dropped EXE (1 IoC)
Processes: pid 992 +Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: pid 992 +Setup.exe; pid 992 +Setup.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pid 992 +Setup.exe; pid 992 +Setup.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
Token: SeRestorePrivilege, pid 4444, 7zG.exe
Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege on current Windows), pid 4444, 7zG.exe
Token: SeSecurityPrivilege, pid 4444, 7zG.exe
Token: SeSecurityPrivilege, pid 4444, 7zG.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: pid 4444 7zG.exe
Note that the AdjustPrivilegeToken and FindShellTrayWindow hits belong to pid 4444, which is the legitimate 7-Zip GUI (C:\Program Files\7-Zip\7zG.exe) extracting the archive; the sample's own behaviour is the three signatures on pid 992 (+Setup.exe), of which NtSetInformationThreadHideFromDebugger is the anti-debugging indicator.
Processes
C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd(1).rar
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\" -spe -an -ai#7zMap29390:104:7zEvent3781
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe
Command line: "C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
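The report yields two indicators worth turning into detection logic: the Raccoon C2 URLs from the extracted config and the SHA256 of the dropped +Setup.exe. The block below is an added example, not part of this Triage report; it reduces the URLs to host IOCs, parses the Sysmon-style `Hashes` field, and runs both checks over Sysmon-shaped events (Event ID 1 process create, Event ID 3 network connect). The events themselves are constructed for the demo; the report's Network section is empty, so no connection to these hosts is shown on this page.

```python
"""Match IOCs from the sandbox report against Sysmon-style events.

Added example, not part of the Triage report. Field names follow Sysmon
Event ID 1 (process create) and Event ID 3 (network connect); the events
in SAMPLE_LOG are constructed for this demo, not captured telemetry.
"""
import json
from urllib.parse import urlparse

# Values copied from the report: Raccoon C2 URLs and the dropped file's SHA256.
RACCOON_C2_URLS = [
    "http://37.220.87.68",
    "http://83.217.11.14",
    "http://94.142.138.125/",
]
DROPPER_SHA256 = "74632e6b704bd3d49083c829655e50ed962a1849ae79e0349cd920dd847e76d0"


def c2_hosts(urls):
    """Reduce config URLs to a set of hosts; tolerates trailing slashes and ports."""
    hosts = set()
    for u in urls:
        parsed = urlparse(u if "://" in u else "http://" + u)
        if parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return hosts


def parse_sysmon_hashes(field):
    """Parse Sysmon's 'Hashes' field ('SHA256=...,MD5=...') into {ALGO: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, _, value = part.partition("=")
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(event, hosts, sha256_iocs):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    eid = event.get("EventID")
    if eid == 3 and str(event.get("Initiated", "true")).lower() == "true":
        dst = str(event.get("DestinationIp", "")).lower()
        if dst in hosts:
            hits.append(("raccoon_c2_connect", f"{event.get('Image')} -> {dst}"))
    elif eid == 1:
        hashes = parse_sysmon_hashes(event.get("Hashes", ""))
        if hashes.get("SHA256") in sha256_iocs:
            hits.append(("known_dropper_hash", event.get("Image")))
    return hits


def scan(log_lines, urls=RACCOON_C2_URLS, sha256_iocs=frozenset({DROPPER_SHA256})):
    """Scan JSON-lines events; malformed lines are skipped, not fatal."""
    hosts = c2_hosts(urls)
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alerts.extend(match_event(event, hosts, sha256_iocs))
    return alerts


# Constructed sample events (not real telemetry); the hash and IP come from the report.
DROPPER_PATH = r"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe"
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Image": DROPPER_PATH,
                "Hashes": "MD5=6A85C90570758314F45C072F175ADBD0,SHA256=" + DROPPER_SHA256.upper()}),
    json.dumps({"EventID": 1, "Image": r"C:\Program Files\7-Zip\7zG.exe",
                "Hashes": "SHA256=" + "0" * 64}),
    json.dumps({"EventID": 3, "Image": DROPPER_PATH, "Initiated": "true",
                "DestinationIp": "94.142.138.125", "DestinationPort": 80}),
    json.dumps({"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
                "DestinationIp": "23.45.67.89", "DestinationPort": 443}),
    "not json at all",
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(rule, detail)
```

Hash matching of the Sysmon `Hashes` field is case-insensitive on purpose: Sysmon emits upper-case hex while most IOC feeds are lower-case. Host matching uses `urlparse` so that the trailing slash on the third C2 URL and any port suffix do not cause a miss.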
Downloads
C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe
Filesize: 1550.3MB
MD5: 6a85c90570758314f45c072f175adbd0
SHA1: 4754a3f5432ee91ed599a78984249205155f049c
SHA256: 74632e6b704bd3d49083c829655e50ed962a1849ae79e0349cd920dd847e76d0
SHA512: 0674ce10c5d024247fdd3ba80f5781ff340c1f09112fba61c055190f771759c02d9635708b7786c1ba9f58dec4433338e94384f82aa796a65899a69a14aa0cd2
memory/992-195-0x0000000001F60000-0x0000000001F61000-memory.dmp
Filesize: 4KB
memory/992-196-0x0000000001F70000-0x0000000001F71000-memory.dmp
Filesize: 4KB
memory/992-197-0x0000000000400000-0x0000000001DFF000-memory.dmp
Filesize: 26.0MB
The size figures are the practical indicator here: a 17.7MB archive expands to a 1550.3MB +Setup.exe, while the image mapped at 0x400000-0x1DFF000 in pid 992 is only 26.0MB. An executable that compresses by roughly 87x is consistent with junk padding, a common way to push a dropper past the upload size limits of sandboxes and scanners; the padded bytes do not need to be mapped for the program to run.
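The expansion ratio and the gap between on-disk size and mapped image size can be checked without a full PE parser. The block below is an added example, not part of the report or of Triage; the sizes fed to it are the report's (17.7MB archive, 1550.3MB extracted file, 26.0MB mapped image), the byte buffer is constructed here to stand in for the file, which is not on this page, and the 20x and 50% thresholds are assumptions to tune per environment.

```python
"""Size-inflation checks for a dropped executable.

Added example, not part of the sandbox report. Report figures: 17.7MB archive,
1550.3MB extracted +Setup.exe, 26.0MB mapped image. The buffer returned by
build_sample() is a constructed stand-in for the file, which is not available
here; the thresholds in assess() are assumptions.
"""
import random
import zlib

MB = 1024 * 1024


def expansion_ratio(archive_bytes, extracted_bytes):
    """How many times larger the extracted file is than the archive holding it."""
    if archive_bytes <= 0:
        raise ValueError("archive size must be positive")
    return extracted_bytes / archive_bytes


def tail_run(data):
    """Return (byte_value, run_length) for the run of identical bytes ending the buffer."""
    if not data:
        return None, 0
    last = data[-1]
    n = len(data)
    i = n - 1
    while i > 0 and data[i - 1] == last:
        i -= 1
    return last, n - i


def compressibility(data, level=1):
    """Ratio compressed/original; filler of repeated bytes drives this toward 0."""
    if not data:
        return 1.0
    return len(zlib.compress(bytes(data), level)) / len(data)


def assess(archive_bytes, extracted_bytes, mapped_image_bytes, data,
           ratio_threshold=20.0, padding_threshold=0.5):
    """Combine the signals into a verdict dict (thresholds are assumed, not from the report)."""
    ratio = expansion_ratio(archive_bytes, extracted_bytes)
    _, run = tail_run(data)
    padding_fraction = run / len(data) if data else 0.0
    return {
        "expansion_ratio": round(ratio, 1),
        "mapped_to_disk_fraction": round(mapped_image_bytes / extracted_bytes, 3),
        "tail_padding_fraction": round(padding_fraction, 3),
        "compressibility": round(compressibility(data), 3),
        "inflated": ratio > ratio_threshold or padding_fraction > padding_threshold,
    }


def build_sample(payload_len=64 * 1024, filler_len=1 * MB, seed=1):
    """Constructed stand-in: pseudo-random 'code' followed by a zero-byte filler."""
    rng = random.Random(seed)
    head = bytearray(rng.randbytes(payload_len))
    head[-1] = 0xAA  # guarantee the zero run starts exactly at the filler boundary
    return bytes(head) + b"\x00" * filler_len


if __name__ == "__main__":
    sample = build_sample()
    verdict = assess(int(17.7 * MB), int(1550.3 * MB), int(26.0 * MB), sample)
    print(verdict)
```

Real padding is not always a single byte value at the tail; an attacker can fill with low-entropy patterns or place the filler in an unmapped section rather than an overlay. The expansion ratio is the signal that survives those variations, which is why it alone is enough to set `inflated` here.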