Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bayfiles.com...

windows10-2004-x64

10

Resubmissions

21-05-2023 06:24

230521-g59rysbb7s 8

20-05-2023 11:01

230520-m4m5fsee7v 1

16-05-2023 12:13

230516-pd3tbshg5s 10

16-05-2023 12:01

230516-n69lxaaf68 1

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2023 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://bayfiles.com/v1HbA7q9zf/OriginalBuild_exe

Score
10/10
raccoonb11c37ed36597cb6d2adb8b6280a6e12stealer

Malware Config

Extracted

Family

raccoon

Botnet

b11c37ed36597cb6d2adb8b6280a6e12

C2

http://94.142.138.32

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://bayfiles.com/v1HbA7q9zf/OriginalBuild_exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:264
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4460
    • C:\Users\Admin\Downloads\OriginalBuild.exe
      "C:\Users\Admin\Downloads\OriginalBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Users\Admin\Downloads\OriginalBuild.exe
          C:\Users\Admin\Downloads\OriginalBuild.exe
          4⤵
          • Executes dropped EXE
          PID:2168
    • C:\Users\Admin\Downloads\OriginalBuild.exe
      "C:\Users\Admin\Downloads\OriginalBuild.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Users\Admin\Downloads\OriginalBuild.exe
          C:\Users\Admin\Downloads\OriginalBuild.exe
          4⤵
          • Executes dropped EXE
          PID:3840
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3820

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      59077241ce0ac9ac8eb9b9310aad1952

      SHA1

      e55ab1ccbe4d6b0c3cdabf5b8b7b06a2957e05b8

      SHA256

      5ac8fd637c49c033c7f208265b0323fb9a626767da12d460b9d550e4bcb92399

      SHA512

      3b603aa5ddcb00830d46c4eae716f9b4e2493729a21cc6be0d257046ef23f78882446f84aac06572c0cf9a10da0f89897fda8bba078046b84fecd8d6992f59a0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      d3413107a3c23170497415e44527cc47

      SHA1

      ea3ec52bef31d0aba9e8d9792dadfe2ecbb14256

      SHA256

      cdfdce2d6e6509f10472d77a684da8f8411c27f3b7140ae5c90770dd0b043a0c

      SHA512

      e34be55769055a55c58a7fea73837a91b5b5475e9738c2cd35f2196167172eb85b82533d8b52cb077c66a0dc336c0db4bd3973aaad4c14c0fae25f06d816e221

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OriginalBuild.exe.log
      Filesize

      1KB

      MD5

      7ebe314bf617dc3e48b995a6c352740c

      SHA1

      538f643b7b30f9231a3035c448607f767527a870

      SHA256

      48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

      SHA512

      0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      556491219a6ad3dc6d671b8e18d8e2f6

      SHA1

      906e7a723d6ec5501951f906191ed956f81975d7

      SHA256

      8400c727b4a9cc431a250db16f3f5da4c50d3b6068b8c61cdf57d3eb9b2b520d

      SHA512

      9f83608b919de80b9945e687f418d46ca5407bd4cdd0fc3737367251647f683be3759a09e0857d86229758cbd89a3ca3f8b61afa5b18afe07eee3c7a2235a96b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q7s3h6i\imagestore.dat
      Filesize

      1KB

      MD5

      09326d7c3f67b8eb6b9c4cb572924d95

      SHA1

      ea7eb00231806e3b8eabb5d12f395873c6961def

      SHA256

      55b34f26642c7bfbf90a14aaaa676f8e47b8cc73fba7c7db5ed10e9ab835d93d

      SHA512

      5a9185afc76f858edf1018b507a9ada115d9c570300a5e0bd51f43fc7c7d502d386eda9d70fed86698deef2478c860308d79d34149d9e62339f4757f04b67474

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\OriginalBuild[1].exe
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\OriginalBuild.exe.su6bbte.partial
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\favicon-32x32-bayfiles[1].png
      Filesize

      1KB

      MD5

      9549584e9288a5dd9d163daa26a6f34d

      SHA1

      0c7a71967bd4570770aa9b1043a1d82cd8969252

      SHA256

      d18e625001a778074faea9e00ae801988818827c121732ba020390e84897578e

      SHA512

      9970cbd96289c4461414ce86ed7577296287ec1e2ffa2f8539543d20b57c1610c3d84e058fb454b9b21db86678c48481e2b7b65af87c3b924c3afe6dd4689790

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      21KB

      MD5

      106d25ad20e52167f9a489d35eec667d

      SHA1

      3e0bf9468608079b6128926986031f301b167b5c

      SHA256

      53dd37d85c2cd7d6dbc7e5115db0b27a1932a2c7bfb22e10a512ea977846eb97

      SHA512

      ef8894dd186509e3e709fc3056224752517cb49458629aa7770f95f0c3cc89887eab8b930c69a54314babcae5b34984d01c1498b4da0bc78eabe5f28d2cedf67

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovbwdh2x.sty.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\Downloads\OriginalBuild.exe
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • C:\Users\Admin\Downloads\OriginalBuild.exe
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • C:\Users\Admin\Downloads\OriginalBuild.exe
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • C:\Users\Admin\Downloads\OriginalBuild.exe
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • C:\Users\Admin\Downloads\OriginalBuild.exe.204qy67.partial
      Filesize

      186KB

      MD5

      170ea3cd14c495010443b45f98027d55

      SHA1

      eda0de88cb80a413c8ffef547b5394aea793fbc2

      SHA256

      98a588f9dd8a084e828cb26d0a710859725869e8b438b79201ce1a508800fc39

      SHA512

      19964c0cb0e4dc02674c7c592b0301f71b5a27f60b5628a44937cfed06d48ed7eb5e46026dd21a1ba5bc17bcb6d00f5f3a20145ce580e0d6377aab72af4fa01e

      Download Submit
    • memory/2168-293-0x0000000000400000-0x0000000000425000-memory.dmp
      Filesize

      148KB

      Download
    • memory/2168-294-0x0000000000400000-0x0000000000425000-memory.dmp
      Filesize

      148KB

      Download
    • memory/2168-290-0x0000000000400000-0x0000000000425000-memory.dmp
      Filesize

      148KB

      Download
    • memory/2652-280-0x0000000004D70000-0x0000000004D80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2652-297-0x0000000004D70000-0x0000000004D80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-260-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-267-0x00000000065F0000-0x000000000660E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2828-268-0x0000000006A50000-0x0000000006A94000-memory.dmp
      Filesize

      272KB

      Download
    • memory/2828-269-0x00000000078E0000-0x0000000007956000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2828-270-0x0000000007FE0000-0x000000000865A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2828-271-0x0000000007960000-0x000000000797A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2828-272-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-262-0x0000000005FB0000-0x0000000006016000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2828-274-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-275-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-261-0x0000000005F40000-0x0000000005FA6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2828-277-0x0000000007CB0000-0x0000000007CD2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2828-254-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-279-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2828-253-0x0000000005800000-0x0000000005822000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2828-252-0x00000000058A0000-0x0000000005EC8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2828-251-0x0000000002CC0000-0x0000000002CF6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3840-303-0x0000000000400000-0x0000000000425000-memory.dmp
      Filesize

      148KB

      Download
    • memory/4048-278-0x00000000058E0000-0x00000000058F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4048-307-0x00000000058E0000-0x00000000058F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-273-0x0000000005330000-0x0000000005340000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-250-0x0000000005330000-0x0000000005340000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-249-0x00000000050E0000-0x00000000050EA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4920-248-0x0000000005110000-0x00000000051A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4920-247-0x0000000005790000-0x0000000005D34000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4920-246-0x0000000000700000-0x0000000000730000-memory.dmp
      Filesize

      192KB

      Download