Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2023 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.5MB

  • MD5

    09f16ecc21bd2d570fd6c6411128b714

  • SHA1

    71dd57498b1989e7c61e1c4865f306e5d5e222f2

  • SHA256

    0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

  • SHA512

    2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

  • SSDEEP

    49152:KBrY2fc7XyDjhZ0j5Jl34KZbGiJyXoogg:ArncjyDNajHZbGi4

Score
10/10
raccoonpersistencestealer

Malware Config

Extracted

Family

raccoon

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\Desktop\UClient.exe
      "C:\Users\Admin\Desktop\UClient.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe
        "C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe" /d C:\Users\Admin\Desktop\UClient.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Users\Admin\Desktop\UClient.exe
          "C:\Users\Admin\Desktop\UClient.exe" /t 2708
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\UClient\procid
    Filesize

    4B

    MD5

    712a3c9878efeae8ff06d57432016ceb

    SHA1

    7fd0dc28db1b5252f0aca04247cf21853f772e70

    SHA256

    681d12400213531e5fdef04c597ac192d359c2d0351df6f22f0240134d873350

    SHA512

    ff2b49d3c31ae6428b7477bc6b59d786e0902aa4758ac5b3c9c86d96fcf564bd473bc5a8778cd6fab9c2387a487d93bc5afe8a246af0affb45ed7c5e3acda95b

    Download Submit

  • C:\Users\Admin\AppData\Local\UClient\procid
    Filesize

    4B

    MD5

    aaaccd2766ec67aecbe26459bb828d81

    SHA1

    1bbb8b7b99d2acc79981a259abe0a8c15bdc2239

    SHA256

    8d7c658f9476ff2c201e41df6fb6ae0b82528a5b19a6b9f3bae83fd7bdb87b75

    SHA512

    c512770b178c913369ae4e2562c90b40c32e4e3312d00a221a888827f03ba5c0b015f1198f84abcca4bec9eaa9354af506c85ea8c92bbeaea68cd00a5148a769

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\UClient.db
    Filesize

    28KB

    MD5

    7824bf7d9df77f3df3f65229208dd571

    SHA1

    a877b7efe39b772049324c4cd6dde0134bf79726

    SHA256

    6166ae0138a187f51a931f57c0a5a13ac3775ae99e3ec7823b5963b19621a755

    SHA512

    c33fe843bf90a0e6154dfa1246d2eb6aa6b03e570c6a102fd4883535dbc741f2dba7be91c8df4903bd486f393f1a262bb2eab48024e9b709ae18df42fcd2156d

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\UClient.db
    Filesize

    28KB

    MD5

    8ae98b8e870cf44006373ce943c18571

    SHA1

    553153810bc46edb92e6c79d9af369e22bbebcd8

    SHA256

    dda9ef7105ff40509b9558d4be90fc73a6f892a2e30ac585b54480bd23c3816e

    SHA512

    5926afba56b344a78026fa267ed95c3ad9bd3bf583e472413ddd8638b7c46604391c25a89c96922a3b42f3c4ed6688096d0d5c9ef128959428e89fdb482a07a7

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\appgroup.xml
    Filesize

    79B

    MD5

    8258c3fb494764b7e4d1dfa6f98b5249

    SHA1

    7aec9fe45652ff692e8f4d83e0b5141e5d8bf6ef

    SHA256

    27b2f8bab527c849aaa7b7742614e64bfe7bc72efe34bc020df20019f19258d3

    SHA512

    05570f3ea08aabade658bb85e9d1236f8615aba4604edb19893298b1e3cdd25f4cda0057e9152ac3daa38f9716bab038005ccbae61cb414efdfa748f4c211f95

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\apporder.xml
    Filesize

    79B

    MD5

    bac02ebf3111d51121a9d094e148a690

    SHA1

    04f08111791d2057c858c88bfc7ebbe1e2bd2328

    SHA256

    b3126694d4041c8d808d33aa9ae6e8199798ceb40b527e27dc5846bed21a5d5b

    SHA512

    eaa3a03134106717d81d86940ecca68fa1f01f7173b4f7656a0af16b03e0fdc5668bae874071559ac8e38f882af8243e11581fb576cec20fe42492881b0903a0

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\apps\UClient_Agent\app.esc
    Filesize

    762B

    MD5

    d0665abc978ac86f11570ea527ca89ae

    SHA1

    115415f4e3b7e9fe2e3c8ff97877865c044f8afd

    SHA256

    18f7154fb3890ee495b691f67a9c2f6aeac0484303d3a0aa70abd3a7665a9337

    SHA512

    847f1c2446ec49963cacb37643520c7c41840f90f56a7ad5ba4369b4a3a3e5d2c0c3fdadabc0951eb01b51b991aa67fbd7e07c068ca3786424e0d22b57b452c7

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\downloads\ubrowser\app.esc
    Filesize

    1KB

    MD5

    291a0a842babcd20b20cd66f4a3e57b4

    SHA1

    f719e66c4ae88c814a3d08c7af5d55f8d2bbb403

    SHA256

    e56578d66998a8964516fe14283ff26d569edd1fe74c1eaaf40dc14ba8fd36ed

    SHA512

    9fe88d2bc82211859c6f89450aad61a9e040647e0c64e6e6fe7f429fa81ac93898e2fde0fb6283eb7d3d706839eb088131a3b6726fcb237fa40e7f47e690337a

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\log\main.log
    Filesize

    241B

    MD5

    31ca74e105368cca4e55491c898fa0ec

    SHA1

    70e9ba4ccdcc9c40f0bc928b7b447f8680eba775

    SHA256

    539a0f2c5f96705756ebebf4d11189d22773ed2734bd70487716d939f5b24647

    SHA512

    602649b3f355a6cd3c5c4f5927fd9e5d43f16ab2b11cd2dad07576e2f644653f85569ff491224bbcf67ee3f1dcb018f0301f13a8578304eaec1054cfe8176d2a

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\log\main.log
    Filesize

    2KB

    MD5

    9fb1488f6edfa6d6e4e43faa3cc5b979

    SHA1

    de17396bb36bac38473d360b4624a7f45b13d1f0

    SHA256

    3b88ae9410ed658e1bf411a7053adfb8a4332b6bd7b0cf29aba110debcce046b

    SHA512

    561a96e4b668b87b9c36f62cd83c92cbb1b2b99b6f75441e1cb0c529f200d190addc217be16a14a050beefd80d47a5e036d5d73fea54d17a86fe8678f561715c

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\log\main.log
    Filesize

    4KB

    MD5

    b46a075fec7ae823fe191463105079cc

    SHA1

    69c8d42245381a22bf63ed1fb9ddea688b751359

    SHA256

    92b193c94745f1bf8e8fe553a7c4a2e61b54c3c53bce9b619e19858270d770b8

    SHA512

    b60d4dd1d59789cddc118270e1b1ec678cca31deadd02076e4278d8fd1ba7862b575411ac044f65e55c157b290e059d8d32dbf2b99162cb60cb43658357c8810

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\setting.cfg
    Filesize

    15B

    MD5

    16ee1f8ca34fc082903e32fce6025244

    SHA1

    9552628f52690d025b6f49011971eecc4b1b58a7

    SHA256

    81ad6a1a0fb68aac9c5066dbc3e9f8e8fcac4cb8b634935043cdc58f914dd133

    SHA512

    bb15cba4c1b4b2339fb1fe94a9d805c0bd02d413e2d0a9da5522295610da21bbb7c3ccbc6044b84e5ddb465434c1cde24c9a8cdcbc1fb09c787e32d3c2e6a902

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe
    Filesize

    6.6MB

    MD5

    35e7c4b4062e78cd42451c4bb4d78176

    SHA1

    4bb7f98325714354a29a2ded751ded67d8ba718e

    SHA256

    dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

    SHA512

    3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe
    Filesize

    6.6MB

    MD5

    35e7c4b4062e78cd42451c4bb4d78176

    SHA1

    4bb7f98325714354a29a2ded751ded67d8ba718e

    SHA256

    dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

    SHA512

    3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

    Download Submit

  • C:\Users\Admin\AppData\Local\uclient\temp\UClient_new.exe
    Filesize

    6.6MB

    MD5

    35e7c4b4062e78cd42451c4bb4d78176

    SHA1

    4bb7f98325714354a29a2ded751ded67d8ba718e

    SHA256

    dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

    SHA512

    3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\UClient.lnk
    Filesize

    619B

    MD5

    c569734c204e698f7a52fd3e7a94ba46

    SHA1

    4c91978b31ba880a2efb21e26daa05c9eb7eb70a

    SHA256

    77dbab10b2b7941588b55e47996306cbd60fe27bdf01e12da12286f3c0d7f3a6

    SHA512

    da86a8b3cdb43435cb8e246d0c4bc691ba9ba3e55d98ca55180224cfa6877820d083771232d8870ffbfb5771e2a966327195c2b0c2f09cefe1ea470e3ac3506a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\卸载UClient.lnk
    Filesize

    621B

    MD5

    5b3a8ac553fff4956c7747707092f6b4

    SHA1

    649d109e94eebe474edc486ad8d16f6ba96258a5

    SHA256

    73d8f52c52642b829a03f91408bcc5e0a28315f062cf24eeedf9375eda9a1081

    SHA512

    6ae22e572f10a5dc2f12d7682b1eb573c09e2a3469a57aafed0cf74d399c0db8777a820d4d8882f49a1b543c102ddeb9304a65967ea93af436d5c5721588edde

    Download Submit

  • C:\Users\Admin\Desktop\UClient.exe
    Filesize

    1.5MB

    MD5

    09f16ecc21bd2d570fd6c6411128b714

    SHA1

    71dd57498b1989e7c61e1c4865f306e5d5e222f2

    SHA256

    0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

    SHA512

    2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

    Download Submit

  • C:\Users\Admin\Desktop\UClient.exe
    Filesize

    1.5MB

    MD5

    09f16ecc21bd2d570fd6c6411128b714

    SHA1

    71dd57498b1989e7c61e1c4865f306e5d5e222f2

    SHA256

    0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

    SHA512

    2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

    Download Submit

  • C:\Users\Admin\Desktop\UClient.exe
    Filesize

    1.5MB

    MD5

    09f16ecc21bd2d570fd6c6411128b714

    SHA1

    71dd57498b1989e7c61e1c4865f306e5d5e222f2

    SHA256

    0f6b398bf5f91af3ec82ad6a7417ec3dd71f7f220409d5c327b63a4c7334e844

    SHA512

    2b89d3c3e6722da0c7acfb8468aebfe112fadda93f71708e48035b9bb0ea35120a0eb1d04c80c4d2c4a2004f866f71d8a072f1f8ebc567d2813b243ac21488e1

    Download Submit

  • C:\Users\Admin\Desktop\UClient.exe
    Filesize

    6.6MB

    MD5

    35e7c4b4062e78cd42451c4bb4d78176

    SHA1

    4bb7f98325714354a29a2ded751ded67d8ba718e

    SHA256

    dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

    SHA512

    3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

    Download Submit

  • C:\Users\Admin\Desktop\UClient.exe
    Filesize

    6.6MB

    MD5

    35e7c4b4062e78cd42451c4bb4d78176

    SHA1

    4bb7f98325714354a29a2ded751ded67d8ba718e

    SHA256

    dc723e1fb4c3c89da65c762127b59f5740a332fdd697b419c3f2cdb64cde207f

    SHA512

    3fd0d906e021681dc6e5fc1f407b9f813ccecef94cd9b67c5839d9a5f2442657627c1113aede49a4870afc49bc1cc97c130728978f33fc76d75d4f957a5a1118

    Download Submit