Analysis
-
max time kernel
29s -
max time network
25s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
17-06-2023 14:39
General
-
Target
OriginalBuild-noAnti-cleaned_Slayed.exe
-
Size
254KB
-
MD5
d74faea7b03c50e52765b9267742766f
-
SHA1
003fe6b38214c3d09f63b9addf8dffefb2c8e4c8
-
SHA256
91dc9d4244f9042ddaf4a1e19c38697739acfb29a674c5f64307c666b98587e5
-
SHA512
1516e193e965a570f3df949030c484b1abaca99975b834b2b4489a66391225a98adc1e8ec367a9955b31bcb9a6cb74114585fe181a86d672e7d27967e635b1c9
-
SSDEEP
6144:AqCXwQB0GlRj+JDvdDrbE/8rA27oPEg4UkkX0cD:AJXwQIvdDdAXPEr+
Malware Config
Extracted
raccoon
91c4c1e32c1544bd463348a0c42e7865
http://94.142.138.102:80/
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OriginalBuild-noAnti-cleaned_Slayed.exe"C:\Users\Admin\AppData\Local\Temp\OriginalBuild-noAnti-cleaned_Slayed.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe3⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
272KB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
112KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB