Overview

overview

10

Static

static

3

set-up.exe

windows7-x64

set-up.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2023 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    set-up.exe

  • Size

    371KB

  • MD5

    192e4c5d8014a5ea0fc2e9037c9495fb

  • SHA1

    567611db1e7e4f55c441e06665335938ba8b32d4

  • SHA256

    f050a85f54e4d19d5c9ee302406922889e518df2607d67606f8f952f97853de6

  • SHA512

    0a9fdece10945ce2f21474c46ae4f49d372f30653022b524229e8837aca8955f4fc854c662d5b45aff98c61f356f8dcb4723e81079813ccf9cfa858d17d92c80

  • SSDEEP

    6144:94A7hhxG1koJKi6rBRNAO4EiAsnbzrpVnoHBiuqavmYrfefn/5:uChhxwUNiWsnbPp1KBbr3rWfnB

Score
10/10
raccoonbfbcd0ada8d3bffa2d0bd90c2e930c27discoveryspywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

bfbcd0ada8d3bffa2d0bd90c2e930c27

C2

http://185.157.120.15:80/

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\set-up.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1144
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3684

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1144-145-0x0000000006C60000-0x0000000006CD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1144-135-0x00000000062C0000-0x00000000068D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1144-133-0x0000000000F50000-0x0000000000F51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1144-160-0x0000000007B70000-0x000000000809C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1144-137-0x0000000005DF0000-0x0000000005EFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1144-138-0x0000000005D20000-0x0000000005D5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1144-139-0x0000000005C90000-0x0000000005CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-141-0x0000000005C90000-0x0000000005CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-140-0x0000000005C90000-0x0000000005CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-142-0x0000000006030000-0x0000000006096000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1144-143-0x0000000007090000-0x0000000007634000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1144-144-0x0000000006BC0000-0x0000000006C52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1144-161-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1144-134-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1144-136-0x0000000005CC0000-0x0000000005CD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1144-153-0x0000000006EB0000-0x0000000007072000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3684-148-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-152-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-154-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-155-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-156-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-157-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-147-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-159-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-158-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-146-0x000001F251FD0000-0x000001F251FD1000-memory.dmp

    Filesize

    4KB

    Download