Overview

overview

10

Static

static

3

daniilcode...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2023 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    daniilcoder_crypted.exe

  • Size

    538KB

  • MD5

    82fb3cc145b2b05aa6750513d393a2b2

  • SHA1

    97b18db9775fc94ffc6d66f17eb5e3a889203d63

  • SHA256

    6d9c24fc94431a1ed496008696fca844cfa262b21a2622651cecf4683a436900

  • SHA512

    a46394d9f541fd56e36d43cacbaf10b2eac97b0bcc33a31c6c0d02772547621da7167a5d86fe047337de0d5ca112c0bcb2d6798ecc77c4673c8c835d96c65884

  • SSDEEP

    12288:V77crGJ/xyKB9UyTLrY1XROcbzu2qgR0h76Z:R+GJ/zrYHb/R0h7

Score
10/10
raccoonf11400b7e6aba41ec29466fc8776c524stealer

Malware Config

Extracted

Family

raccoon

Botnet

f11400b7e6aba41ec29466fc8776c524

C2

http://94.142.138.147:77u

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\daniilcoder_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\daniilcoder_crypted.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:1412
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:1288
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 152
          2⤵
          • Program crash
          PID:4652
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1540 -ip 1540
        1⤵
          PID:508
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2120
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            2⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:504
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.0.913559166\683451712" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {603f942c-5d0c-4aec-b479-6e7566a62f3c} 504 "\\.\pipe\gecko-crash-server-pipe.504" 2000 1e2fb9ee658 gpu
              3⤵
                PID:2976
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.1.1694072939\1863274130" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d16680c-71eb-4bfa-9b54-c4390482e918} 504 "\\.\pipe\gecko-crash-server-pipe.504" 2420 1e2fb8fc658 socket
                3⤵
                • Checks processor information in registry
                PID:416
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.2.979430926\1246057185" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3032 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0d9f0a7-724d-4f73-a452-9368a0254bcd} 504 "\\.\pipe\gecko-crash-server-pipe.504" 3300 1e2ffab0458 tab
                3⤵
                  PID:4548
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.3.877899159\1876374259" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a665b0-fe8a-453a-87bd-f7c7e35cade2} 504 "\\.\pipe\gecko-crash-server-pipe.504" 3576 1e2fe563858 tab
                  3⤵
                    PID:4668
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.4.1521894694\26441359" -childID 3 -isForBrowser -prefsHandle 4432 -prefMapHandle 1716 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0015cc65-3332-4155-90d2-64478938c76f} 504 "\\.\pipe\gecko-crash-server-pipe.504" 4540 1e301885158 tab
                    3⤵
                      PID:1452
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.5.1070405386\835198886" -childID 4 -isForBrowser -prefsHandle 4996 -prefMapHandle 5000 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09565fa4-c215-4f06-887b-d91c97e9859e} 504 "\\.\pipe\gecko-crash-server-pipe.504" 5024 1e2ef164a58 tab
                      3⤵
                        PID:2884
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.7.1381583088\2096414116" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747e4437-0f88-4342-8f9a-49b7bd94bf90} 504 "\\.\pipe\gecko-crash-server-pipe.504" 5296 1e301f2b458 tab
                        3⤵
                          PID:2592
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.6.1250473305\180122966" -childID 5 -isForBrowser -prefsHandle 4912 -prefMapHandle 4904 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f08ad2b1-e6c6-4060-baf6-69c78c1b7518} 504 "\\.\pipe\gecko-crash-server-pipe.504" 5056 1e301f2d558 tab
                          3⤵
                            PID:1308
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.8.1155157996\1867057106" -childID 7 -isForBrowser -prefsHandle 5156 -prefMapHandle 5672 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {195d3b1e-5342-42b7-91d0-7c372d1eadd3} 504 "\\.\pipe\gecko-crash-server-pipe.504" 3736 1e301a59b58 tab
                            3⤵
                              PID:5468
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.9.694936071\2053301119" -childID 8 -isForBrowser -prefsHandle 6112 -prefMapHandle 6108 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7801163-74fb-4366-a33e-d8c4f86ef4dc} 504 "\\.\pipe\gecko-crash-server-pipe.504" 6120 1e30494b458 tab
                              3⤵
                                PID:5836
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.10.88537999\1803563774" -childID 9 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f9605f-defe-4688-8755-1e30054b7d11} 504 "\\.\pipe\gecko-crash-server-pipe.504" 5460 1e2fb9ecb58 tab
                                3⤵
                                  PID:5536
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="504.11.678921745\1662900843" -childID 10 -isForBrowser -prefsHandle 5184 -prefMapHandle 6128 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa9dc50a-d8c1-444e-b751-d36f74cfc5f4} 504 "\\.\pipe\gecko-crash-server-pipe.504" 5528 1e2fe298558 tab
                                  3⤵
                                    PID:5544

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cache2\entries\49C650ED78482C065B27CBCFFA7DC1A7EE0D0E01
                                Filesize

                                18KB

                                MD5

                                a5249d5ec356a61001abdf71fcb57643

                                SHA1

                                753bbda2bc6ceaf487d5ceac9a8b60e50e420d64

                                SHA256

                                bdeffea5ea89a45fd17effbcb60f3d3064cd8165ac464a2db95f83cd311365bc

                                SHA512

                                96d4eebb1cf9c4746cb57a4949d19d198c5524a954fc49c7c72d4dc97ceabaeeefdd745bd9b682d565b323dcd050ac8aeb3e1b207c13c74dcbace297e12a8f20

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cache2\entries\BE5B95A2C7BBBCB2AE301D63F2E5473378B07340
                                Filesize

                                24KB

                                MD5

                                fd67564975cdf3016200d58348533ae7

                                SHA1

                                b405a212c77a89b603db51748ee4bfcd6665f379

                                SHA256

                                24f1bfbe8289c52983b25af55f6535ee954d0486a24bf9b8f1262205fbb02853

                                SHA512

                                c386e4d1c99e7deabfc7b8f0d49dd64eae81fc9c81256ba5e504144c638917d2f8fbe0f70793bc58f7f6c8b573f70b84c0d4cd093ff6d964fd6e3cee7392540b

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js
                                Filesize

                                6KB

                                MD5

                                d074417877360488d4c1f3d5a290bc46

                                SHA1

                                ec9570b3b66a333e4748f618fb0c4ba8824630e7

                                SHA256

                                73173727b4f2d465336c02ee05a4d71ee7e06203893a9e775f35436e7ae1061a

                                SHA512

                                7dc1830b7717479cb0b1a19b284056ba7638f7b1360f4d029489f19c0ca9cdcde0621c6bf612e30d1018fff6941108baaedc76ea0de6e2e2507496d7bf82fc2f

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4
                                Filesize

                                3KB

                                MD5

                                b110b9cda2b9c225e3e88d1586a48715

                                SHA1

                                e61456e43fb0459a972087c792d2af1d52aebd53

                                SHA256

                                b63cb4512d9838b780a000b9fa5afbb2fa0d38cdd331647acbe71eb4630c8254

                                SHA512

                                a8dc22b9bc555763bc5cbf32859598da4ac9c72ab5c1866ea72faf094beb37302a24667942de7ccebd677651a75c36b594d8147836f6e3f0bdba0b1c5d911799

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore.jsonlz4
                                Filesize

                                3KB

                                MD5

                                8b62aeea6baf09ddb43973ec36183d84

                                SHA1

                                3a0b6cab75fd228fe367ed1263e879ff8db30934

                                SHA256

                                afa03e8e8101a04ee5dbe09b4d261dfacc59c8a86eab57db9b15006f475186d8

                                SHA512

                                e452be1dc58c682ca700db5d380c7893a3f10b7c4946f525f6aaaa7a520ba01a7944834e7f231f94226f8b7bcf9da5d458c3eef41a5402b90edb96677526d99b

                                Download Submit

                              • memory/1288-134-0x0000000000400000-0x000000000040F000-memory.dmp

                                Filesize

                                60KB

                                Download

                              • memory/1288-139-0x0000000000400000-0x000000000040F000-memory.dmp

                                Filesize

                                60KB

                                Download

                              • memory/1540-133-0x0000000000390000-0x000000000041D000-memory.dmp

                                Filesize

                                564KB

                                Download

                              • memory/2120-148-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-149-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-150-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-151-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-152-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-147-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-146-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-141-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-142-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2120-140-0x000001B6B2730000-0x000001B6B2731000-memory.dmp

                                Filesize

                                4KB

                                Download