Analysis
-
max time kernel
139s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
25/10/2023, 05:57
Static task
static1
Behavioral task
behavioral1
Sample
INV-PL (KF-20230920-KB) ???????????????????(?.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
INV-PL (KF-20230920-KB) ???????????????????(?.exe
Resource
win10v2004-20231023-en
General
-
Target
INV-PL (KF-20230920-KB) ???????????????????(?.exe
-
Size
491KB
-
MD5
d7efde7a4ae17a23044520ef4b1d6580
-
SHA1
625c66ee9ea45af883ddf19d98c730d24838204e
-
SHA256
989acc1c32f6dab02d1d29f18483f94d98b0708ddb057ce7404c348cb2b073f7
-
SHA512
a32589592835e4ce1fe2986e8728add41a75028f7c77885f2a8ed991a9d662419f93f10449f3f0947cb88f078f9d70dbc0803ab78a896146cfbc87be2b24403c
-
SSDEEP
12288:SZEMFB+H+5qrrQaj+o1Dz1eh0910GxAVU9DGe4:x8sSApb910Gay9R
Malware Config
Extracted
raccoon
20d8a2575ef4404ffce8393cb3e5ccc6
http://85.203.26.94:80/
-
user_agent
SunShineMoonLight
Signatures
-
Raccoon Stealer payload 3 IoCs
resource yara_rule behavioral2/memory/4988-13-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon behavioral2/memory/4988-16-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon behavioral2/memory/4988-18-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3320 set thread context of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 3320 INV-PL (KF-20230920-KB) ___________________(_.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3320 INV-PL (KF-20230920-KB) ___________________(_.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3320 wrote to memory of 2884 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 86 PID 3320 wrote to memory of 2884 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 86 PID 3320 wrote to memory of 2884 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 86 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87 PID 3320 wrote to memory of 4988 3320 INV-PL (KF-20230920-KB) ___________________(_.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\INV-PL (KF-20230920-KB) ___________________(_.exe"C:\Users\Admin\AppData\Local\Temp\INV-PL (KF-20230920-KB) ___________________(_.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\INV-PL (KF-20230920-KB) ___________________(_.exe"C:\Users\Admin\AppData\Local\Temp\INV-PL (KF-20230920-KB) ___________________(_.exe"2⤵PID:2884
-
-
C:\Users\Admin\AppData\Local\Temp\INV-PL (KF-20230920-KB) ___________________(_.exe"C:\Users\Admin\AppData\Local\Temp\INV-PL (KF-20230920-KB) ___________________(_.exe"2⤵PID:4988
-