raccoon | fd932cc727c801502c3c3250efa825a5bec52aa3343ce2d249c914c27288f425

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

265KB
MD5

5a89046e22c085a2891cdd999e0f0d47
SHA1

92786a72b76446c2d8c0d7013e573243e87839f7
SHA256

fd932cc727c801502c3c3250efa825a5bec52aa3343ce2d249c914c27288f425
SHA512

a4ca0b3ca7286d08ff848ede99bb01d3b116596fda2fa29cd2d200f5bf99313909d644aedccecc17af498ccfc84276ddcee5e1c55668852de3113b8e72a5d451
SSDEEP

3072:7DFaQytaulhnVAcMAh99Xn2jJbNMGfx3HzDapOUYkwxFZ4:fFH0nVJMAj9XnobiSx3TDapq

Score

10^/10

raccoon smokeloader stealc backdoor collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

Extracted

Family

stealc

http://dskflherlkhopihsf.com

Attributes

url_path
/d414f888bed8c202.php

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3948-47-0x0000000002C10000-0x0000000002C26000-memory.dmp	family_raccoon_v2
behavioral2/memory/3948-56-0x0000000000400000-0x0000000002ABF000-memory.dmp	family_raccoon_v2
behavioral2/memory/3948-143-0x0000000000400000-0x0000000002ABF000-memory.dmp	family_raccoon_v2

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

36CC.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 36CC.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	36CC.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36CC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	36CC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36CC.exe

Deletes itself 1 IoCs

Processes:

pid process

3192
Executes dropped EXE 5 IoCs

Processes:

36CC.exe395E.exe3B04.exe3DC5.exeWithdrawal.pif

pid process

4460 36CC.exe
224 395E.exe
3948 3B04.exe
1036 3DC5.exe
4452 Withdrawal.pif
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32.exeWithdrawal.pif

pid process

3756 regsvr32.exe
796 regsvr32.exe
4452 Withdrawal.pif
4452 Withdrawal.pif
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3192

pid	process
4460	36CC.exe
224	395E.exe
3948	3B04.exe
1036	3DC5.exe
4452	Withdrawal.pif

pid	process
3756	regsvr32.exe
796	regsvr32.exe
4452	Withdrawal.pif
4452	Withdrawal.pif

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\36CC.exe	themida
C:\Users\Admin\AppData\Local\Temp\36CC.exe	themida
behavioral2/memory/4460-57-0x0000000000B80000-0x0000000001398000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

36CC.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 36CC.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

36CC.exe

pid process

4460 36CC.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

395E.exe

description pid process target process

PID 224 set thread context of 3744 224 395E.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1372 224 WerFault.exe 395E.exe
2380 3948 WerFault.exe 3B04.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	36CC.exe

pid	process
4460	36CC.exe

description	pid	process	target process
PID 224 set thread context of 3744	224	395E.exe	AppLaunch.exe

pid	pid_target	process	target process
1372	224	WerFault.exe	395E.exe
2380	3948	WerFault.exe	3B04.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Withdrawal.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Withdrawal.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Withdrawal.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3624 tasklist.exe
4744 tasklist.exe

pid	process
3624	tasklist.exe
4744	tasklist.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3372 PING.EXE

pid	process
3372	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
3380	file.exe
3380	file.exe
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3192
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

file.exe

pid process

3380 file.exe
3192
3192
3192
3192

pid	process
3192

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

tasklist.exeAppLaunch.exetasklist.exe

description	pid	process
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeDebugPrivilege	3624	tasklist.exe
Token: SeDebugPrivilege	3744	AppLaunch.exe
Token: SeDebugPrivilege	4744	tasklist.exe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Withdrawal.pif

pid process

3192
3192
3192
4452 Withdrawal.pif
3192
3192
4452 Withdrawal.pif
4452 Withdrawal.pif
3192
3192
3192
3192
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Withdrawal.pif

pid process

3192
3192
3192
4452 Withdrawal.pif
4452 Withdrawal.pif
4452 Withdrawal.pif

pid	process
3192
3192
3192
4452	Withdrawal.pif
3192
3192
4452	Withdrawal.pif
4452	Withdrawal.pif
3192
3192
3192
3192

pid	process
3192
3192
3192
4452	Withdrawal.pif
4452	Withdrawal.pif
4452	Withdrawal.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.exe395E.exe3DC5.execmd.execmd.exe

description	pid	process	target process
PID 3192 wrote to memory of 2380	3192		regsvr32.exe
PID 3192 wrote to memory of 2380	3192		regsvr32.exe
PID 2380 wrote to memory of 3756	2380	regsvr32.exe	regsvr32.exe
PID 2380 wrote to memory of 3756	2380	regsvr32.exe	regsvr32.exe
PID 2380 wrote to memory of 3756	2380	regsvr32.exe	regsvr32.exe
PID 3192 wrote to memory of 4568	3192		regsvr32.exe
PID 3192 wrote to memory of 4568	3192		regsvr32.exe
PID 4568 wrote to memory of 796	4568	regsvr32.exe	regsvr32.exe
PID 4568 wrote to memory of 796	4568	regsvr32.exe	regsvr32.exe
PID 4568 wrote to memory of 796	4568	regsvr32.exe	regsvr32.exe
PID 3192 wrote to memory of 4460	3192		36CC.exe
PID 3192 wrote to memory of 4460	3192		36CC.exe
PID 3192 wrote to memory of 4460	3192		36CC.exe
PID 3192 wrote to memory of 224	3192		395E.exe
PID 3192 wrote to memory of 224	3192		395E.exe
PID 3192 wrote to memory of 224	3192		395E.exe
PID 3192 wrote to memory of 3948	3192		3B04.exe
PID 3192 wrote to memory of 3948	3192		3B04.exe
PID 3192 wrote to memory of 3948	3192		3B04.exe
PID 3192 wrote to memory of 1036	3192		3DC5.exe
PID 3192 wrote to memory of 1036	3192		3DC5.exe
PID 3192 wrote to memory of 1036	3192		3DC5.exe
PID 3192 wrote to memory of 3668	3192		explorer.exe
PID 3192 wrote to memory of 3668	3192		explorer.exe
PID 3192 wrote to memory of 3668	3192		explorer.exe
PID 3192 wrote to memory of 3668	3192		explorer.exe
PID 3192 wrote to memory of 1940	3192		explorer.exe
PID 3192 wrote to memory of 1940	3192		explorer.exe
PID 3192 wrote to memory of 1940	3192		explorer.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 224 wrote to memory of 3744	224	395E.exe	AppLaunch.exe
PID 1036 wrote to memory of 3748	1036	3DC5.exe	cmd.exe
PID 1036 wrote to memory of 3748	1036	3DC5.exe	cmd.exe
PID 1036 wrote to memory of 3748	1036	3DC5.exe	cmd.exe
PID 3748 wrote to memory of 3712	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 3712	3748	cmd.exe	cmd.exe
PID 3748 wrote to memory of 3712	3748	cmd.exe	cmd.exe
PID 3712 wrote to memory of 3624	3712	cmd.exe	tasklist.exe
PID 3712 wrote to memory of 3624	3712	cmd.exe	tasklist.exe
PID 3712 wrote to memory of 3624	3712	cmd.exe	tasklist.exe
PID 3712 wrote to memory of 1924	3712	cmd.exe	findstr.exe
PID 3712 wrote to memory of 1924	3712	cmd.exe	findstr.exe
PID 3712 wrote to memory of 1924	3712	cmd.exe	findstr.exe
PID 3712 wrote to memory of 4744	3712	cmd.exe	tasklist.exe
PID 3712 wrote to memory of 4744	3712	cmd.exe	tasklist.exe
PID 3712 wrote to memory of 4744	3712	cmd.exe	tasklist.exe
PID 3712 wrote to memory of 912	3712	cmd.exe	findstr.exe
PID 3712 wrote to memory of 912	3712	cmd.exe	findstr.exe
PID 3712 wrote to memory of 912	3712	cmd.exe	findstr.exe
PID 3712 wrote to memory of 4272	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 4272	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 4272	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 4384	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 4384	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 4384	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 3868	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 3868	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 3868	3712	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3380

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2F29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2F29.dll
2⤵
- Loads dropped DLL
PID:3756

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3370.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3370.dll
2⤵
- Loads dropped DLL
PID:796

C:\Users\Admin\AppData\Local\Temp\36CC.exe
C:\Users\Admin\AppData\Local\Temp\36CC.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4460

C:\Users\Admin\AppData\Local\Temp\395E.exe
C:\Users\Admin\AppData\Local\Temp\395E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 296
2⤵
- Program crash
PID:1372

C:\Users\Admin\AppData\Local\Temp\3B04.exe
C:\Users\Admin\AppData\Local\Temp\3B04.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 7232
2⤵
- Program crash
PID:2380

C:\Users\Admin\AppData\Local\Temp\3DC5.exe
C:\Users\Admin\AppData\Local\Temp\3DC5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /k cmd < Respective & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:1924

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
4⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 32497
4⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Legislative 32497\C
4⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\24464\32497\Withdrawal.pif
32497\Withdrawal.pif 32497\C
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4452

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:3372

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Regional + Confirm + Returned + Wt + Inspector 32497\Withdrawal.pif
4⤵
PID:4384

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3668

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 224 -ip 224
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3948 -ip 3948
1⤵
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAKEGIJE
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JJJEGHDA
Filesize
92KB

MD5
21363921c6943b0ba12e8c3cbd47a7fd

SHA1
03bb94c70b12783c4d1962cc7cb9f752ff8a9a54

SHA256
2f023e72c5bc9804a60441c14980fa8de30d3118e3d7ce67d8951989b1d90c4a

SHA512
3749d95295a281e18f7eca6bdecc45d0d08bc98a4da5d5b8ab21cd5022eed125b1b7a4b96c70ed486750be4eabd4da325ab9a7a1fb497dda4c4f30f9adf8da43

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\32497\C
Filesize
377KB

MD5
4ec4ad960da2cb4684b48430d1551d96

SHA1
cdb217c2b32e1942716c7179413290c29502921b

SHA256
d391518880bc55220e1f5839e555632e44c0e7687a93a1c88f10ef68ecb68d9b

SHA512
478d90b8b053806a18ba7a2f5361cd97fb80282791fa768d75a272c135deaa4fb92f04c632afb2bfe7efcbd116bc42e9644fe4d5e1981ecfb005b084ebb27fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\32497\Withdrawal.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\32497\Withdrawal.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Confirm
Filesize
243KB

MD5
d1a9550b8078565b53936083567f9d6e

SHA1
d53d9a0e549ef9c78d75ce559947e9828529ad08

SHA256
ae673e836d3e83e8855f534fb477f3a7dd37646c9ac8504571f478a484f84283

SHA512
4c911f9a61b31c623c8bd7d8b1575feb5ef9d55cb1b19080d51457b41af9ac6c85092ca77982eb79cc10fb925b185aa775a67dd24b26092bc250b91ac7de8c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Inspector
Filesize
93KB

MD5
86fcffd7369255c4767ddec3acf337f9

SHA1
26925b7670b3517bb8c62435cb19e237afbdc5d1

SHA256
3f67211ce9f141790470220d1d027d6dcf4eeff45784656a12e827127b3c1646

SHA512
6881cebf2fc9dbeb1f4b6eb9c6ed80caea76b8a03641761264a27a400d5e7f48b87b5e0bc0a78e964772e7e4e50ddd5ecae801c90c95b4e81803010027c0bef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Legislative
Filesize
377KB

MD5
4ec4ad960da2cb4684b48430d1551d96

SHA1
cdb217c2b32e1942716c7179413290c29502921b

SHA256
d391518880bc55220e1f5839e555632e44c0e7687a93a1c88f10ef68ecb68d9b

SHA512
478d90b8b053806a18ba7a2f5361cd97fb80282791fa768d75a272c135deaa4fb92f04c632afb2bfe7efcbd116bc42e9644fe4d5e1981ecfb005b084ebb27fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Regional
Filesize
242KB

MD5
3dc2a9b76a1d6565091a348e2b1f8751

SHA1
79565e6821e0f4c1a8d28494365d3b3deb354140

SHA256
acf6ace5d4162c30d687204df636013d66167a1a01af56e7c2721fe32a156558

SHA512
ae6861c940bb3609d361e043f73c54882091adb1de34e8217b5787639fb7035e6d358cd2418e1c967c97886193ec9a54c95b9ea9fb681b18a6c682897e24656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Respective
Filesize
13KB

MD5
baa07a42f9394b89798bbd46e023a0e7

SHA1
ce4a0bd8d304257da05356ef6a4f090ece478970

SHA256
dc096f15b8028340467f843042717ff07a1dddf6a892cf76352e537b1edebd23

SHA512
ae79d4e6f551fe5aff023dc15d3f3149b39134353eb0d6f3052560a25b9281c0ff81aefcc7053822af113e1bd04a6c976294d2790e3a3684452bdc09be505a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Returned
Filesize
245KB

MD5
8d76cf127908762d845352d98c418c7e

SHA1
e744036f129a994fe6d005879a427af1403a896a

SHA256
1e802924b485b75d71cd94db174e55617562366c48857e444f3b292a663a5ac6

SHA512
5ff995540133d2c7db6a9df3adde716a04252fa69dfd5bbb923272745926b1650b6681eee6730583452f2255ea8909737ae588a76ffc6c23506b96730088dd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\24464\Wt
Filesize
101KB

MD5
9d6d4052e082931286be4b16d3c602b1

SHA1
171b754598811461691891bc8db914238b1dc4c7

SHA256
2ecf3307edbcee6a26ca2108007517375f613056f7bb1bc59926177a5238b88e

SHA512
3de91d65e74345646901ca1ac8b353e72a07a61693d38e52e7d292174c2dec087f4285d4d6d61a984535aecc7106d72c8f598c9603006358e234a310f91c00ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F29.dll
Filesize
2.4MB

MD5
60278c734d0e8005e0270d207d55d56d

SHA1
456c2f76b1715098edc0d2fd2ec012f3b05934d8

SHA256
91cb3641a6dc7c29319270f008121c4a6cd3ee0f8be2b70952ff6217d0c80b37

SHA512
e96c547b041ba68adba9ab69bfb711d280b4c47e186ed9d2248d862d138b656676fb4044737e60d661c7e2d8ecfc7fc838d490b03b5c3977119d64ec8a05f53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F29.dll
Filesize
2.4MB

MD5
60278c734d0e8005e0270d207d55d56d

SHA1
456c2f76b1715098edc0d2fd2ec012f3b05934d8

SHA256
91cb3641a6dc7c29319270f008121c4a6cd3ee0f8be2b70952ff6217d0c80b37

SHA512
e96c547b041ba68adba9ab69bfb711d280b4c47e186ed9d2248d862d138b656676fb4044737e60d661c7e2d8ecfc7fc838d490b03b5c3977119d64ec8a05f53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3370.dll
Filesize
2.5MB

MD5
3a8d9dad9e17e536c58ddda0b0a81b55

SHA1
b910b34815ec0d9c4cb20913906b9698df8c7d12

SHA256
28355179a39e174af1789a6e02ab8d22efa0bd035330d3c0f6d2f23e71c5f553

SHA512
490fe1308ca1a51e0f12fc2d2cba57a624669a8356a5afa7ddd4dfb7e8e8a28b284441f609d902c19c4251b8b642997242783bc049421e86b6990b8c5cd8ec85

Download Submit
C:\Users\Admin\AppData\Local\Temp\3370.dll
Filesize
2.5MB

MD5
3a8d9dad9e17e536c58ddda0b0a81b55

SHA1
b910b34815ec0d9c4cb20913906b9698df8c7d12

SHA256
28355179a39e174af1789a6e02ab8d22efa0bd035330d3c0f6d2f23e71c5f553

SHA512
490fe1308ca1a51e0f12fc2d2cba57a624669a8356a5afa7ddd4dfb7e8e8a28b284441f609d902c19c4251b8b642997242783bc049421e86b6990b8c5cd8ec85

Download Submit
C:\Users\Admin\AppData\Local\Temp\36CC.exe
Filesize
3.1MB

MD5
f0bf89183524be68ffc2a1517c4cd08a

SHA1
874f761c7294e14a405cb5f32f36222462beb8c9

SHA256
e1a82efddab700a97eaf3fdcaffb9aa0922703a70ed3d9826c075ede54dc3e12

SHA512
c9d7fa32be98846e2a9680517a324f63a81379c61d6495edff62b9facaad0dfb38a2c3c0cbac1ea4db0e7b692bf3d990080ea69c98b46db718451ca7ac139a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\36CC.exe
Filesize
3.1MB

MD5
f0bf89183524be68ffc2a1517c4cd08a

SHA1
874f761c7294e14a405cb5f32f36222462beb8c9

SHA256
e1a82efddab700a97eaf3fdcaffb9aa0922703a70ed3d9826c075ede54dc3e12

SHA512
c9d7fa32be98846e2a9680517a324f63a81379c61d6495edff62b9facaad0dfb38a2c3c0cbac1ea4db0e7b692bf3d990080ea69c98b46db718451ca7ac139a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\395E.exe
Filesize
263KB

MD5
8984791137a338a066c32502b6ab7342

SHA1
1041dfabf8dbf8e67914cb82fa94b201c36c6afd

SHA256
c71f495f0867c7fb4d588bce1f91ff1ddfbe0e1452e696a1a9113551871a0b07

SHA512
b20cf0d32a7bdc849301f249eb42cc6e3931a79fecc6f119f67e4f4bac4b2b1d8af9d7ccff3c58efbe448b2078d3bb51f2b2979e5ef283d4354d8976660d5e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\395E.exe
Filesize
263KB

MD5
8984791137a338a066c32502b6ab7342

SHA1
1041dfabf8dbf8e67914cb82fa94b201c36c6afd

SHA256
c71f495f0867c7fb4d588bce1f91ff1ddfbe0e1452e696a1a9113551871a0b07

SHA512
b20cf0d32a7bdc849301f249eb42cc6e3931a79fecc6f119f67e4f4bac4b2b1d8af9d7ccff3c58efbe448b2078d3bb51f2b2979e5ef283d4354d8976660d5e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B04.exe
Filesize
291KB

MD5
1de5eb2944545479b07139c4b4227cb4

SHA1
6baf1786af938b22a92b5f515f9d4ee131e6495a

SHA256
876ba20dfdae7014531937bf45a1a94757b01e72ae4e6ce5bee66665f1763dd1

SHA512
75322c0a9f12a74a69fc342c24ab3fe622dff26545f679b4baa9ffca6e1962e13d7455146bf332db24162aac595d31f5d9f28a4c8dc5685bd94e8ce87aec023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B04.exe
Filesize
291KB

MD5
1de5eb2944545479b07139c4b4227cb4

SHA1
6baf1786af938b22a92b5f515f9d4ee131e6495a

SHA256
876ba20dfdae7014531937bf45a1a94757b01e72ae4e6ce5bee66665f1763dd1

SHA512
75322c0a9f12a74a69fc342c24ab3fe622dff26545f679b4baa9ffca6e1962e13d7455146bf332db24162aac595d31f5d9f28a4c8dc5685bd94e8ce87aec023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DC5.exe
Filesize
1.2MB

MD5
a77bad084fbb9aaa5f7d7b30cf5ae249

SHA1
a609fb074d293745872d2e3ca2f3a555395ba047

SHA256
a182ff451fb772a8e8c99483234659f381a6822b72f36b4cb6a5a32d9de70d06

SHA512
24181e10f6b3349b049f04e0cd81d5fe8b33cbcdc4e46901f8705110ad89e417e07e215293b7c52452fceaddf264b61c5f8c7f3c1518441a0d40b8ee8a3741c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DC5.exe
Filesize
1.2MB

MD5
a77bad084fbb9aaa5f7d7b30cf5ae249

SHA1
a609fb074d293745872d2e3ca2f3a555395ba047

SHA256
a182ff451fb772a8e8c99483234659f381a6822b72f36b4cb6a5a32d9de70d06

SHA512
24181e10f6b3349b049f04e0cd81d5fe8b33cbcdc4e46901f8705110ad89e417e07e215293b7c52452fceaddf264b61c5f8c7f3c1518441a0d40b8ee8a3741c2

Download Submit
memory/796-97-0x0000000002580000-0x00000000026B2000-memory.dmp

Filesize
1.2MB

Download
memory/796-102-0x00000000026C0000-0x00000000027D6000-memory.dmp

Filesize
1.1MB

Download
memory/796-99-0x00000000026C0000-0x00000000027D6000-memory.dmp

Filesize
1.1MB

Download
memory/796-104-0x00000000026C0000-0x00000000027D6000-memory.dmp

Filesize
1.1MB

Download
memory/796-23-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download
memory/796-24-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/1036-144-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1036-147-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1036-62-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1940-61-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1940-73-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1940-77-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/3192-4-0x0000000002840000-0x0000000002856000-memory.dmp

Filesize
88KB

Download
memory/3380-5-0x0000000000400000-0x0000000000B9C000-memory.dmp

Filesize
7.6MB

Download
memory/3380-3-0x0000000000400000-0x0000000000B9C000-memory.dmp

Filesize
7.6MB

Download
memory/3380-1-0x0000000000BD0000-0x0000000000CD0000-memory.dmp

Filesize
1024KB

Download
memory/3380-2-0x0000000000CE0000-0x0000000000CEB000-memory.dmp

Filesize
44KB

Download
memory/3668-96-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/3668-71-0x0000000000600000-0x0000000000680000-memory.dmp

Filesize
512KB

Download
memory/3668-59-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/3668-54-0x0000000000390000-0x00000000003FB000-memory.dmp

Filesize
428KB

Download
memory/3744-124-0x0000000005D60000-0x0000000005DD6000-memory.dmp

Filesize
472KB

Download
memory/3744-128-0x0000000006C50000-0x0000000006E12000-memory.dmp

Filesize
1.8MB

Download
memory/3744-118-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/3744-98-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3744-126-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/3744-129-0x0000000007350000-0x000000000787C000-memory.dmp

Filesize
5.2MB

Download
memory/3744-127-0x0000000006270000-0x00000000062C0000-memory.dmp

Filesize
320KB

Download
memory/3744-146-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/3744-110-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/3744-111-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3756-122-0x0000000002F70000-0x000000000308F000-memory.dmp

Filesize
1.1MB

Download
memory/3756-116-0x0000000002F70000-0x000000000308F000-memory.dmp

Filesize
1.1MB

Download
memory/3756-108-0x0000000002E30000-0x0000000002F6D000-memory.dmp

Filesize
1.2MB

Download
memory/3756-18-0x0000000010000000-0x0000000010267000-memory.dmp

Filesize
2.4MB

Download
memory/3756-123-0x0000000002F70000-0x000000000308F000-memory.dmp

Filesize
1.1MB

Download
memory/3756-17-0x0000000001030000-0x0000000001036000-memory.dmp

Filesize
24KB

Download
memory/3948-47-0x0000000002C10000-0x0000000002C26000-memory.dmp

Filesize
88KB

Download
memory/3948-56-0x0000000000400000-0x0000000002ABF000-memory.dmp

Filesize
38.7MB

Download
memory/3948-66-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/3948-143-0x0000000000400000-0x0000000002ABF000-memory.dmp

Filesize
38.7MB

Download
memory/4452-164-0x00000000043C0000-0x00000000045EE000-memory.dmp

Filesize
2.2MB

Download
memory/4452-163-0x00000000043C0000-0x00000000045EE000-memory.dmp

Filesize
2.2MB

Download
memory/4452-161-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/4452-162-0x00000000043C0000-0x00000000045EE000-memory.dmp

Filesize
2.2MB

Download
memory/4452-160-0x00000000043C0000-0x00000000045EE000-memory.dmp

Filesize
2.2MB

Download
memory/4452-166-0x00000000043C0000-0x00000000045EE000-memory.dmp

Filesize
2.2MB

Download
memory/4452-167-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4452-233-0x00000000043C0000-0x00000000045EE000-memory.dmp

Filesize
2.2MB

Download
memory/4460-36-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-158-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-72-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/4460-67-0x0000000007F90000-0x0000000008534000-memory.dmp

Filesize
5.6MB

Download
memory/4460-57-0x0000000000B80000-0x0000000001398000-memory.dmp

Filesize
8.1MB

Download
memory/4460-150-0x0000000000B80000-0x0000000001398000-memory.dmp

Filesize
8.1MB

Download
memory/4460-151-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-152-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-153-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-155-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-157-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-90-0x0000000007C10000-0x0000000007C1A000-memory.dmp

Filesize
40KB

Download
memory/4460-29-0x0000000000B80000-0x0000000001398000-memory.dmp

Filesize
8.1MB

Download
memory/4460-33-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-34-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-43-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-91-0x0000000008B60000-0x0000000009178000-memory.dmp

Filesize
6.1MB

Download
memory/4460-92-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

Filesize
1.0MB

Download
memory/4460-93-0x0000000007D00000-0x0000000007D12000-memory.dmp

Filesize
72KB

Download
memory/4460-94-0x0000000007D60000-0x0000000007D9C000-memory.dmp

Filesize
240KB

Download
memory/4460-45-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-46-0x0000000077794000-0x0000000077796000-memory.dmp

Filesize
8KB

Download
memory/4460-39-0x0000000076540000-0x0000000076630000-memory.dmp

Filesize
960KB

Download
memory/4460-95-0x0000000007DA0000-0x0000000007DEC000-memory.dmp

Filesize
304KB

Download