raccoon | 3ff3a06b10b6158ac51d74487dd5c108dc113b3e7a2bb598e37c2d02e37f4631

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

269KB
MD5

9cad5b4d70563e0502bd9448fda8d17c
SHA1

f081a4b20fe8899994867490ae1329c6d90de47d
SHA256

3ff3a06b10b6158ac51d74487dd5c108dc113b3e7a2bb598e37c2d02e37f4631
SHA512

112b75f557b7ad76405eec278fbbeb8efaea3ad1b58f3954a63d1f72121db29e0d7a760d4f2627f6293bd20acfa51163d3ce9549132cf19ad963602032c46dff
SSDEEP

3072:KHl3/MPPIYsGkrWxEuTABIsO9UL0RzPlQmUucvTtcSZk2d:g30YayWxpTQ+UL05vUbp

Score

10^/10

raccoon smokeloader backdoor collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1740-20-0x0000000002D30000-0x0000000002E30000-memory.dmp	family_raccoon_v2
behavioral2/memory/1740-21-0x0000000004710000-0x0000000004726000-memory.dmp	family_raccoon_v2
behavioral2/memory/1740-23-0x0000000000400000-0x0000000002ABF000-memory.dmp	family_raccoon_v2
behavioral2/memory/1740-96-0x0000000000400000-0x0000000002ABF000-memory.dmp	family_raccoon_v2

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Imported.pif

description pid process target process

PID 2940 created 3432 2940 Imported.pif Explorer.EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DE18.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DE18.exe

description	pid	process	target process
PID 2940 created 3432	2940	Imported.pif	Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DE18.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DE18.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DE18.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DE18.exe

Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE
Executes dropped EXE 5 IoCs

Processes:

D339.exeDE18.exeE30B.exeE9B3.exeImported.pif

pid process

1740 D339.exe
3728 DE18.exe
3392 E30B.exe
3504 E9B3.exe
2940 Imported.pif
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

976 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3432	Explorer.EXE

pid	process
1740	D339.exe
3728	DE18.exe
3392	E30B.exe
3504	E9B3.exe
2940	Imported.pif

pid	process
976	regsvr32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DE18.exe	themida
C:\Users\Admin\AppData\Local\Temp\DE18.exe	themida
behavioral2/memory/3728-63-0x0000000000AF0000-0x0000000001472000-memory.dmp	themida
behavioral2/memory/3728-137-0x0000000000AF0000-0x0000000001472000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DE18.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DE18.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DE18.exe

pid process

3728 DE18.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

E9B3.exe

description pid process target process

PID 3504 set thread context of 2772 3504 E9B3.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4308 1740 WerFault.exe D339.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DE18.exe

pid	process
3728	DE18.exe

description	pid	process	target process
PID 3504 set thread context of 2772	3504	E9B3.exe	AppLaunch.exe

pid	pid_target	process	target process
4308	1740	WerFault.exe	D339.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4316 tasklist.exe
2004 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4440 PING.EXE

pid	process
4316	tasklist.exe
2004	tasklist.exe

pid	process
4440	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exeExplorer.EXE

pid	process
2932	file.exe
2932	file.exe
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

file.exeExplorer.EXE

pid process

2932 file.exe
3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE

pid	process
3432	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Explorer.EXEAppLaunch.exeDE18.exetasklist.exetasklist.exe

description	pid	process
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeDebugPrivilege	2772	AppLaunch.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeDebugPrivilege	3728	DE18.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	4316	tasklist.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Imported.pifExplorer.EXE

pid process

2940 Imported.pif
3432 Explorer.EXE
3432 Explorer.EXE
2940 Imported.pif
2940 Imported.pif
3432 Explorer.EXE
3432 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Imported.pif

pid process

2940 Imported.pif
2940 Imported.pif
2940 Imported.pif
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE

pid	process
2940	Imported.pif
3432	Explorer.EXE
3432	Explorer.EXE
2940	Imported.pif
2940	Imported.pif
3432	Explorer.EXE
3432	Explorer.EXE

pid	process
2940	Imported.pif
2940	Imported.pif
2940	Imported.pif

pid	process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXEregsvr32.exeE9B3.exeE30B.execmd.execmd.exe

description	pid	process	target process
PID 3432 wrote to memory of 1740	3432	Explorer.EXE	D339.exe
PID 3432 wrote to memory of 1740	3432	Explorer.EXE	D339.exe
PID 3432 wrote to memory of 1740	3432	Explorer.EXE	D339.exe
PID 3432 wrote to memory of 4448	3432	Explorer.EXE	regsvr32.exe
PID 3432 wrote to memory of 4448	3432	Explorer.EXE	regsvr32.exe
PID 4448 wrote to memory of 976	4448	regsvr32.exe	regsvr32.exe
PID 4448 wrote to memory of 976	4448	regsvr32.exe	regsvr32.exe
PID 4448 wrote to memory of 976	4448	regsvr32.exe	regsvr32.exe
PID 3432 wrote to memory of 3728	3432	Explorer.EXE	DE18.exe
PID 3432 wrote to memory of 3728	3432	Explorer.EXE	DE18.exe
PID 3432 wrote to memory of 3728	3432	Explorer.EXE	DE18.exe
PID 3432 wrote to memory of 3392	3432	Explorer.EXE	E30B.exe
PID 3432 wrote to memory of 3392	3432	Explorer.EXE	E30B.exe
PID 3432 wrote to memory of 3392	3432	Explorer.EXE	E30B.exe
PID 3432 wrote to memory of 3504	3432	Explorer.EXE	E9B3.exe
PID 3432 wrote to memory of 3504	3432	Explorer.EXE	E9B3.exe
PID 3432 wrote to memory of 3504	3432	Explorer.EXE	E9B3.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3504 wrote to memory of 2772	3504	E9B3.exe	AppLaunch.exe
PID 3432 wrote to memory of 2804	3432	Explorer.EXE	explorer.exe
PID 3432 wrote to memory of 2804	3432	Explorer.EXE	explorer.exe
PID 3432 wrote to memory of 2804	3432	Explorer.EXE	explorer.exe
PID 3432 wrote to memory of 2804	3432	Explorer.EXE	explorer.exe
PID 3432 wrote to memory of 664	3432	Explorer.EXE	explorer.exe
PID 3432 wrote to memory of 664	3432	Explorer.EXE	explorer.exe
PID 3432 wrote to memory of 664	3432	Explorer.EXE	explorer.exe
PID 3392 wrote to memory of 4384	3392	E30B.exe	cmd.exe
PID 3392 wrote to memory of 4384	3392	E30B.exe	cmd.exe
PID 3392 wrote to memory of 4384	3392	E30B.exe	cmd.exe
PID 4384 wrote to memory of 2928	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 2928	4384	cmd.exe	cmd.exe
PID 4384 wrote to memory of 2928	4384	cmd.exe	cmd.exe
PID 2928 wrote to memory of 2004	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 2004	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 2004	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 1240	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 1240	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 1240	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 4316	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 4316	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 4316	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 4704	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 4704	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 4704	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 3480	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 3480	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 3480	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4812	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4812	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4812	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4392	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4392	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4392	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 2940	2928	cmd.exe	Imported.pif
PID 2928 wrote to memory of 2940	2928	cmd.exe	Imported.pif
PID 2928 wrote to memory of 2940	2928	cmd.exe	Imported.pif
PID 2928 wrote to memory of 4440	2928	cmd.exe	PING.EXE
PID 2928 wrote to memory of 4440	2928	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2932

C:\Users\Admin\AppData\Local\Temp\D339.exe
C:\Users\Admin\AppData\Local\Temp\D339.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 7300
3⤵
- Program crash
PID:4308

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D6C4.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D6C4.dll
3⤵
- Loads dropped DLL
PID:976

C:\Users\Admin\AppData\Local\Temp\DE18.exe
C:\Users\Admin\AppData\Local\Temp\DE18.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Users\Admin\AppData\Local\Temp\E30B.exe
C:\Users\Admin\AppData\Local\Temp\E30B.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\cmd.exe
cmd /k cmd < Properly & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:1240

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
5⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 29169
5⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Mandatory + Aging + Fathers + Granny + Plymouth 29169\Imported.pif
5⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Rod + Animation 29169\t
5⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\65308\29169\Imported.pif
29169\Imported.pif 29169\t
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2940

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:4440

C:\Users\Admin\AppData\Local\Temp\E9B3.exe
C:\Users\Admin\AppData\Local\Temp\E9B3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2804

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\65308\29169\jsc.exe
C:\Users\Admin\AppData\Local\Temp\65308\29169\jsc.exe
2⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1740 -ip 1740
1⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65308\29169\Imported.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\29169\Imported.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\29169\t
Filesize
633KB

MD5
fe3cdb342fa79c9e1cb79f4544a8a975

SHA1
0c37d9c0b63af3bd99f7e1612024a469d757ae1d

SHA256
fad17a4f9fc911f208337c2fb9b38dff422373297ce9fab60faae36771307803

SHA512
b50cf641b621eaac56a6805c59298b9857bc149b2d51202aefb53247d2410ca723320db624e4b6b24638809e3f87dfa332ae7dde00c624b12784a825490b9697

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Aging
Filesize
265KB

MD5
c724d5bd5c18d2bbe5fe2c7946c1b6b2

SHA1
7beed9c36d52db96557049da7fb3fd9765ab06da

SHA256
86b3e35e182ef64c4119084416a1009c365629360d954a4a9a53ec6d737a2d8f

SHA512
8841cb5ff4425ecaa89f691510276e42cb68450514439766d1e82769f0a498295961681e02bd2c0251b082e50eee599a516b19f7dde345a30f81f743f94e48a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Animation
Filesize
156KB

MD5
5dbdebec65c149f9303357aeb35f3f13

SHA1
971b53aad088edbbd9185c5390b82e41324e964b

SHA256
50e9ea749c805b70e45e35d0ec59f5380e5ff8f0b677d099e19b3d6b782163c6

SHA512
df410166f1eff8f08453dc110227e947f3c94de59da6a4c5953ff27d8d133df3acad89640f948d4133f4e367809a754f43586bf397acd01133cb291111b7f065

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Fathers
Filesize
134KB

MD5
19840b560c884e4575f325fbf6dde028

SHA1
58a5840b9163d586ea83535d02197a30fe04f3d0

SHA256
698f94e57b0edc595e35cd9ea0a6ded21fd383c559e349b2d4b6bae01a0a445f

SHA512
1a3921f8a9a3fd2d0394b811dbfa0fffdc72be5047fe17533cdeae3d2ec6cbdf5a0951a0744f0c1a372de809f3af502ff940fc679f3ff40d0eb55cb78b9d460e

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Granny
Filesize
290KB

MD5
4ee0ce02c9a6966cf83884c8b614077f

SHA1
2052c40fbc6ae0bd2fc085161e42e500556c27dd

SHA256
ec33283a90016ceae05ad793143d10679d430c2aa3fc2d1026f6c6acc5b028fb

SHA512
8dbee460fb43696834f62352852f58fdb6e4f160dcdfb1d4a7d81b2fe8cfb730e797af4c97095abbbce19f5569afac6da3eeadb6465ff5c216b6a4e79964a4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Mandatory
Filesize
161KB

MD5
f95a9af4657f69267464287ead8d12d2

SHA1
6171891ae7a8206b76ef4d9cf88f274987f21485

SHA256
96aa51fdf657cdc4e28744f2383ad53d45085d7f312264c9d786c751bc778307

SHA512
0ee28b7b6a767958058c775a1df42e81a97151b37511686902b29f54d0bc5769d10978c297a90f166018cd34fbc5d85f8f146576a19d78ddc5ed37083de1f6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Plymouth
Filesize
74KB

MD5
265a4f252616accea4a910e76e612f0b

SHA1
7002ca5e385a2bfa58200c08fd2821acf0072122

SHA256
22424b9c63b2b5d882cc25335dbfb2f1872c1186f43fe1caf16d87b808f6e3e9

SHA512
f77dfe13c67ba3235bc1dc88041a7266430bedd6f35d3f2ba0c46314346de61305256b144eb9c49842edb4d21741e31161fbe025a92cb85b7aeface781cdd5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Properly
Filesize
12KB

MD5
fdf171249c22f3f45c53408bfa0d2f2b

SHA1
95e96312015058c60c83a8e38733371311722593

SHA256
b0d4a9769a644c418419050c5b2b7f796f06a7d4c48010e8498e2596c7a935bd

SHA512
52d21473972162cd29e403d1e3eee209ac5e4c2051a7e07455ec96971a94f5ac045ba3c539066bf5abd2fe3995334a4683f58f0f11dc5c28488ae1dbce91968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\65308\Rod
Filesize
477KB

MD5
4ea38f8c80b7060a80c79ab03d5d1c7c

SHA1
cfddc34a9e809c7c3f9fc0e457522bfb0457ab67

SHA256
b4ea21811ef45cd914cefd4fa272715c295e7673bfdd3976ef4c1b7c2f00a85a

SHA512
0e2e22e503b9938fe356aaef78197621f98ece3c705a2451b6b87ccd50cff92a67d809f81673b66e58ea8c5f82ffb28e955a8eac2782a00430a134fe522cc06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D339.exe
Filesize
291KB

MD5
1de5eb2944545479b07139c4b4227cb4

SHA1
6baf1786af938b22a92b5f515f9d4ee131e6495a

SHA256
876ba20dfdae7014531937bf45a1a94757b01e72ae4e6ce5bee66665f1763dd1

SHA512
75322c0a9f12a74a69fc342c24ab3fe622dff26545f679b4baa9ffca6e1962e13d7455146bf332db24162aac595d31f5d9f28a4c8dc5685bd94e8ce87aec023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D339.exe
Filesize
291KB

MD5
1de5eb2944545479b07139c4b4227cb4

SHA1
6baf1786af938b22a92b5f515f9d4ee131e6495a

SHA256
876ba20dfdae7014531937bf45a1a94757b01e72ae4e6ce5bee66665f1763dd1

SHA512
75322c0a9f12a74a69fc342c24ab3fe622dff26545f679b4baa9ffca6e1962e13d7455146bf332db24162aac595d31f5d9f28a4c8dc5685bd94e8ce87aec023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6C4.dll
Filesize
2.6MB

MD5
c73569915305ac15c46f6b0565bc39b0

SHA1
744e80ad9f09ee6a2e32fd1700f93ac45a270d53

SHA256
e08c706b8e7c518be2606ff7f3274918330b03ed2cd0bf2120a6676fb85dec8b

SHA512
a4c85815b872475858913c3dbad6a3820ceb93a317b0749c034948b80ddd4fb3c3a4b9da9740f578a662b8a9f7b8fe2841ef5ddf7152840182d6a0b76f6eca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6C4.dll
Filesize
2.6MB

MD5
c73569915305ac15c46f6b0565bc39b0

SHA1
744e80ad9f09ee6a2e32fd1700f93ac45a270d53

SHA256
e08c706b8e7c518be2606ff7f3274918330b03ed2cd0bf2120a6676fb85dec8b

SHA512
a4c85815b872475858913c3dbad6a3820ceb93a317b0749c034948b80ddd4fb3c3a4b9da9740f578a662b8a9f7b8fe2841ef5ddf7152840182d6a0b76f6eca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE18.exe
Filesize
4.1MB

MD5
41960f214e4314caa2f5157b11b00a18

SHA1
c405bffc785505bab364208c24e29eefe80f1e32

SHA256
69f5aca8d40511fbf3523b1e8e2cee4ff64b65ab94a7e734e9810ef0f617a327

SHA512
7cfcb85c84e493fc2362d96495da0b40f01d7884ba5cc0346714d487cb249379b2dec689f9958177aae49e71f6dafbfb9b7b9c046decb1b4356937052f8e9140

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE18.exe
Filesize
4.1MB

MD5
41960f214e4314caa2f5157b11b00a18

SHA1
c405bffc785505bab364208c24e29eefe80f1e32

SHA256
69f5aca8d40511fbf3523b1e8e2cee4ff64b65ab94a7e734e9810ef0f617a327

SHA512
7cfcb85c84e493fc2362d96495da0b40f01d7884ba5cc0346714d487cb249379b2dec689f9958177aae49e71f6dafbfb9b7b9c046decb1b4356937052f8e9140

Download Submit
C:\Users\Admin\AppData\Local\Temp\E30B.exe
Filesize
1.3MB

MD5
bf1229435270f85c47a561c29ee5e1e0

SHA1
129857639c5cb4feffb0a674be2baf81f1c90bd3

SHA256
08ac62d87943f67a0ec0a16d1f9c3f7dc9cef7479afed610847fbb926c9cd1af

SHA512
941cb25b836e769dfe68f42df7ba4ee8b9e4e2fac2bd985b3a8b2d1da53c04f46f2380d8977f3a22650b2be37b962f4a7f54552699ebdfdf93adfce2643d966d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E30B.exe
Filesize
1.3MB

MD5
bf1229435270f85c47a561c29ee5e1e0

SHA1
129857639c5cb4feffb0a674be2baf81f1c90bd3

SHA256
08ac62d87943f67a0ec0a16d1f9c3f7dc9cef7479afed610847fbb926c9cd1af

SHA512
941cb25b836e769dfe68f42df7ba4ee8b9e4e2fac2bd985b3a8b2d1da53c04f46f2380d8977f3a22650b2be37b962f4a7f54552699ebdfdf93adfce2643d966d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B3.exe
Filesize
1.8MB

MD5
6d3e2ee8f723889b7c3cc7dd7f7b7326

SHA1
c739c825908d47921033fbe65db217a7550de798

SHA256
e5fef0ed227cef479a29f10d15f0740a4d47747893c69e0b1514e7069da844de

SHA512
9530762217ab46bd08d2d8e0004c673a1583949ecfc63407baf7c1dd8c4dad2f8d598f7bcebc9706ba4d14d96169cec88930cc0efddbebcfbb1313ea449536d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B3.exe
Filesize
1.8MB

MD5
6d3e2ee8f723889b7c3cc7dd7f7b7326

SHA1
c739c825908d47921033fbe65db217a7550de798

SHA256
e5fef0ed227cef479a29f10d15f0740a4d47747893c69e0b1514e7069da844de

SHA512
9530762217ab46bd08d2d8e0004c673a1583949ecfc63407baf7c1dd8c4dad2f8d598f7bcebc9706ba4d14d96169cec88930cc0efddbebcfbb1313ea449536d2

Download Submit
memory/664-66-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/664-69-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/976-34-0x00000000025B0000-0x00000000026D4000-memory.dmp

Filesize
1.1MB

Download
memory/976-61-0x00000000026E0000-0x00000000027E8000-memory.dmp

Filesize
1.0MB

Download
memory/976-26-0x0000000010000000-0x000000001028E000-memory.dmp

Filesize
2.6MB

Download
memory/976-51-0x00000000026E0000-0x00000000027E8000-memory.dmp

Filesize
1.0MB

Download
memory/976-52-0x00000000026E0000-0x00000000027E8000-memory.dmp

Filesize
1.0MB

Download
memory/976-54-0x00000000026E0000-0x00000000027E8000-memory.dmp

Filesize
1.0MB

Download
memory/976-29-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/1740-96-0x0000000000400000-0x0000000002ABF000-memory.dmp

Filesize
38.7MB

Download
memory/1740-71-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/1740-20-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/1740-21-0x0000000004710000-0x0000000004726000-memory.dmp

Filesize
88KB

Download
memory/1740-23-0x0000000000400000-0x0000000002ABF000-memory.dmp

Filesize
38.7MB

Download
memory/2772-97-0x0000000004F50000-0x0000000005568000-memory.dmp

Filesize
6.1MB

Download
memory/2772-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2772-107-0x00000000058F0000-0x0000000005966000-memory.dmp

Filesize
472KB

Download
memory/2772-106-0x0000000004C70000-0x0000000004CD6000-memory.dmp

Filesize
408KB

Download
memory/2772-64-0x0000000072DF0000-0x00000000735A0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-109-0x00000000062D0000-0x0000000006320000-memory.dmp

Filesize
320KB

Download
memory/2772-124-0x0000000072DF0000-0x00000000735A0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-117-0x00000000078C0000-0x0000000007DEC000-memory.dmp

Filesize
5.2MB

Download
memory/2772-103-0x00000000049B0000-0x00000000049FC000-memory.dmp

Filesize
304KB

Download
memory/2772-102-0x0000000004970000-0x00000000049AC000-memory.dmp

Filesize
240KB

Download
memory/2772-101-0x0000000004A40000-0x0000000004B4A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-116-0x00000000071C0000-0x0000000007382000-memory.dmp

Filesize
1.8MB

Download
memory/2772-100-0x00000000048E0000-0x00000000048F2000-memory.dmp

Filesize
72KB

Download
memory/2772-108-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/2772-95-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/2804-67-0x0000000001290000-0x0000000001310000-memory.dmp

Filesize
512KB

Download
memory/2804-93-0x0000000001220000-0x000000000128B000-memory.dmp

Filesize
428KB

Download
memory/2804-70-0x0000000001220000-0x000000000128B000-memory.dmp

Filesize
428KB

Download
memory/2804-65-0x0000000001220000-0x000000000128B000-memory.dmp

Filesize
428KB

Download
memory/2932-2-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/2932-3-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/2932-5-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/2932-8-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/2932-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

Filesize
1024KB

Download
memory/2940-163-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3392-60-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3392-105-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-144-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-141-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-138-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-161-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-160-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-119-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-133-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3392-129-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3432-4-0x0000000002CF0000-0x0000000002D06000-memory.dmp

Filesize
88KB

Download
memory/3728-42-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-122-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-126-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-125-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-121-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-120-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-136-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-137-0x0000000000AF0000-0x0000000001472000-memory.dmp

Filesize
9.5MB

Download
memory/3728-114-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-113-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-112-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-111-0x0000000000AF0000-0x0000000001472000-memory.dmp

Filesize
9.5MB

Download
memory/3728-99-0x0000000008260000-0x000000000826A000-memory.dmp

Filesize
40KB

Download
memory/3728-94-0x00000000082B0000-0x0000000008342000-memory.dmp

Filesize
584KB

Download
memory/3728-68-0x00000000087C0000-0x0000000008D64000-memory.dmp

Filesize
5.6MB

Download
memory/3728-63-0x0000000000AF0000-0x0000000001472000-memory.dmp

Filesize
9.5MB

Download
memory/3728-46-0x0000000077184000-0x0000000077186000-memory.dmp

Filesize
8KB

Download
memory/3728-40-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-45-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-44-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-43-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-38-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-36-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-35-0x0000000074FD0000-0x00000000750C0000-memory.dmp

Filesize
960KB

Download
memory/3728-33-0x0000000000AF0000-0x0000000001472000-memory.dmp

Filesize
9.5MB

Download