Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 10-01-2024 10:30
Static task: static1
Behavioral task: behavioral1
- Sample: 50516ba042ed1aaae22e56c6507c2bfb.exe
- Resource: win7-20231215-en
General
- Target: 50516ba042ed1aaae22e56c6507c2bfb.exe
- Size: 2.7MB
- MD5: 50516ba042ed1aaae22e56c6507c2bfb
- SHA1: a462d0473733f518807bd380d9468eb94321abb6
- SHA256: 85ab17e1b22b87b9aa6058da5a239f41efb41f6e12f25c380508c636053e4975
- SHA512: 8a5ccc941e3cc4793651e0ba1e2775cc9f6782235eee32854b7be961dbc44c3d9e260e5c17c9c0224a2a2e441dc6a26014b3fe8cc21716d7e4d17be476eb9ce8
- SSDEEP: 49152:pr9V00000000000000000000000000l1zILnkoyQ:pBV00000000000000000000000000Un7
Malware Config
Extracted
- raccoon
- b57b0b81a0c25a76ce0260ff30d839aed6f62158
- url4cnc: https://telete.in/hubabuccpower
Signatures
-
Raccoon Stealer V1 payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral1/memory/1080-11-0x00000000020D0000-0x0000000002162000-memory.dmp | family_raccoon_v1
-
Modifies system certificate store
Processes: 50516ba042ed1aaae22e56c6507c2bfb.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 50516ba042ed1aaae22e56c6507c2bfb.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | 50516ba042ed1aaae22e56c6507c2bfb.exe
-
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes: 50516ba042ed1aaae22e56c6507c2bfb.exe
  pid | process
  1080 | 50516ba042ed1aaae22e56c6507c2bfb.exe (the same entry is recorded 21 times)
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
  pid | process
  1240 | Explorer.EXE
  1240 | Explorer.EXE
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
  pid | process
  1240 | Explorer.EXE
  1240 | Explorer.EXE
-
Suspicious use of WriteProcessMemory (1 IoC)
Processes: 50516ba042ed1aaae22e56c6507c2bfb.exe
  description | pid | process | target process
  PID 1080 wrote to memory of 1240 | 1080 | 50516ba042ed1aaae22e56c6507c2bfb.exe | Explorer.EXE
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   -
   2. C:\Users\Admin\AppData\Local\Temp\50516ba042ed1aaae22e56c6507c2bfb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\50516ba042ed1aaae22e56c6507c2bfb.exe"
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/1080-0-0x0000000000400000-0x00000000006B4000-memory.dmp (Filesize: 2.7MB)
- memory/1080-1-0x0000000001DE0000-0x0000000001E5B000-memory.dmp (Filesize: 492KB)
- memory/1080-2-0x000000007765F000-0x0000000077660000-memory.dmp (Filesize: 4KB)
- memory/1080-3-0x0000000000400000-0x00000000006B4000-memory.dmp (Filesize: 2.7MB)
- memory/1080-4-0x0000000001DE0000-0x0000000001E5B000-memory.dmp (Filesize: 492KB)
- memory/1080-5-0x0000000001E60000-0x0000000001FE0000-memory.dmp (Filesize: 1.5MB)
- memory/1080-10-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize: 4KB)
- memory/1080-8-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize: 4KB)
- memory/1080-11-0x00000000020D0000-0x0000000002162000-memory.dmp (Filesize: 584KB)
- memory/1080-9-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize: 4KB)
- memory/1240-7-0x00000000029E0000-0x00000000029E1000-memory.dmp (Filesize: 4KB)
- memory/1240-6-0x00000000029E0000-0x00000000029E1000-memory.dmp (Filesize: 4KB)