Analysis Overview
SHA256
610ed69b07ed35cbb53f71f2d2ffec3dc14b4996f948757f35bd9c246fcf6e44
Threat Level: Known bad
The file ESET Endpoint Antivirus - ESET Endpoint Security.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
Raccoon Stealer V2 payload
Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-10 04:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-10 04:32
Reported
2024-02-10 04:35
Platform
win7-20231215-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Raccoon
Raccoon Stealer V2 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\兑䝗砵㝇儳䝇癣兮c | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2232 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\ESET Endpoint Antivirus - ESET Endpoint Security.exe | C:\Users\Admin\AppData\Local\Temp\兑䝗砵㝇儳䝇癣兮c |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\msconfig.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ESET Endpoint Antivirus - ESET Endpoint Security.exe
"C:\Users\Admin\AppData\Local\Temp\ESET Endpoint Antivirus - ESET Endpoint Security.exe"
C:\Users\Admin\AppData\Local\Temp\兑䝗砵㝇儳䝇癣兮c
"C:\Users\Admin\AppData\Local\Temp\兑䝗砵㝇儳䝇癣兮c"
C:\Windows\system32\msconfig.exe
"C:\Windows\system32\msconfig.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| NL | 195.20.16.155:80 | | tcp |
| NL | 195.20.16.155:80 | | tcp |
Files
memory/2360-6-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-7-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-5-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-8-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\兑䝗砵㝇儳䝇癣兮c
| MD5 | 3992f464696b0eeff236aef93b1fdbd5 |
| SHA1 | 8dddabaea6b342efc4f5b244420a0af055ae691e |
| SHA256 | 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14 |
| SHA512 | 27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6 |
memory/2360-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2360-10-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-13-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-14-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2232-15-0x000000013F740000-0x000000013F9AC000-memory.dmp
memory/2360-16-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1940-17-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/2808-18-0x00000000026E0000-0x00000000026E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-10 04:32
Reported
2024-02-10 04:35
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
Raccoon
Raccoon Stealer V2 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\㕶渳㝣硑㡆穄v | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3924 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\ESET Endpoint Antivirus - ESET Endpoint Security.exe | C:\Users\Admin\AppData\Local\Temp\㕶渳㝣硑㡆穄v |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ESET Endpoint Antivirus - ESET Endpoint Security.exe
"C:\Users\Admin\AppData\Local\Temp\ESET Endpoint Antivirus - ESET Endpoint Security.exe"
C:\Users\Admin\AppData\Local\Temp\㕶渳㝣硑㡆穄v
"C:\Users\Admin\AppData\Local\Temp\㕶渳㝣硑㡆穄v"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 195.20.16.155:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/4664-2-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\㕶渳㝣硑㡆穄v
| MD5 | 3992f464696b0eeff236aef93b1fdbd5 |
| SHA1 | 8dddabaea6b342efc4f5b244420a0af055ae691e |
| SHA256 | 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14 |
| SHA512 | 27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6 |
memory/4664-6-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3924-7-0x00007FF781130000-0x00007FF78139C000-memory.dmp
memory/4664-8-0x0000000000400000-0x0000000000416000-memory.dmp
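The two detonations above show the same chain: the sample (PID 2232 on Win7, PID 3924 on Win10) writes a file with a random name into %TEMP%, runs it, and then calls SetThreadContext on the child (PID 2360 / 4664), while every dumped region for that child sits at 0x400000-0x416000. The dropped file also has the same MD5/SHA256 in both runs despite the different names. The following triage helper is an added example and not part of the sandbox's output or tooling: it parses the `memory/<pid>-<n>-<start>-<end>-memory.dmp` artifact names and the `PID X set thread context of Y` signature text copied from both reports, and flags SetThreadContext targets whose dumped region starts at a conventional 32-bit image base. The regular expressions, the `0x400000` heuristic and the function names are assumptions of this example.

```python
"""Triage helper for the sandbox report above (added example, not sandbox code).

It reads the report text and correlates two things the report lists separately:
  * 'PID X set thread context of Y' lines from the SetThreadContext signature
  * 'memory/<pid>-<n>-<start>-<end>-memory.dmp' artifact names
A SetThreadContext target whose only dumped region starts at 0x400000 is the
pattern consistent with a hollowed 32-bit child. The regexes and the image-base
heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

# Artifact names and signature lines copied from behavioral1 / behavioral2 above.
BEHAVIORAL1 = """
PID 2232 set thread context of 2360
memory/2360-6-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-7-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2360-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2232-15-0x000000013F740000-0x000000013F9AC000-memory.dmp
memory/1940-17-0x00000000029C0000-0x00000000029C1000-memory.dmp
| SHA256 | 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14 |
""".strip().splitlines()

BEHAVIORAL2 = """
PID 3924 set thread context of 4664
memory/4664-2-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3924-7-0x00007FF781130000-0x00007FF78139C000-memory.dmp
memory/4664-8-0x0000000000400000-0x0000000000416000-memory.dmp
| SHA256 | 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14 |
""".strip().splitlines()

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
SHA256_RE = re.compile(r"\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|")


def parse_dumps(lines):
    """Map PID -> set of (start, end) address ranges that were dumped."""
    regions = defaultdict(set)
    for line in lines:
        m = DUMP_RE.search(line)
        if m:
            pid, _idx, start, end = m.groups()
            regions[int(pid)].add((int(start, 16), int(end, 16)))
    return regions


def parse_thread_context(lines):
    """Return (source_pid, target_pid) pairs from the SetThreadContext rows."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in (CTX_RE.search(l) for l in lines) if m]


def hollowing_candidates(lines, image_base=0x400000):
    """Join the two views: SetThreadContext targets that have a dumped region
    starting at image_base. Returns one record per (source, target, region)."""
    regions = parse_dumps(lines)
    found = []
    for src, dst in parse_thread_context(lines):
        for start, end in sorted(regions.get(dst, ())):
            if start == image_base:
                found.append({"source_pid": src, "target_pid": dst,
                              "start": start, "size": end - start})
    return found


def dropped_sha256(lines):
    """Set of SHA256 values listed for dropped files in the report text."""
    return {m.group(1) for m in (SHA256_RE.search(l) for l in lines) if m}


if __name__ == "__main__":
    for name, rep in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        for c in hollowing_candidates(rep):
            print(f"{name}: PID {c['source_pid']} -> PID {c['target_pid']} "
                  f"region 0x{c['start']:x} size 0x{c['size']:x}")
    print("same dropped payload in both runs:",
          dropped_sha256(BEHAVIORAL1) == dropped_sha256(BEHAVIORAL2))
```

Running it against the copied lines yields one candidate per detonation (2232 -> 2360 and 3924 -> 4664, each a 0x16000-byte region at 0x400000) and confirms the dropped file hash is identical across the Win7 and Win10 runs, which is why the hash rather than the random %TEMP% filename is the indicator worth pivoting on. Note that the parent's own dumped region (0x13F740000 / 0x7FF781130000) is a 64-bit image base and is correctly not flagged.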