Analysis Overview
SHA256
45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
Threat Level: Known bad
The file 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe was found to be: Known bad.
Malicious Activity Summary
Detects executables manipulated with Fody
Raccoon Stealer V2 payload
Raccoon
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Detects executables manipulated with Fody
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-13 02:46
Signatures
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-13 02:46
Reported
2024-02-13 02:59
Platform
win7-20231215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vyebcmpw\vyebcmpw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F72.tmp" "c:\Users\Admin\AppData\Local\Temp\vyebcmpw\CSC79CE2649968D496497CF7ADB55C032E6.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
Files
memory/2264-0-0x00000000012C0000-0x0000000001564000-memory.dmp
memory/2264-1-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp
memory/2264-2-0x000000001B1C0000-0x000000001B240000-memory.dmp
memory/2264-3-0x0000000000A60000-0x0000000000ABE000-memory.dmp
memory/2264-4-0x0000000000B70000-0x0000000000BF4000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\vyebcmpw\vyebcmpw.cmdline
| MD5 | 1176bc99d4c1da6a693145da4ba0b0f4 |
| SHA1 | 6a534908debfe32c261b1075d5b05953f74d4667 |
| SHA256 | 4a134c85dca3e3a7cbf0a18d2486ae9bc7544fd94b18e7a64224205edf246810 |
| SHA512 | b238acffbba242516d090593e4db2624492682b8aeedcf45e8c40265ee84a055a656dd383c5119ccb2113f4194bcbe2ad399244ed15d68879d073537f85076c6 |
\??\c:\Users\Admin\AppData\Local\Temp\vyebcmpw\vyebcmpw.0.cs
| MD5 | 42cdf76cfeebaa4420881fdb1f349522 |
| SHA1 | ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d |
| SHA256 | 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970 |
| SHA512 | ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c |
\??\c:\Users\Admin\AppData\Local\Temp\vyebcmpw\CSC79CE2649968D496497CF7ADB55C032E6.TMP
| MD5 | 6c181745a41c1f2e64ebe45b43a01ace |
| SHA1 | fa6d0ad58768d44afbeac288d61bddb18dadd16b |
| SHA256 | 062a001f6eb6361514222d1c32f991a87bea1cd494ce05800806f7f9f0af993b |
| SHA512 | 1347c71de42e5875f7e398da9b4ee501884f9d29dd0e44d1b4f521d5edcb64e5e0afba284d3f84b9ece54f85de5a9b53917f5d3a9cda4f72406fa1b4b1e5c768 |
C:\Users\Admin\AppData\Local\Temp\RES1F72.tmp
| MD5 | 6a3182b13380b2735270dbccb2e34cb0 |
| SHA1 | bc1d940ec2e1c2a7f444b5325891dd975c6e16cd |
| SHA256 | bfa733a7a52536b97509414ead4397f594e6d404082e26165532b820d645e8ea |
| SHA512 | 29ecfdbba34fea543062cbaa8e30d55f673471f578edf387032a42a2c0775bd916fddc280661a5c7f3ebd986f2307432520fd3521cf1c4084c2d24fac5883f8a |
C:\Users\Admin\AppData\Local\Temp\vyebcmpw\vyebcmpw.dll
| MD5 | 75bfc1ce913d8db30ea3dc364a11ca0a |
| SHA1 | 9fdbe911da50fb736495d2ceeb8c382c7b5324b8 |
| SHA256 | fef2311afb65d3b10719e8519559a01ee103ee1db676bc4a714ca2535f22be31 |
| SHA512 | ae974691f409c66ec8bb23da66a69ff6d6dee47cf3f3a72b7a701c5cd36cf93bebe95f13af3a0fdd874e58481384ac244268940f30b5386ec2ef8b71ba0c6524 |
memory/2264-17-0x00000000005A0000-0x00000000005A8000-memory.dmp
memory/2264-19-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-13 02:46
Reported
2024-02-13 02:59
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
166s
Command Line
Signatures
Raccoon
Raccoon Stealer V2 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 812 set thread context of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gclb5foi\gclb5foi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES584C.tmp" "c:\Users\Admin\AppData\Local\Temp\gclb5foi\CSCC1D1E8DB91474999816DB7AF4AFFB7.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 194.116.173.154:80 | tcp | |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
Files
memory/812-0-0x0000000000190000-0x0000000000434000-memory.dmp
memory/812-1-0x00007FFC46E40000-0x00007FFC47901000-memory.dmp
memory/812-2-0x000000001B130000-0x000000001B140000-memory.dmp
memory/812-3-0x0000000002540000-0x000000000259E000-memory.dmp
memory/812-4-0x000000001B340000-0x000000001B3C4000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\gclb5foi\gclb5foi.cmdline
| MD5 | 57343cc31add7959cf14f97b35e873dc |
| SHA1 | 37589dfe87a3c0a287fb7726d2285447db059caf |
| SHA256 | 64aea587a330fffcf05aaac7d1213c5fe576de145b524a9425326c29cc1d1a1a |
| SHA512 | eb8470b24c0c090c1e6771ff697c3ce11aeecc479ae735ad3020b11217f7226b12065f16c4694b5d9eda61e264618cde77e303d0a3de990dfe26de82a8ce9469 |
\??\c:\Users\Admin\AppData\Local\Temp\gclb5foi\gclb5foi.0.cs
| MD5 | 42cdf76cfeebaa4420881fdb1f349522 |
| SHA1 | ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d |
| SHA256 | 463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970 |
| SHA512 | ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c |
\??\c:\Users\Admin\AppData\Local\Temp\gclb5foi\CSCC1D1E8DB91474999816DB7AF4AFFB7.TMP
| MD5 | 44e6f9ed7fd89878374af7f8f3d49e0e |
| SHA1 | 1f8956f3bafea3f57186c8a3b3feeef4394c1dac |
| SHA256 | e08c69f845737cfd7c4953b907d00919b9fd44775084ee27a8f8ef5dee6f31c1 |
| SHA512 | 38eee2f4c54c9ac3a179ac220469d70d5db49a062e093746133eed98b045d2a0fb178ebff487ae9c24d0c248a73652d84a7b4996f278aaacb66d384e1e55de80 |
C:\Users\Admin\AppData\Local\Temp\RES584C.tmp
| MD5 | 9e5cf9c059d2d10841bcb02aeee97110 |
| SHA1 | 2d4aab3928ffe10da106581244b1d8c4c9fd6cf4 |
| SHA256 | 849a69d80b77e2e449296492e768d98d0226d97710a41532edd1f480cc8033b0 |
| SHA512 | dd59c4ad65a586f1f63a710ecb692b3a1b8e0e5c7da8ed3df57f7444d7967db5e3f543d9972d2c39bd7b095edc17120edfa2a86355757a78dd2c7de1b57f3241 |
C:\Users\Admin\AppData\Local\Temp\gclb5foi\gclb5foi.dll
| MD5 | a8793e4049484c8ab0443c0c7de9ee46 |
| SHA1 | e09c93eec14377b17f2b6f4f734d786834d2e1a8 |
| SHA256 | 481dbc895acf14d46a11b6263b3f5c51ba04d710683c0db4bba15397368fe7d6 |
| SHA512 | 2ffe790e7b3f2780f507509eefb36edfb220f658b2627f90344e9358fc84ee78faedebe63a4e95f806b66972e1a86b0d4babfbc64e257e747ac3c362809e8d36 |
memory/812-17-0x0000000002620000-0x0000000002628000-memory.dmp
memory/432-19-0x0000000000400000-0x0000000000416000-memory.dmp
memory/812-21-0x00007FFC46E40000-0x00007FFC47901000-memory.dmp
memory/432-23-0x0000000000400000-0x0000000000416000-memory.dmp
memory/432-24-0x0000000000400000-0x0000000000416000-memory.dmp