Analysis
max time kernel: 130s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/02/2024, 03:02

Static task: static1

Behavioral task: behavioral1
Sample: 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Resource: win10v2004-20231215-en
General
Target: 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size: 2.6MB
MD5: 38439fdf4744c8a97c0dafce36e4f432
SHA1: e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256: 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512: 69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP: 49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL
Malware Config
Extracted
raccoon
2637bf45ccfc8a2d57025feab0be0b31
http://194.116.173.154:80
user_agent: MrBidenNeverKnow
Signatures

Raccoon Stealer V2 payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2256-19-0x0000000000400000-0x0000000000416000-memory.dmp | family_raccoon_v2
behavioral2/memory/2256-23-0x0000000000400000-0x0000000000416000-memory.dmp | family_raccoon_v2
behavioral2/memory/2256-24-0x0000000000400000-0x0000000000416000-memory.dmp | family_raccoon_v2

Detects executables containing SQL queries to confidential data stores. Observed in infostealers (3 IoCs)
resource | yara_rule
behavioral2/memory/2256-19-0x0000000000400000-0x0000000000416000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/2256-23-0x0000000000400000-0x0000000000416000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/2256-24-0x0000000000400000-0x0000000000416000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables manipulated with Fody (1 IoC)
resource | yara_rule
behavioral2/memory/1916-0-0x0000000000850000-0x0000000000AF4000-memory.dmp | INDICATOR_EXE_Packed_Fody

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1916 set thread context of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1916 wrote to memory of 5116 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 85
PID 1916 wrote to memory of 5116 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 85
PID 5116 wrote to memory of 3724 | 5116 | csc.exe | 89
PID 5116 wrote to memory of 3724 | 5116 | csc.exe | 89
PID 1916 wrote to memory of 4980 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 87
PID 1916 wrote to memory of 4980 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 87
PID 1916 wrote to memory of 4980 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 87
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
PID 1916 wrote to memory of 2256 | 1916 | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
  PID: 1916
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\smk4amv5\smk4amv5.cmdline"
    PID: 5116
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4892.tmp" "c:\Users\Admin\AppData\Local\Temp\smk4amv5\CSC2D3E5B56B234EB5B2A0C8AE7DC2D46.TMP"
      PID: 3724

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 4980

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2256
Downloads