Resubmissions
24/02/2024, 23:32
240224-3jlc5agg36 1019/02/2024, 20:03
240219-ys4tlscg37 1019/02/2024, 20:01
240219-yrrsnacb2z 10Analysis
-
max time kernel
141s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
19/02/2024, 20:03
General
-
Target
Driver Booster 11 PRO.rar
-
Size
658KB
-
MD5
6d3ca847c423d6819dd364bd333572b6
-
SHA1
bfc6115fe0c41245f247d038737730fcd23c706d
-
SHA256
5961d0a8ebdc116b674d3231b5c8b01b35d3c7a191b0bb8ab5bb7b14352cc065
-
SHA512
eafe0185411812ea8ac561b2bf34a4f2551979252e1b42b1d045e523318c0de964c12c48aef7e8d91d667e836f3d3f2b7a3a62477a57440df25486cf9d92f102
-
SSDEEP
12288:vtSkbZjfeGDXtsLrWe6S4OqhECnTjRDMzNK0IFJWZZYbWhTkUuo:vzbgGDds+e74R7BAzPoUZqbW9kU7
Malware Config
Extracted
raccoon
ccf92b7fb8bdc5b3c5b2cea72a452ab2
http://46.151.31.26:80/
-
user_agent
MrBidenNeverKnow
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 14 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 14 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Driver Booster 11 PRO.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Driver Booster 11 PRO.rar"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCD9F0C47\Instructions.txt4⤵
- Opens file in notepad (likely ransom note)
-
-
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 101224⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10122\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10122\e4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10122\Rosa.pif10122\Rosa.pif 10122\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 101384⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10138\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10138\e4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\10138\Rosa.pif10138\Rosa.pif 10138\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 101484⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10148\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10148\e4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\10148\Rosa.pif10148\Rosa.pif 10148\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 101684⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10168\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10168\e4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\10168\Rosa.pif10168\Rosa.pif 10168\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10122\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10122\Rosa.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\10138\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\10138\Rosa.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 102004⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10200\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10200\e4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\10200\Rosa.pif10200\Rosa.pif 10200\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\10148\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\10148\Rosa.pif2⤵
- Executes dropped EXE
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\10168\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\10168\Rosa.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\10200\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\10200\Rosa.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 103024⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10302\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10302\e4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.005\10302\Rosa.pif10302\Rosa.pif 10302\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"C:\Users\Admin\Desktop\Driver Booster 11 PRO License.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 103054⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 10305\Rosa.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Processing 10305\e4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.006\10305\Rosa.pif10305\Rosa.pif 10305\e4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.005\10302\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.005\10302\Rosa.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.006\10305\Rosa.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.006\10305\Rosa.pif2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178KB
MD5d8f9dd4003de34471d0797f274ebe7bc
SHA1393aceab75a29520961e52cd0756e8971f02f72a
SHA256db576bf9cae0e2ec38f1efbcaad5e7941b3456bc7b9ab5d3570d281937ef007c
SHA512bc34e3ee19055353eab85ef420a8ccbba81bc8ade7f745c7e7ca6fab6ebded5ffbce01bd2fec78bc8db661e89c62f021ff375d547670eb08050ac49e07ea657e
-
Filesize
10KB
MD58c4c658f59e7e8626cf7f8a382cbe005
SHA17ca0681bab8878b032d2f084275a487fea690bcc
SHA256462506a044d309cde8677030483e35b4ad323f7f93b4f82c667aa0426017bb1a
SHA512d2077ef00c1f8753d7cd27b56aa2bcd266b046c3fe25eca58265ff0cc0e990234889eafb38cf55c16c98105cbaa785f66c4575b977958a26a0a1919069413f27
-
Filesize
115KB
MD57dea798d8550a7eb8c0dac613d328119
SHA13c2a6577e063b7371c52108393c8637f338c70cc
SHA2567c418482ec85689387802871cc2bc4a031b68328a60b90122d4e3d84cea306cf
SHA5127750be47bcdd5225dd73eb7e06c500d50b43fe961424cc6f4c09f78648848e10175b137d032d73fecd7b9cc5e6469889d98ab39735c183c3b05447e7237ca7f3
-
Filesize
118KB
MD5f2a6a75f93068cb427350af64f2b98a7
SHA1e11e41958a8a3b68ff6a8a4bd126b9aff9849d0c
SHA25628f253d9592bc6badf74dd1dbadda2d65a47e812cb2d75435b25f650cf06a9e5
SHA512584bdb2eb53eaf86b85eff99c5f8253783421964e9ccc1d9226394b2135d75ef13d8d35369ebf569d5955fab5ba6acb98e6bf68a82a7b51a287470ac3816eefd
-
Filesize
293KB
MD5b38a37e518db3dd0646287e647da2791
SHA180ec5fed671f51a07cc6f30a411bf91056e0e4e3
SHA256f938df0350470599eda1c3359637627f8cc261038eb6d7438b883ce4c0722580
SHA5125aaacfe5a3a033b9b07601b1ec1be3079d3244a2a42238cd498ff32f165bcb128a2442a84954fa92dfa3ef7bb32fd4f1013e51ff13deb222d97759c09af332db
-
Filesize
220KB
MD596b80b99cf941e0851f2d4c6c739563f
SHA17cb29861f9e3c81241558eb558f7b6766b9601c2
SHA256348fcc34733289fb855961990e9c8a7fd0d0b6841fa915b11fea3f354666cbde
SHA5127d64d6ddfb54beb647f56dc4bcd8f71b8477046c325e5bb35d88149c55a998f69822a6572945e12a4416ea2985d73da7235cc754beddb007c36fbc96a977c35b
-
Filesize
401KB
MD5f8a1fc75b3bb6e1cac4cfaa82e25b698
SHA1ebd7573bdcbfc9ac51742d198cc3287689417cb2
SHA25607760b8ddfaa45d173d7565e35147019b204cfa4d9009d90755f33062c8b4741
SHA512cae5ea4f51058cb6bbb4aa70e50eec87be028a607f824ac80ee13b94dbc67489dad831900c4b45f45b79891aa9ab7b78e92748385547ebe7ac44c92f07c1013b
-
Filesize
770KB
MD527cf0c7d37e5ffbab9b1a163544f3321
SHA13ed7493f213a01f7c99a4d11f56cfa7f79f90d0a
SHA2564f6eba5f100a37005509d15782ca2991de72d027be766ba779f20e956555c29b
SHA512f9ac54ee39c7192406a51a6e506b420387b2314facc31656b1acd3a69fdcb3060553b42122c5a6f5092083d71c20d4304b1ed067e9b1e481951c1a4798e0fa2d
-
Filesize
924KB
MD5848164d084384c49937f99d5b894253e
SHA13055ef803eeec4f175ebf120f94125717ee12444
SHA256f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
856KB
-
Filesize
4KB