Analysis Overview
SHA256
ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
Threat Level: Known bad
The file Wondershare Filmora 13 (UPDATED).exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
Raccoon Stealer V2 payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-06 02:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 02:05
Reported
2024-03-06 02:08
Platform
win11-20240221-en
Max time kernel
104s
Max time network
109s
Command Line
Signatures
Raccoon
Raccoon Stealer V2 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2452 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2452 set thread context of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe
"C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 20551
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 20551\Victoria.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Designation + Chorus + Place 20551\B
C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif
20551\Victoria.pif 20551\B
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif
C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | EDLqDEKyDDmwTX.EDLqDEKyDDmwTX | udp |
| GB | 2.16.34.106:443 | | tcp |
| US | 20.42.73.24:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| RU | 82.146.45.177:80 | | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 2.20.37.224:443 | cxcs.microsoft.net | tcp |
| GB | 2.20.37.224:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Latter
| MD5 | 202cd0ed4d5a42ef36c223e2e041bae9 |
| SHA1 | 814d8e675a6c57811052f1f116e51605f11c5c7a |
| SHA256 | dfab3a6b7e63339e8a23e9270cbbd49fa5d9efe42512339e1a7a915bd04d7b10 |
| SHA512 | e66ab9d35dbc6cb593f90b31d739fd361bb2426f8137121b6f297663b970ba8e2ffd0e53e72d3137ce705ebee3f254646fc6d350b0fcb432276761b664f7cb60 |
C:\Users\Admin\AppData\Local\Temp\Prev
| MD5 | 8d019b45973901b4854eec33096d05c0 |
| SHA1 | 1dfb37a78659ba3917c6479ead9c9f645bbb8331 |
| SHA256 | d4dce3c852197709b13ad7a426d2e515d3d7d0d52d79d4b1de7f3c8e5f881ff3 |
| SHA512 | 9e23a4d76c707476e0c342dc6468c153571a5e1a106397d80c8ade95682119bd3bfe45ba803521327d61d926c14bcb3b61fd1869de4881956453a53183e98af1 |
C:\Users\Admin\AppData\Local\Temp\Eight
| MD5 | 521f2aed387524bdd7052bb4f23c0018 |
| SHA1 | 7c57b9c934705f1ba9418840afef2f0af8e69168 |
| SHA256 | d38464b74940765c78bf06478029f2366bfbca7c9b965c164efb2886e98c3d6a |
| SHA512 | 73366414419bb41c192a74f56a94c867d50187c24e07cc9ac33f4dbab31ea756671dc879a9bf78735596f8c96976fd595dd987702daadd9b8b25ea543a12c474 |
C:\Users\Admin\AppData\Local\Temp\Publishing
| MD5 | 5c3dd15e00b94c2d9b169d10e4f89144 |
| SHA1 | 32f0c00bcf18cc51ed0ff7bcab2cb6b62ff08620 |
| SHA256 | d2ad4b17ef916f37ba03c3a7f5c3e3733a7b63bc18eda759f0e8744d682af9c4 |
| SHA512 | 1f4c9bc47efe1c5644042daa5575dd2fbfc92de604b1af7c70fb77070f5b1d2928811d84e47ddabae08b4bf7248a23c66690413d6a75cb1b683e3c893068c4eb |
C:\Users\Admin\AppData\Local\Temp\Planning
| MD5 | 9bb02422262416ba9e804e520ab576be |
| SHA1 | 3d6b62a8f9d8d846c8e05495819b5320ada507c6 |
| SHA256 | fb7337b18c69464c4c84b9ecb69d62f6f693460c86d0e5ab3586c315c59cac97 |
| SHA512 | febc9d3221329aa1150dc3b1b81afe858634bb3a096939ae5cbef87d9c7dc3613265baf1e40befac34798ac186802d17437f04cadff4b3ade71332647ece10e9 |
C:\Users\Admin\AppData\Local\Temp\Designation
| MD5 | c1cc1aa18b9007c18d77d379897ca025 |
| SHA1 | 64c85a49243812f66e0dd819129cb99ee10ef763 |
| SHA256 | 5ff84c86bbb50331fb0a8dda84591ff259d236aa54fb1c7e14e420e916d340cc |
| SHA512 | 791c7cdc14c4947460327d9cb4b9a524dcf948ece3f96446a0d8da8cd938922dcb5695a16b011ab7910581341ca1b0088dc1df7f45712dfdcb78a2058d56c310 |
C:\Users\Admin\AppData\Local\Temp\Chorus
| MD5 | 6289f0044be469e5cc5d78425de1ecd2 |
| SHA1 | 1633cbe5c9c79ff74cef4ef8d44221d16dc7c674 |
| SHA256 | 68c92d709cd12a0decce387d841e41519f68979ff305aff68738a81e538c2434 |
| SHA512 | 256d3016d615d47f71f762b339ef842d1da613323aa8beb3b67afbb3271b5a5001e470d9331039fbf5600b87e49d40fe41af29dd96cdaef8af37dfee37c83f70 |
C:\Users\Admin\AppData\Local\Temp\Objectives
| MD5 | 93fc6d378cf9f3e4bd856b24e758032b |
| SHA1 | 23509fad0ad1dc5cead9b4f8e0efe2b1a52c2536 |
| SHA256 | 21cc51aee34eef0c66dbc4c633bedc390dba87482289b7a31e15806b9dfb60ad |
| SHA512 | e8304645ae862af43af2d8596626764420a4c6acaa4cb1a4a1eacab231a0351a04b1130609c34e8b2c58e13b97f048af5f97bcbcee8ace3eef9955228b57285e |
C:\Users\Admin\AppData\Local\Temp\Place
| MD5 | 9ea9a13f6966bda0647d6f83f6d257fb |
| SHA1 | 36d5c6d95368508c5878bf08e2a2bc753aaf7aec |
| SHA256 | 5db649df3c48e3e7e47f9bfa222fc229b4a000dadd9d12b83fde569ed2ee81a3 |
| SHA512 | 4c3a3359777a16c190973eefd001e166f76dee32482493b0da2c635b90a143aef35a36101ff66daa1b60eeaec945c3d93a8d82b51cc8a70e48bc6b9c3199db2a |
C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\20551\B
| MD5 | 2ea6936964f3396a440d6fcd1d0e6a40 |
| SHA1 | c1b605042274a26061f9b3acf6e3e3c84d0dd27d |
| SHA256 | ee33bc9748fc3f2799d43df04ead1df383764f6a00e85cb6865a456b1023bf27 |
| SHA512 | 8e3c462a5ab1f47e834ebbe64a320d68d7e98dc5a50a3d21127d9731c168dcd64a1ed77a33c514d2cbe56daa981073942eb878504e58cffd864f28c68facbba5 |
memory/2452-23-0x0000000077751000-0x0000000077873000-memory.dmp
memory/2452-24-0x0000000004420000-0x0000000004421000-memory.dmp
memory/396-26-0x0000000000400000-0x0000000000416000-memory.dmp
memory/396-27-0x0000000000400000-0x0000000000416000-memory.dmp
memory/396-29-0x0000000000400000-0x0000000000416000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-06 02:05
Reported
2024-03-06 02:08
Platform
win11-20240221-en
Max time kernel
30s
Max time network
142s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$TEMP\Designation.ps1
Network
Files
memory/2336-0-0x0000021F7C980000-0x0000021F7C9A2000-memory.dmp
memory/2336-9-0x00007FF938950000-0x00007FF939412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqnqzltt.nhe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2336-10-0x0000021F7CA30000-0x0000021F7CA40000-memory.dmp
memory/2336-11-0x0000021F7CA30000-0x0000021F7CA40000-memory.dmp
memory/2336-14-0x00007FF938950000-0x00007FF939412000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-06 02:05
Reported
2024-03-06 02:06
Platform
win11-20240221-en
Max time kernel
0s