Malware Analysis Report

2025-01-18 12:18

Sample ID: 240306-ch46qsga8w
Target: Wondershare Filmora 13 (UPDATED).exe
SHA256: ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
Tags: raccoon 4076618ff41b7d8c15ac86f265ebc66d stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182

Threat Level: Known bad

The file Wondershare Filmora 13 (UPDATED).exe was found to be: Known bad.

Malicious Activity Summary

raccoon 4076618ff41b7d8c15ac86f265ebc66d stealer

Raccoon

Raccoon Stealer V2 payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-06 02:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-06 02:05
Reported: 2024-03-06 02:08
Platform: win11-20240221-en
Max time kernel: 104s
Max time network: 109s

Command Line

C:\Windows\Explorer.EXE

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2452 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | C:\Windows\Explorer.EXE

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2452 set thread context of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif

Enumerates physical storage devices

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 584 wrote to memory of 1208 (reported 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe | C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 1516 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1208 wrote to memory of 4340 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1208 wrote to memory of 1484 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1208 wrote to memory of 4480 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1208 wrote to memory of 3608 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 2456 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 4556 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 2452 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif
PID 1208 wrote to memory of 3104 (reported 3 times) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2452 wrote to memory of 396 (reported 5 times) | N/A | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe

"C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 20551

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 20551\Victoria.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Designation + Chorus + Place 20551\B

C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif

20551\Victoria.pif 20551\B

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif

C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | EDLqDEKyDDmwTX.EDLqDEKyDDmwTX | udp
GB | 2.16.34.106:443 | | tcp
US | 20.42.73.24:443 | browser.pipe.aria.microsoft.com | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
RU | 82.146.45.177:80 | | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp
GB | 2.20.37.224:443 | cxcs.microsoft.net | tcp
GB | 2.20.37.224:443 | cxcs.microsoft.net | tcp
GB | 92.123.128.181:443 | www.bing.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Latter


C:\Users\Admin\AppData\Local\Temp\Prev


C:\Users\Admin\AppData\Local\Temp\Eight


C:\Users\Admin\AppData\Local\Temp\Publishing


C:\Users\Admin\AppData\Local\Temp\Planning


C:\Users\Admin\AppData\Local\Temp\Designation


C:\Users\Admin\AppData\Local\Temp\Chorus


C:\Users\Admin\AppData\Local\Temp\Objectives


C:\Users\Admin\AppData\Local\Temp\Place


C:\Users\Admin\AppData\Local\Temp\20551\Victoria.pif


C:\Users\Admin\AppData\Local\Temp\20551\B


Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-06 02:05
Reported: 2024-03-06 02:08
Platform: win11-20240221-en
Max time kernel: 30s
Max time network: 142s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$TEMP\Designation.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$TEMP\Designation.ps1

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqnqzltt.nhe.ps1


Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-06 02:05
Reported: 2024-03-06 02:06
Platform: win11-20240221-en
Max time kernel: 0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A