Overview

overview

10

Static

static

3

cd2dda4750...7c.exe

windows7-x64

10

cd2dda4750...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    16/03/2024, 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd2dda475065ca19a87fef773d29837c.exe

  • Size

    1.5MB

  • MD5

    cd2dda475065ca19a87fef773d29837c

  • SHA1

    03681c4ba67b25814f388a9ec2331681a104da06

  • SHA256

    86be7e271ff5976401fab7697d671398ce7612b461326b60bd7c5cf82d5dd413

  • SHA512

    bc1a0d0ce804415a7ad6b35ce738145d2417c21bb53c6d803864fc67d96e8dd79b4cb17edd3dd149cdefaf36a9772a21fea1c092bfd73eeea1ee0942d64f7402

  • SSDEEP

    24576:u7WyfNGtTHMF+WNxccRzp6RXiAmJD+1ueBUUIYkBC:oHGBsF+SxF96hiVC1zBUhA

Score
10/10
raccoon7ffdc0de40d09810438d04c4d2b8f65bca253bafstealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

7ffdc0de40d09810438d04c4d2b8f65bca253baf

Attributes
  • url4cnc

    https://telete.in/happyteslafalcon

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd2dda475065ca19a87fef773d29837c.exe
    "C:\Users\Admin\AppData\Local\Temp\cd2dda475065ca19a87fef773d29837c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Chiamando.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^vMTXZfRbDiFjhouYfDZWbLTTynJzpkQjrEXNpogAoVarczDEuNhSnblKTZSAFngsszpJkzPifnOBzPnMVtjcXXNGzhTpfNVJHwMelTzMXuCZJJsrBuFAkSzzFCdXm$" Sua.html
          4⤵
            PID:2608
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com
            Ingranditi.exe.com e
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com e
              5⤵
              • Deletes itself
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2672
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
                6⤵
                • Executes dropped EXE
                • Gathers network information
                • Modifies system certificate store
                PID:2504
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            4⤵
            • Runs ping.exe
            PID:2392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.html
      Filesize

      451B

      MD5

      d364be2ce0e241a028d7417486ab4ded

      SHA1

      658430b4fe71bf63007a4af9722a396adf4ed67a

      SHA256

      e596a84d0a8719bbe6eca4e59cb7a6f16c64f1bb6500edf5405ba857c3e6a5dc

      SHA512

      0f10f84850db38e8df6d77df0ebaeacf79a1fa00d84783a9eee40eda99e29d33e453d477427cd504f200a30043b1c5e56415e5d41d9145d90fce4b45be2d843d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pareva.html
      Filesize

      583KB

      MD5

      f40641f6724a17eb3cc8bb4404caa6b4

      SHA1

      bd78862c8dbe4d583ba618e5fa1d2812f50726e5

      SHA256

      b9070989900ce4b0f2d4e1ef2ec4708355ae3736296d10843666b4285c308f8e

      SHA512

      ad3d90f523a7334e37932a3543390ccde9bacc9f628138a524426f91c118d8dcc9a69219886c4b8987046d465686acdbd3fc8dff12f9b1cdf6171aa295515440

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sua.html
      Filesize

      872KB

      MD5

      2fca4116a24e435da278eba9b4d141d6

      SHA1

      9c6c076c2dd023c8709bd398d9d19b6f6f9ebc30

      SHA256

      7ea5b7a7fe7d29efce69bd4d5cc704ce48d5316f9ccc7678755f92b327a8ddc0

      SHA512

      d751f80e42bce965940df55042348342ef35811b409d67be7691386c5cdbc5c0fa85ac6a193261277362e07f4004c92869d86947f803beecdec56a9e5c65e315

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Svelto.html
      Filesize

      990KB

      MD5

      30756a814cb126d3aaade64144a787c5

      SHA1

      c01865957f301263bc01ffe08fbdb4af2a3df7b1

      SHA256

      4278eecfba9f76966fa4673ab5cf9d7470984fdb21b00dfa8256199e39eb8262

      SHA512

      93ef957a21a67e46e334e8a4e8f1b2b55ea7d6fcf51e475db6bf18f8b3f7642b8f896f23adbe5061c5641d041aff14d447ed7ac7f2cf8104f8ad094f7c8cfe20

      Download Submit

    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
      Filesize

      26KB

      MD5

      cabb20e171770ff64614a54c1f31c033

      SHA1

      ea18043fedaf888f04c07f71f2006f3f479c0b41

      SHA256

      c0e3087d87c84776fe7ffca768a0793c02d28e34a821f0c9da32339af8e7e6a6

      SHA512

      a6a6beff693f2e2c71c0d8e12f6964e789aa4b370c1e0191b2b0ff038801fdb0038a54c0a8f2dbc0d399d2c016f89701c6b6275b3a2b6fa74fb2a5ea817c2d3b

      Download Submit

    • memory/2504-30-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2504-33-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2504-34-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2504-35-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2672-25-0x00000000001F0000-0x00000000001F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-28-0x0000000000200000-0x0000000000202000-memory.dmp

      Filesize

      8KB

      Download