Overview

overview

10

Static

static

3

cd2dda4750...7c.exe

windows7-x64

10

cd2dda4750...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/03/2024, 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd2dda475065ca19a87fef773d29837c.exe

  • Size

    1.5MB

  • MD5

    cd2dda475065ca19a87fef773d29837c

  • SHA1

    03681c4ba67b25814f388a9ec2331681a104da06

  • SHA256

    86be7e271ff5976401fab7697d671398ce7612b461326b60bd7c5cf82d5dd413

  • SHA512

    bc1a0d0ce804415a7ad6b35ce738145d2417c21bb53c6d803864fc67d96e8dd79b4cb17edd3dd149cdefaf36a9772a21fea1c092bfd73eeea1ee0942d64f7402

  • SSDEEP

    24576:u7WyfNGtTHMF+WNxccRzp6RXiAmJD+1ueBUUIYkBC:oHGBsF+SxF96hiVC1zBUhA

Score
10/10
raccoon7ffdc0de40d09810438d04c4d2b8f65bca253bafstealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

7ffdc0de40d09810438d04c4d2b8f65bca253baf

Attributes
  • url4cnc

    https://telete.in/happyteslafalcon

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd2dda475065ca19a87fef773d29837c.exe
    "C:\Users\Admin\AppData\Local\Temp\cd2dda475065ca19a87fef773d29837c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Chiamando.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^vMTXZfRbDiFjhouYfDZWbLTTynJzpkQjrEXNpogAoVarczDEuNhSnblKTZSAFngsszpJkzPifnOBzPnMVtjcXXNGzhTpfNVJHwMelTzMXuCZJJsrBuFAkSzzFCdXm$" Sua.html
          4⤵
            PID:4068
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com
            Ingranditi.exe.com e
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3936
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com e
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4064
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
                6⤵
                • Executes dropped EXE
                • Gathers network information
                PID:3316
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            4⤵
            • Runs ping.exe
            PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        2⤵
          PID:2352
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4576

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
          Filesize

          236B

          MD5

          482ea5218dc27fe127c61acc6f16f8a0

          SHA1

          a9673286ce59d239ffc2ce996d1f774acb248598

          SHA256

          31cebffba2768bc1fec8ff816c9eb075343d00a5eeae2df375574977ab9b0d71

          SHA512

          cb35c0b5f8c90a1a3e9369078f37e7e199021ebc57d5c059b986f7495f48b4b78ab4d78ef7114cf6be1ce6ab7cde49ab929c4c8513ea475f6ec64d8934bb0123

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiamando.html
          Filesize

          451B

          MD5

          d364be2ce0e241a028d7417486ab4ded

          SHA1

          658430b4fe71bf63007a4af9722a396adf4ed67a

          SHA256

          e596a84d0a8719bbe6eca4e59cb7a6f16c64f1bb6500edf5405ba857c3e6a5dc

          SHA512

          0f10f84850db38e8df6d77df0ebaeacf79a1fa00d84783a9eee40eda99e29d33e453d477427cd504f200a30043b1c5e56415e5d41d9145d90fce4b45be2d843d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.exe.com
          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pareva.html
          Filesize

          583KB

          MD5

          f40641f6724a17eb3cc8bb4404caa6b4

          SHA1

          bd78862c8dbe4d583ba618e5fa1d2812f50726e5

          SHA256

          b9070989900ce4b0f2d4e1ef2ec4708355ae3736296d10843666b4285c308f8e

          SHA512

          ad3d90f523a7334e37932a3543390ccde9bacc9f628138a524426f91c118d8dcc9a69219886c4b8987046d465686acdbd3fc8dff12f9b1cdf6171aa295515440

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sua.html
          Filesize

          872KB

          MD5

          2fca4116a24e435da278eba9b4d141d6

          SHA1

          9c6c076c2dd023c8709bd398d9d19b6f6f9ebc30

          SHA256

          7ea5b7a7fe7d29efce69bd4d5cc704ce48d5316f9ccc7678755f92b327a8ddc0

          SHA512

          d751f80e42bce965940df55042348342ef35811b409d67be7691386c5cdbc5c0fa85ac6a193261277362e07f4004c92869d86947f803beecdec56a9e5c65e315

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Svelto.html
          Filesize

          990KB

          MD5

          30756a814cb126d3aaade64144a787c5

          SHA1

          c01865957f301263bc01ffe08fbdb4af2a3df7b1

          SHA256

          4278eecfba9f76966fa4673ab5cf9d7470984fdb21b00dfa8256199e39eb8262

          SHA512

          93ef957a21a67e46e334e8a4e8f1b2b55ea7d6fcf51e475db6bf18f8b3f7642b8f896f23adbe5061c5641d041aff14d447ed7ac7f2cf8104f8ad094f7c8cfe20

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
          Filesize

          28KB

          MD5

          3a3b9a5e00ef6a3f83bf300e2b6b67bb

          SHA1

          261127183df2987de2239806dd74fe624c430608

          SHA256

          87b036c720fbd5e63355b9920a2864feaf59b1584ebd8458651936ab8c7c1f81

          SHA512

          21df8867246a9c5834253c0d2c2de3e620e9f8b4b031b9e53cb6082eca78b90bdb09b9e8baf39e05a08b859f81b3aecbc34f3540428cef0bed746d7e769f2f04

          Download Submit

        • memory/3316-30-0x0000000000400000-0x0000000000495000-memory.dmp

          Filesize

          596KB

          Download

        • memory/3316-32-0x0000000000400000-0x0000000000495000-memory.dmp

          Filesize

          596KB

          Download

        • memory/3316-33-0x0000000000400000-0x0000000000495000-memory.dmp

          Filesize

          596KB

          Download

        • memory/3316-34-0x0000000000400000-0x0000000000495000-memory.dmp

          Filesize

          596KB

          Download

        • memory/3316-35-0x0000000000400000-0x0000000000495000-memory.dmp

          Filesize

          596KB

          Download

        • memory/4064-29-0x00000000016A0000-0x00000000016A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4064-27-0x0000000001690000-0x0000000001691000-memory.dmp

          Filesize

          4KB

          Download