Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 23:50

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe
  Resource: win10v2004-20240226-en
General

Target: 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe
Size: 39.9MB
MD5: fd8058fe93fa938472722334f497e920
SHA1: 9d56a463fb795a3e87b6063d554aa5538a9b31c6
SHA256: 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058
SHA512: d6179132f6bec008a8e84422aa5575bfa97f6e5c0dc6ae18508087c68e67de66896cc11659807ef54305fc4cac8c15626eb013ae62795143b044d87b94c8721b
SSDEEP: 786432:HpP1TvbDChk+IOyS5Lir9d+woWNo9khkO5yajOAEbPA0GVRbJuah60m1G3Zr0rH:JtrnCFySCd2WhhkO5yuBwY0GVxjh60Cf
Malware Config

Extracted
Family: raccoon
Key: d4dfe058bb722373a292317097b425f0
C2: http://37.49.230.152:80
C2: http://37.49.230.219:80
user_agent: MrBidenNeverKnow
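Both C2 addresses are plain HTTP on port 80 and the sample identifies itself with the fixed User-Agent string MrBidenNeverKnow, so the extracted config is directly usable against proxy logs. The script below is an added example, not part of the sandbox report: it takes the two C2 URLs and the user agent from the config above and runs them over a few proxy log lines. The log format and the log lines themselves are constructed for the example.

```python
"""Added example (not part of the sandbox report): match the Raccoon v2
network IoCs from the extracted config against web-proxy log lines.

Only RACCOON_C2 and RACCOON_UA come from the report; the log format and
SAMPLE_LOG are constructed for this example."""
import re
from urllib.parse import urlsplit

# From the report's extracted config.
RACCOON_C2 = ["http://37.49.230.152:80", "http://37.49.230.219:80"]
RACCOON_UA = "MrBidenNeverKnow"


def c2_endpoints(urls):
    """Normalise C2 URLs to (host, port) so a hit does not depend on the
    path the stealer appends to the base URL when it checks in."""
    out = set()
    for u in urls:
        p = urlsplit(u)
        out.add((p.hostname, p.port or (443 if p.scheme == "https" else 80)))
    return out


# Constructed log format: ts src_ip method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def scan_proxy_log(lines, c2_urls=RACCOON_C2, ua=RACCOON_UA):
    """Return one dict per suspicious line. A line is flagged if it talks to
    a known C2 host:port or carries the Raccoon user agent; 'reasons' says
    which, and a line with both is the strongest signal."""
    endpoints = c2_endpoints(c2_urls)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        _ts, src, _method, url, _status, agent = m.groups()
        p = urlsplit(url)
        dest = (p.hostname, p.port or 80)
        reasons = []
        if dest in endpoints:
            reasons.append("c2_endpoint")
        if agent == ua:
            reasons.append("user_agent")
        if reasons:
            hits.append({"line": n, "src": src,
                         "dest": f"{dest[0]}:{dest[1]}", "reasons": reasons})
    return hits


# Constructed sample lines (not from the report).
SAMPLE_LOG = [
    '2024-03-21T23:51:02Z 10.0.0.5 GET http://www.msftconnecttest.com/connecttest.txt 200 "Microsoft NCSI"',
    '2024-03-21T23:51:09Z 10.0.0.5 POST http://37.49.230.152/ 200 "MrBidenNeverKnow"',
    '2024-03-21T23:51:10Z 10.0.0.5 GET http://37.49.230.219:80/ 200 "MrBidenNeverKnow"',
    '2024-03-21T23:52:30Z 10.0.0.7 GET http://37.49.230.152:8080/ 404 "Mozilla/5.0"',
    '2024-03-21T23:53:00Z 10.0.0.9 GET http://example.org/ 200 "MrBidenNeverKnow"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The port is part of the match on purpose: the fourth sample line goes to a C2 IP on a different port and is not flagged, while the last line is flagged on the user agent alone, which is the case to hunt for when the operators rotate C2 addresses but not the build's UA string.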
Signatures

Raccoon Stealer V2 payload (4 IoCs)
resource | yara_rule
behavioral2/memory/568-65-0x0000000000400000-0x00000000021D1000-memory.dmp | family_raccoon_v2
behavioral2/memory/568-64-0x0000000000400000-0x00000000021D1000-memory.dmp | family_raccoon_v2
behavioral2/memory/568-71-0x0000000000400000-0x00000000021D1000-memory.dmp | family_raccoon_v2
behavioral2/memory/568-72-0x0000000000400000-0x00000000021D1000-memory.dmp | family_raccoon_v2
All four matches are on memory dumps of PID 568 (rywbeadtvbwehnp.exe) over its image range 0x400000-0x21D1000: the family rule fires on the unpacked payload in memory, not on a file on disk.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | SpybotAntiBeacon-4.1-setup.exe

Executes dropped EXE (4 IoCs)
pid | Process
3472 | SpybotAntiBeacon-4.1-setup.exe
568 | rywbeadtvbwehnp.exe
4652 | SpybotAntiBeacon-4.1-setup.exe
4420 | SpybotAntiBeacon-4.1-setup.tmp

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
The writer in all four rows is expand.exe itself, once per invocation; these are its own DPX logs, not the dropped payloads writing under C:\Windows.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
568 | rywbeadtvbwehnp.exe
568 | rywbeadtvbwehnp.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
568 | rywbeadtvbwehnp.exe
4652 | SpybotAntiBeacon-4.1-setup.exe
4420 | SpybotAntiBeacon-4.1-setup.tmp

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2524 wrote to memory of 3472 | 2524 | 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe | 94
PID 2524 wrote to memory of 3472 | 2524 | 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe | 94
PID 3472 wrote to memory of 4552 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 96
PID 3472 wrote to memory of 4552 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 96
PID 3472 wrote to memory of 568 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 101
PID 3472 wrote to memory of 568 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 101
PID 3472 wrote to memory of 568 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 101
PID 3472 wrote to memory of 5080 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 102
PID 3472 wrote to memory of 5080 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 102
PID 3472 wrote to memory of 4652 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 106
PID 3472 wrote to memory of 4652 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 106
PID 3472 wrote to memory of 4652 | 3472 | SpybotAntiBeacon-4.1-setup.exe | 106
PID 4652 wrote to memory of 4420 | 4652 | SpybotAntiBeacon-4.1-setup.exe | 107
PID 4652 wrote to memory of 4420 | 4652 | SpybotAntiBeacon-4.1-setup.exe | 107
PID 4652 wrote to memory of 4420 | 4652 | SpybotAntiBeacon-4.1-setup.exe | 107
The parent/child pairs here (2524 -> 3472, 3472 -> 4552/568/5080/4652, 4652 -> 4420) are the same edges as the process tree below; each writing process is the one that launched the target.
Processes
(indentation shows parent/child; the leading number is the depth in the tree)

1 C:\Users\Admin\AppData\Local\Temp\8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe  PID 2524
  command line: "C:\Users\Admin\AppData\Local\Temp\8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe  PID 3472
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\System32\expand.exe  PID 4552
      command line: "C:\Windows\System32\expand.exe" rywbeadtvbwehnp.jpg rywbeadtvbwehnp.exe
      - Drops file in Windows directory
    3 C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe  PID 568
      command line: "C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    3 C:\Windows\System32\expand.exe  PID 5080
      command line: "C:\Windows\System32\expand.exe" SpybotAntiBeacon-4.1-setup.jpg SpybotAntiBeacon-4.1-setup.exe
      - Drops file in Windows directory
    3 C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe  PID 4652
      command line: "C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Local\Temp\is-1F739.tmp\SpybotAntiBeacon-4.1-setup.tmp  PID 4420
        command line: "C:\Users\Admin\AppData\Local\Temp\is-1F739.tmp\SpybotAntiBeacon-4.1-setup.tmp" /SL5="$130040,19094942,805888,C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

Reading the tree: the submitted file extracts into a RarSFX0 directory, the temp directory a WinRAR self-extracting archive uses, and its first stage (the RarSFX0 copy of SpybotAntiBeacon-4.1-setup.exe) runs the signed Windows tool expand.exe twice to decompress files carrying a .jpg extension into executables. One result, rywbeadtvbwehnp.exe (PID 568), is the process whose memory matched the Raccoon Stealer V2 rule; the other is a Spybot Anti-Beacon installer (the is-1F739.tmp helper and the /SL5= switch are Inno Setup conventions) that runs alongside it, so the user sees a real-looking installation. Because expand.exe is given relative destination paths, the two outputs land in different directories (Temp and Local), which is why the final installer is at C:\Users\Admin\AppData\Local rather than in Temp.
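The expand.exe invocations in the tree are the part worth a detection rule: a signed Windows binary is asked to decompress a file with a .jpg extension into a .exe under a user-writable directory, with a parent that itself lives in a temp directory. The script below is an added example and not part of the report. It scores expand.exe command lines on exactly those properties and runs over a few process-creation events. The event records use Sysmon Event ID 1 style field names; the CurrentDirectory and ParentImage values are assumed, only the two malicious command lines are taken from the tree above, and the benign events are constructed.

```python
"""Added example (not part of the sandbox report): score expand.exe
invocations for the renamed-archive-to-.exe trick seen in the process tree.

SAMPLE_EVENTS use Sysmon Event ID 1 style field names. ParentImage and
CurrentDirectory values are assumed; only the two malicious CommandLine
strings come from the report, the other events are constructed."""
import re
import shlex
from pathlib import PureWindowsPath

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".cpl"}
# Per-user, user-writable location used by this sample (AppData\Local\...).
USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def split_windows_cmdline(cmdline):
    # posix=False keeps backslashes literal; quotes are kept, so strip them.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def expand_args(cmdline):
    """Return (source, destination) from an expand.exe command line, or None
    if this is not expand.exe. expand's documented forms are
        expand [-r] Source Destination
        expand -F:Files Source Destination
    so after dropping switches the last two arguments are source and destination."""
    toks = split_windows_cmdline(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("expand.exe", "expand"):
        return None
    args = [t for t in toks[1:] if not t.startswith(("-", "/"))]
    if len(args) < 2:
        return None
    return args[-2], args[-1]


def classify_expand(event):
    """Return the list of suspicious properties of an expand.exe event
    (empty for non-expand events and for ordinary use)."""
    parsed = expand_args(event["CommandLine"])
    if parsed is None:
        return []
    src, dst = parsed
    cwd = PureWindowsPath(event.get("CurrentDirectory", ""))
    # expand.exe resolves relative paths against its working directory;
    # joining an absolute path onto cwd simply yields the absolute path.
    src_path, dst_path = cwd / src, cwd / dst
    reasons = []
    # Legitimate sources are cabinets (.cab) or MS-compressed files (name ending in '_').
    src_suffix = src_path.suffix.lower()
    if src_suffix != ".cab" and not src_suffix.endswith("_"):
        reasons.append("source_not_cab")
    if dst_path.suffix.lower() in EXECUTABLE_EXT:
        reasons.append("dest_executable")
    if USER_APPDATA.match(str(dst_path)):
        reasons.append("dest_in_user_appdata")
    if USER_APPDATA.match(event.get("ParentImage", "")):
        reasons.append("parent_in_user_appdata")
    return reasons


def verdict(event):
    n = len(classify_expand(event))
    return "suspicious" if n >= 2 else "review" if n == 1 else "benign"


SAMPLE_EVENTS = [
    {  # command line from the report (PID 4552); parent and cwd assumed
        "CommandLine": r'"C:\Windows\System32\expand.exe" rywbeadtvbwehnp.jpg rywbeadtvbwehnp.exe',
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe",
        "CurrentDirectory": r"C:\Users\Admin\AppData\Local\Temp",
    },
    {  # command line from the report (PID 5080); parent and cwd assumed
        "CommandLine": r'"C:\Windows\System32\expand.exe" SpybotAntiBeacon-4.1-setup.jpg SpybotAntiBeacon-4.1-setup.exe',
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe",
        "CurrentDirectory": r"C:\Users\Admin\AppData\Local",
    },
    {  # constructed benign use: an administrator unpacking a cabinet into a folder
        "CommandLine": r'"C:\Windows\System32\expand.exe" -F:* C:\Windows\Temp\update.cab C:\Windows\Temp\out',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\Windows\Temp",
    },
    {  # constructed borderline use: MS-compressed file restored to an .exe in Downloads
        "CommandLine": r'"C:\Windows\System32\expand.exe" tool.ex_ tool.exe',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\Users\Bob\Downloads",
    },
    {  # constructed non-expand event; must be ignored
        "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\Bob",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(verdict(ev), classify_expand(ev), ev["CommandLine"])
```

The two report command lines score on all four properties; the cabinet-to-folder case scores on none, and the .ex_ to .exe restore in Downloads is left as "review" because a single property (an executable destination) is common in legitimate administration. Scoring on the resolved destination rather than the raw argument matters here, since both malicious invocations pass only bare file names.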
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 64KB
MD5 94e1adf26d5b376244529256db754967
SHA1 9203e37654eeacab29711f7e422b23404d33751e
SHA256 2868842b82167fb7cbc0c2138ddc1e6a224845f067a3dda661b966738abfae67
SHA512 9ce07f8b468928482a5c8dcd65199eccf7be16631ae3fe3fdf5e1b063078881f4abb2981d370b00e1ce396a48503708059de8e0691b2c49e9fc720ed9039c3a0

Filesize 1.1MB
MD5 d9f12fef3781a2e3b5e28b4081e47c79
SHA1 9cd746a3d95cb3b0faa193a590691917f7d7ee0c
SHA256 00abb5733cac11cc3bd3058825be5a441feb0c22b3114ce338f22a021e7259d9
SHA512 5b01011f232598df843d8255718929364e9e6a85d66e1bec5f0925d054fd016642a1e5d776e069b29aa836cff58b2e9d2629f716db4206001aaa71a6b4f17499

Filesize 896KB
MD5 c8c9dda242e5d0e628d2211d5feaf402
SHA1 3436658698cf1b13a9949665f6aa6ef10d08452a
SHA256 6c5a74297c89230d625d744f7ef26b4b76253a4cfadcc6352e5fae7d88c7992b
SHA512 1cae44ba3d8b12d75079042e0b01504662df5656398d050a93c302c831fc32fbeb9c9bd2c5cbb576a0c93dcd8df952c37f832d184e6005134a815d0756c1994f

Filesize 832KB
MD5 eeeb96586ff15a52b00d170acf01ae41
SHA1 56810676cfc6df2d602a4c7a489cd6e332a0239a
SHA256 b70280d0882494c60d41396b2266e30dd6a734503a76e4abedf08741644f7ca3
SHA512 841e08d9649f99ddd3562326b32e2e45e3fae7548c0f3699d5e7ed564198dd5288664eff28aed258e7b2218ca7a1608e3447434fa6f10b4428b9c48ba4141805

Filesize 2.7MB
MD5 cd0ce9ab05d7f430ef7a9522b4ca6eb6
SHA1 4869e62bc78a9962bc93bd2e4120a575cb575ae9
SHA256 d0c2cd75ff96655fc14e6d37e80fd83294fdff3648e13fc60f22eee5ef068e6d
SHA512 9f2f0c078c815acd1755d6c4e355e67c84bb27b03c747a8b0b77a636229f1d625fea75effebcfa168bf302a6d5b4c23e355e7fb47e35ea64afd555716d7fa112

Filesize 2.9MB
MD5 fc3482d28e8e5b379e140c2414e3158f
SHA1 7bc6ad015c69c9515ab515fd3eaff33ffe527dfe
SHA256 649a9557ea1675624308e97739d3d96a3c210bd77cff865c9fb0291535b2662a
SHA512 d2ac1aadbb64f2656ade0e127be628bf68f7bdc5e03758df53f6ab9be010c9b2690472466726f004d6006fa410eaae014c448400e5d7dc4f042f9ee4b496bf04

Filesize 15.3MB
MD5 940a53e55cdda4532d2dbfd4be274282
SHA1 85b316e65f690d89288bee35038f857b438b179b
SHA256 1d26ed3d653ed5a8e54110b762d52e6504372864a8981fecc886652c7631f984
SHA512 b9fae150cec1600e517b79917ddc79dff638f478a57e316bd4e3c4ffefeb7dc439fb5632794b848676944c11eaff6673bd43f54903a3a5d9cd9ee2cd11bd0fd5

Filesize 192KB
MD5 c116bb08878a3075ee92271e14f66ae9
SHA1 a6f53761b4eef8a4c43b0bff7a75ac652f9a5b12
SHA256 0d57b6567e694756013a6284f0eca9e10f9eb80039282ded977e0dc3f45e689d
SHA512 350efe34a6bb6255754319f4c4effcebc62f239ebd4d9bbc0854daf8f0217db0641b8ea759b41c26ff4c0821921032a117e948600121b46ef92faacb0193205d

Filesize 128KB
MD5 5fbf904a2900d3854d3ad5002d3dc152
SHA1 3a10ef83388bf6afbf8c94018462e34456e6dedc
SHA256 ba5730ef64ebfc72fd42de645729353be128ce43067505a14387a0633cd1e582
SHA512 f6d1f65725f3275e28d423c9e5fd930dd54a459092da5d0ab58c26f3a7813aa339c23088b79a6e774d5f42292c89171d0a3861160e68a5b96a69fb0ce6e1374f

Filesize 1.4MB
MD5 cc31487fbf802d8fc47660fb3a660942
SHA1 93a6b350893a198e5fb73277217b0419a0a396b4
SHA256 fef8c80bcaa8829fc2ead6f993343a0dd13b353df5fa5f39972011bcd7b2962f
SHA512 efd3519d5ea0ef25ed759e197be95a5921431c78364c9912ff6e4d3803737a4f76e0f65de9708b21083b7264cd69d8431bbdcec57d2c2576938965ca3fd32a28

Filesize 2.1MB
MD5 9d6157d3e10de1d7a96ec3a9cfc30258
SHA1 a7e173b7a32b68102d5805fad3a3fab33e78b9ab
SHA256 2c7e161dbce0eef0a1706f4cfe1a785943625bf3cd67842a081258892295395d
SHA512 5c599cfd986220d8d84ada740562a7a5b44747dde2fbcf0c6958de4e8f7fac61e28e3ff97f073be92b7cf91cb721ced7f89e27f3a1365bb456a0858db4dd60a2

Filesize 1.3MB
MD5 99640598d9aec850de1b0bcd440c81fb
SHA1 c81c5252644384db2a3d20db513bf5bdc92276c7
SHA256 17d5fa6dbc57247bef95ba3c3f9f301ed77c4adb11ae52d30459bcb2c61e73d0
SHA512 186a5ca935c7b1ebbc463c1089bd11c63c546e40d389570d70844bb5b96fb0c5813855d4b101fa0c12f136e0e3f7eedbace586500c035039f3afaafd4027e04c

Filesize 1.1MB
MD5 5e4f3e2181ffbf3caf74ab8dc8d2bff8
SHA1 804c7eb71fdb77104df7c867d41663c42b3f698b
SHA256 32106bf7859ec72794642ee3c6c6fd22e62383caa1dc5377252870763f9f30cf
SHA512 e91f02a182d5d7f1b98b560c58dc490b861f30aa546f6db7a0a639c30a365cd3ecb5161496ba167c83a718a44e84654beef01d29b6080eee59d8754cd125f0e4

Filesize 2.8MB
MD5 a561efe4b9659652d48ada9e40a61207
SHA1 4a70ae137675d140cde0a07fa0ccbbb3b942096b
SHA256 72654efdefaa159cde0b0197e09d71c40d30da310ac3089ea20ecd74185ff025
SHA512 8330ab0f566012db26fec01b69265efeea45b31ad604eec929610458b75e016d5364de2eed2fd32aa813af96ca72a002222dc56048a45990dfaa1058b2694a6d

Filesize 576KB
MD5 b85e1526dfb46e339eb265116922b918
SHA1 bcaeffaefc04f99c7dc1c3dbe0c01e77ef5a176c
SHA256 cc55190330cfeb39a75a5ce0706148cef5c00aa4efa491396396a14d25687d52
SHA512 f49d90d4618e01628e779a115ef933d8c199c3598a39ee4c38d0eb5569914b26cb9e32787f33bbfa0b5f43ef8908d7cded90b505a8aa0bbcfb55350686bdee19

Filesize 169KB
MD5 427a568d0f66768b79e9024d531b5c5e
SHA1 1d6f5db7a2c8d8757d3b65dc89b16b36ca2e7a95
SHA256 188bfb2969e7e7506ce6d79e5c77e1ccb1d3a65588d1549ad263ab1120ae7eaa
SHA512 06ae548a9ac242bdf4c80d49dc4ddc2775dd480ba1e8b7803509c093093606e8be1f48a2c7b8ca1aa7c78da4e3be53f818afd682ebec5f5a2a49801ad8c9e062