Analysis
-
max time kernel
80s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
-
submitted
04-04-2024 13:14
General
-
Target
setup.exe
-
Size
736.0MB
-
MD5
73e0b140c77442a77eb4ca4d42c0faaf
-
SHA1
2e62d30b2837ccf14cd45a90ae8d63a78ddd00a2
-
SHA256
fa5dc4671c6338f598367e382e64370063381b131a5cdc9e237742df4fb326b7
-
SHA512
e089f03706b4002e52f65157adaea76e7211822ca60c55baf6fe2018b08051e6ba0e499d54832390f0d819764fd7967eb2c470fefe9bd6e85b58c5d80fecf2fd
-
SSDEEP
98304:/Ewxwl8gfUbi8kKnUH9naKErAOUEsFUITL46KceYsL4NZsktqzEU3w/5:/HwCgfUbVrOFahVhs+ITHY4rEBw
Malware Config
Extracted
raccoon
fda6c8debb0b6b5a1d9698b54b255a7d
http://91.92.255.182:80/
-
user_agent
MrBidenNeverKnow
Signatures
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"2⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\SimpleAdobe\4guUMCP6IRGg0lf50sNU7_mM.exeC:\Users\Admin\Documents\SimpleAdobe\4guUMCP6IRGg0lf50sNU7_mM.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c move Evaluation Evaluation.bat && Evaluation.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"5⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 306335⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BabesSalvationCarriesBabes" Drawings5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 30633\Mentor.pif + Adjacent + Captured + Sacred + Vagina + Lafayette + Surveys 30633\Mentor.pif5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Counting + Francisco + Honda 30633\o5⤵
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pif30633\Mentor.pif 30633\o5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.15⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pifC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pifC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pifC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\30633\Mentor.pif2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD532e8980ec2bf314de3f9626d8a1e2e5c
SHA1b1cc6c8e1cbe65810b3906c6426f15c0e02d1b56
SHA256fcdfe4b919023c5f37a23742ba5221482458d2817b81636e9bbd9e2a2363b9f5
SHA512e9b867c0e352b667e710d0dd49b42983dfe96423a90fa26ca46aea42df1e698d9e5d59866fa20a1553b81536b988078e37b25817ddf6cb593482abcb76bd28e3
-
Filesize
220KB
MD56f58d9cf9e3305acdccfb422f76a4e85
SHA17fc8795c5771a8b91320e5992d2f884bb57f9a83
SHA256c69c27ae9c2d90923b65b445f2315bc3a9126cb5e77c4eb80404f24eab0d1dd7
SHA51281e351303f9924e9b2298d46c18a819e6a309d58631e86409614342481f1cbc96d3bcf9e82cef5068cbe37aa7169004391b3b31815ff6a3f4fa8f304efabb9dd
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
14B
MD531e58e7820d68b99cbe79fafaa648de8
SHA1910fe879c305978c20b93b8ac8c25d829233d9bc
SHA256aa28297aaf8306156db4f96c282b83b4cd80543e680aad6d424de88b22f8ec57
SHA5122f5c696266f0f5f6a734bc55a23d775b15343ce66d2bcf6503008d406762ad1eb659d914293cb7095deb579366ee3bf05d84e6a038736cf925bf3094f3e45de1
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
526KB
MD5dd2acdef84b287794876c92c2a735aec
SHA11ff96f7a71f808ddaa2fc197b6299532a8fcd0fb
SHA2563a149e1f3ec43f37fb419affaf175870725b78b8fd5e42019fe6a988823d7282
SHA512664ad38efc6be0fe5a16d3670c564064d19fc27bc56397da8f798f7bb9bfcccb92e6f4b05d2f399a838dce1bff860b4e678f112b6eb90db9d3e97996f01e1524
-
Filesize
64KB
MD57474db7b5f39b27e7fbce6e370b4bf66
SHA1d4d7c4d41bded1c9d8959017cfa7846e435d93bd
SHA2560efd0625b7921c18935c66adb4b3a653a913ecd90ab3b8b1983ff4101479605f
SHA5123247a749ddde2e80cc2d1b5f9c47d5ce4af2389da59de3360d8cbc60445bd593c5fc3270fb1eb156a344d69cc00b88e02feb6600998f4e7323f4ae3219aa273a
-
Filesize
131KB
MD588edf7bb55387e597f59684273f66bb3
SHA199786b34a5db73c85a43cd4c18a8c085fed5ab89
SHA256f61189f0f701466dcc3e2f6a8e411e7878cbf9ba6bba49917d612c19b1cc6a23
SHA51284689a3c6d933710dffc4d80c0b41820a8e5a6309ba6979d07e22a638aa4db143f00ad80388871e444c3edf5332f471ec0db227ea97a3f0df2c9e2cdc5f3dd42
-
Filesize
281KB
MD5a262219e61af791c944a87d07bac0075
SHA1d74aeaa010271d13e1edc54bc73601e57f020c49
SHA2560177bcf1e6862c139fae08a9c6027f68989b4f68a239b64fab7449d1c421ddc0
SHA512116ce3a1349a17f8b14a5c2a35af9008d8ffbdeae5e3b2a22f9cedbb18f2af564cc8b7762b30c643265eb16907df02a5c75fb3d141db0646f46bf777b855febb
-
Filesize
42B
MD5477a08320d6c6e2f4512d40eb08713b1
SHA17be0348f77ae584c1ef6b8de1321473da3f9aa3c
SHA256027643fd5055f08abd161719191a2ac764cdf555d452da6cb84ecfd557144529
SHA5121bebae844d70507826ca40d135d12172aba7c23c5ed6cd7f2a3d229dc8e137e641a527b63e1474a4f0e4849568aa6ce6fd3d1276772d75b7f597d6b0a51d01c0
-
Filesize
21KB
MD5b647cde3038a87c2498edec310305673
SHA16fcc09d2c62d284b66926d3605aff5510e7e9453
SHA2565c67bac057822f53f941200e27d24c5277ac742b78b3c3f5958a74a33c49b38d
SHA512db701f47fee7344c4331664ce7a0187e6b9e9d47bab386665d64a61ca3a21de24af193dd1b485fdea8a003e4cb859bee73b2ddb7e3304719df1ab3446a367482
-
Filesize
210KB
MD51bd18404bd951a8deb7845f75a6399f9
SHA1748f9977c0e7d628bad8d3d8e827100b6590cb4d
SHA25616f684e24d64d7102f8ca4feddbbc6764fc405cc3688353baa3c086f98fda1cb
SHA512b00b38068cbc363e7fd5ff4038610f56828ffe13fb7ab78b6103baf6efeb05d4e9024e7383b8b6c73a010bce87f978e163685df6f3801aaa34f5da940aac6bbe
-
Filesize
35KB
MD559c2b53fe828fde64bd2a39a5de07ee9
SHA12ed2c83a393b5e30131acaf57893dd46c1084b52
SHA2566a258a819e64d26e05f34edadd0ef7e11f58cf4d68f60aba82a71f5236e9f9eb
SHA51228f667142fb539194d66503ecbfe9ee8fdb35dbd9324b4fb27ee0b6d2b76150f0a2751d825cc11314ae42f4d30b8e2c6a941c72a3cf72126391c48a4e3437998
-
Filesize
200KB
MD54db90c416a38e4572abf3261e5dacf6a
SHA13d721f9c266090469bc46f9f3616d47611492038
SHA2563ed0263be62819660e0fd37e95ab71b30ab8409348ac4f7ed11bcba0235d570d
SHA512bd97959b027988a888010553e7fa424a8c38a7cccfd951e1b9222e5e16ce745e2a657b4dbc9238e5e8c84f66f1c238e999eba45e639f00cc928d2e5e5d66c25a
-
Filesize
125KB
MD5c68b90b18096cedb29d5dd73790b6b05
SHA100f7a79c3bb847352a8b9ef73a24bcb039890e07
SHA256f68e29a0f0c076fb5a3539f51168a73692c118cb861f3b814339a1eac86ce923
SHA512d4df00de092bebe44e13b06587052465b73e67abd5502cac1e50019d7f008e57b74352b0263d986aa95fd7a1d57bb19778661feae5305544e6a33605dd764415
-
Filesize
131KB
MD55bf3a39ef1e55247138748c2975a6873
SHA160d6c0a87fad62c31824f31c6def118541749698
SHA25610609820e62098fd90b9344a9ece578451f913433fc8b53dbab9007db210fdb7
SHA5122d9740527edfb51702f8b7c6c4123f530f559dada973455533f493dee2c5ebdcd1de47d9d47e4b35a2bf850d5c244c9fe59a497ad27f24648a848ca52221129b
-
Filesize
270KB
MD575e4a838cff0be8ef793640d1011129c
SHA19788327d28e5c5fb43d03856f395a863f7ecf9a0
SHA2563bbf6b504ffec824edc168cb1a11121a5b360361ee192f5923aa11e9afe985e0
SHA51219f1a02ded1f1b79823eb6c6a5e4790412dab2a5395ac83e6ec6e5639fce642f45bb7403b995152dee31c2454063ac7da389676b3605fb57d2950440f7bb4a2e
-
Filesize
718KB
MD51bf24ce8b5e34930932432d626fac06d
SHA132276318f55c1118980f98377968de0f78c9227e
SHA256de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
SHA512d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
10.0MB
-
Filesize
8KB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB