Analysis
-
max time kernel
193s -
max time network
255s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
-
submitted
29-04-2024 04:04
Static task
static1
Behavioral task
behavioral1
Sample
d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe
Resource
win10-20240404-en
General
-
Target
d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe
-
Size
662KB
-
MD5
f99b2b80dc83b0d952687d771833164c
-
SHA1
e872f0b4be582132c9486b0c5b86f56b12ed677e
-
SHA256
d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7
-
SHA512
8d3af87306d1196862d681c0ae20cba17606e3b1c3a7a441b9739cbd71417088622b977dae9e084a3feb589a73681a2763259f20e1901eaae332ce62c3549add
-
SSDEEP
12288:8bbrYKOCV65d6qGwqa2tqftXPoZe7YUWWd/v4ibj2xy/2+VDRceX+:8bfjOF76qGwbnVP7WWxv48j2xy/2+VH+
Malware Config
Extracted
family: raccoon
config string: fda6c8debb0b6b5a1d9698b54b255a7d
C2 URL: http://91.92.255.182:80/
user_agent: MrBidenNeverKnow
-
Signatures
-
Raccoon Stealer V2 payload 2 IoCs
resource | yara_rule
behavioral2/memory/2136-29-0x0000000000400000-0x0000000000416000-memory.dmp | family_raccoon_v2
behavioral2/memory/2136-31-0x0000000000400000-0x0000000000416000-memory.dmp | family_raccoon_v2
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4940 created 3392 | 4940 | Charger.pif | 54
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid | Process
4940 | Charger.pif
2136 | Charger.pif
-
Loads dropped DLL 3 IoCs
pid | Process
2136 | Charger.pif (3 events)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4940 set thread context of 2136 | 4940 | Charger.pif | 85
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
1288 | tasklist.exe
3124 | tasklist.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1724 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
4940 | Charger.pif (8 events)
2136 | Charger.pif (14 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1288 | tasklist.exe
Token: SeDebugPrivilege | 3124 | tasklist.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
4940 | Charger.pif (3 events)
-
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
4940 | Charger.pif (3 events)
-
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 4384 wrote to memory of 2592 | 4384 | d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe | 73 (3 events)
PID 2592 wrote to memory of 1288 | 2592 | cmd.exe | 75 (3 events)
PID 2592 wrote to memory of 3376 | 2592 | cmd.exe | 76 (3 events)
PID 2592 wrote to memory of 3124 | 2592 | cmd.exe | 78 (3 events)
PID 2592 wrote to memory of 4244 | 2592 | cmd.exe | 79 (3 events)
PID 2592 wrote to memory of 1496 | 2592 | cmd.exe | 80 (3 events)
PID 2592 wrote to memory of 4520 | 2592 | cmd.exe | 81 (3 events)
PID 2592 wrote to memory of 4300 | 2592 | cmd.exe | 82 (3 events)
PID 2592 wrote to memory of 4940 | 2592 | cmd.exe | 83 (3 events)
PID 2592 wrote to memory of 1724 | 2592 | cmd.exe | 84 (3 events)
PID 4940 wrote to memory of 2136 | 4940 | Charger.pif | 85 (5 events)
-
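The NtCreateUserProcessOtherParentProcess, WriteProcessMemory and SetThreadContext signatures above describe one sequence: Charger.pif (PID 4940) starts a second copy of itself (PID 2136) with Explorer (PID 3392) as the recorded parent, writes into it five times and then redirects its thread context, after which the YARA hits for Raccoon V2 appear in the child's memory. The following is an added example for this report, not code from the sandbox or the sample: it correlates three constructed event streams modelled on those signatures (creations carrying both the recorded parent and the pid that issued the create call, remote writes, and SetThreadContext calls) and flags parent spoofing and the write-then-redirect pattern of process hollowing. The dataclass and function names are this example's own; the `creator_pid` of 2136 is read from the signature and the tree, not from a field the report prints.

```python
"""Correlate the parent-spoofing and SetThreadContext signatures listed above.

Added example for this report, not code from the sandbox or the sample. The
event lists below are constructed from the report's PIDs; field names are
this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Create:
    pid: int
    recorded_ppid: int   # parent shown in the process tree
    creator_pid: int     # process that actually issued the create call
    image: str


@dataclass(frozen=True)
class RemoteOp:
    kind: str            # "WriteProcessMemory" or "SetThreadContext"
    source_pid: int
    target_pid: int


CHARGER = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\597425\Charger.pif"

# Constructed from the report: Charger.pif (4940) created a second Charger.pif
# (2136) whose recorded parent is Explorer (3392), wrote to it five times and
# then set its thread context.
CREATES = [
    Create(4940, 2592, 2592, CHARGER),
    Create(2136, 3392, 4940, CHARGER),
]
REMOTE_OPS = [RemoteOp("WriteProcessMemory", 4940, 2136)] * 5 + [
    RemoteOp("SetThreadContext", 4940, 2136),
]


def detect_parent_spoofing(creates):
    """Return {pid: (recorded_ppid, creator_pid)} for every creation where the two disagree."""
    return {c.pid: (c.recorded_ppid, c.creator_pid)
            for c in creates if c.recorded_ppid != c.creator_pid}


def detect_hollowing(creates, ops):
    """Return {victim_pid: injector_pid} for processes that received both remote
    memory writes and a SetThreadContext call from the process that created them."""
    by_pid = {c.pid: c for c in creates}
    seen = defaultdict(set)
    for op in ops:
        seen[(op.source_pid, op.target_pid)].add(op.kind)
    return {dst: src for (src, dst), kinds in seen.items()
            if dst in by_pid and by_pid[dst].creator_pid == src
            and {"WriteProcessMemory", "SetThreadContext"} <= kinds}


def triage(creates, ops):
    """One record per suspicious pid: spoofed parent (if any), injector (if any),
    and whether the injector launched a copy of its own image, as in this report."""
    by_pid = {c.pid: c for c in creates}
    spoofed = detect_parent_spoofing(creates)
    hollowed = detect_hollowing(creates, ops)
    out = {}
    for pid in set(spoofed) | set(hollowed):
        src = hollowed.get(pid)
        out[pid] = {
            "spoofed_parent": spoofed.get(pid),
            "hollowed_by": src,
            "same_image_as_injector": (src in by_pid
                                       and by_pid[src].image == by_pid[pid].image),
        }
    return out


if __name__ == "__main__":
    for pid, record in triage(CREATES, REMOTE_OPS).items():
        print(pid, record)
```

Sysmon Event ID 1 records only the parent the OS reports, so it cannot populate `creator_pid` on its own; kernel process-start telemetry (for instance the ETW Microsoft-Windows-Kernel-Process provider, whose event header carries the calling process while the payload carries the recorded parent) is what makes the creator-versus-parent comparison possible. Requiring both a write and a context change from the creator keeps ordinary debuggers and installers, which do one or the other, out of the hollowing result.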
Processes (indentation shows parent/child depth as recorded by the sandbox)

C:\Windows\Explorer.EXE (depth 1, PID 3392)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe (depth 2, PID 4384)
    command line: "C:\Users\Admin\AppData\Local\Temp\d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2592)
      command line: "C:\Windows\system32\cmd.exe" /c move Emotions Emotions.bat && Emotions.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe (depth 4, PID 1288)
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe (depth 4, PID 3376)
        command line: findstr /I "wrsa.exe opssvc.exe"

      C:\Windows\SysWOW64\tasklist.exe (depth 4, PID 3124)
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe (depth 4, PID 4244)
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1496)
        command line: cmd /c md 597425

      C:\Windows\SysWOW64\findstr.exe (depth 4, PID 4520)
        command line: findstr /V "MasBathroomsCompoundInjection" Participants

      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 4300)
        command line: cmd /c copy /b Backgrounds + Edges + Nickname 597425\M

      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\597425\Charger.pif (depth 4, PID 4940)
        command line: 597425\Charger.pif 597425\M
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE (depth 4, PID 1724)
        command line: ping -n 5 127.0.0.1
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\597425\Charger.pif (depth 2, PID 2136; recorded parent is Explorer.EXE, cf. the NtCreateUserProcessOtherParentProcess signature for PID 4940)
    command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\597425\Charger.pif
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
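The tree above is a batch-file loader: an extensionless drop is renamed to Emotions.bat and run; tasklist piped through findstr looks for six security-product processes; findstr /V strips a marker line out of one file and copy /b joins three others into 597425\M; the renamed Charger.pif in INetCache is then started with that file, and ping -n 5 127.0.0.1 serves as a delay. Every one of those steps is individually common, so the detection that works is a chain match on the cmd.exe that hosts the batch. The following is an added example for this report, not code from the sandbox or the sample: it runs simple per-process rules over constructed Sysmon-style process-creation records rebuilt from the tree (the field and rule names are this example's own) and alerts only when the same batch host trips several rules, which also generalizes to other loaders using the same recipe.

```python
"""Flag the batch-loader chain shown in the process tree above.

Added example for this report, not code from the sandbox or the sample. The
events below are constructed Sysmon-style ProcessCreate records rebuilt from
the report's process tree; field names and rule names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process image
    cmdline: str    # command line as logged


# Names the loader greps for with tasklist | findstr; all are security-product
# processes (Webroot, Quick Heal, Avast, AVG, Norton, Sophos).
AV_PROCESSES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                "nswscsvc.exe", "sophoshealth.exe"}


def _image_is(ev, name):
    return ev.image.lower().endswith(name)


def rename_to_bat(ev):
    # "move X X.bat && X.bat": an extensionless drop renamed and run as a batch file
    return _image_is(ev, "cmd.exe") and re.search(
        r"\bmove\s+(\S+)\s+\1\.bat\b.*&&", ev.cmdline, re.I) is not None


def av_process_discovery(ev):
    tokens = {t.strip('"').lower() for t in ev.cmdline.split()}
    return _image_is(ev, "findstr.exe") and bool(tokens & AV_PROCESSES)


def marker_strip(ev):
    # findstr /V "<marker>" <file>: drops a marker line to rebuild a payload file
    return _image_is(ev, "findstr.exe") and re.search(
        r'/V\s+"[^"]+"\s+\S+', ev.cmdline, re.I) is not None


def binary_concat(ev):
    # copy /b A + B + C dest: reassembles a payload split across several drops
    return _image_is(ev, "cmd.exe") and re.search(
        r"\bcopy\s+/b\s+\S+(\s*\+\s*\S+){2,}", ev.cmdline, re.I) is not None


def pif_from_user_cache(ev):
    img = ev.image.lower()
    return img.endswith(".pif") and ("\\inetcache\\" in img or "\\temp\\" in img)


def ping_sleep(ev):
    # ping -n N 127.0.0.1 is the usual batch-file sleep
    return _image_is(ev, "ping.exe") and re.search(
        r"-n\s+\d+\s+127\.0\.0\.1", ev.cmdline) is not None


RULES = [rename_to_bat, av_process_discovery, marker_strip,
         binary_concat, pif_from_user_cache, ping_sleep]


def _batch_host(ev, by_pid):
    """Walk up to the cmd.exe running a .bat; fall back to the direct parent."""
    cur, visited = ev, set()
    while cur is not None and cur.pid not in visited:
        visited.add(cur.pid)
        if _image_is(cur, "cmd.exe") and ".bat" in cur.cmdline.lower():
            return cur.pid
        cur = by_pid.get(cur.ppid)
    return ev.ppid


def analyze(events, min_rules=3):
    """Return {batch_host_pid: {rule names}} for hosts whose chain trips >= min_rules rules."""
    by_pid = {ev.pid: ev for ev in events}
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits[_batch_host(ev, by_pid)].add(rule.__name__)
    return {pid: names for pid, names in hits.items() if len(names) >= min_rules}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe"
CACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\597425\Charger.pif"
SYS = r"C:\Windows\SysWOW64"

# Constructed from the report's process tree (PIDs and command lines as shown there).
SAMPLE_EVENTS = [
    ProcEvent(3392, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4384, 3392, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2592, 4384, SYS + r"\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c move Emotions Emotions.bat && Emotions.bat'),
    ProcEvent(1288, 2592, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(3376, 2592, SYS + r"\findstr.exe", r'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(3124, 2592, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(4244, 2592, SYS + r"\findstr.exe",
              r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(1496, 2592, SYS + r"\cmd.exe", r"cmd /c md 597425"),
    ProcEvent(4520, 2592, SYS + r"\findstr.exe",
              r'findstr /V "MasBathroomsCompoundInjection" Participants'),
    ProcEvent(4300, 2592, SYS + r"\cmd.exe", r"cmd /c copy /b Backgrounds + Edges + Nickname 597425\M"),
    ProcEvent(4940, 2592, CACHE, r"597425\Charger.pif 597425\M"),
    ProcEvent(1724, 2592, SYS + r"\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(2136, 3392, CACHE, CACHE),   # recorded parent is Explorer, not 4940
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

With the sample events only the batch host PID 2592 crosses the threshold, carrying all six rule names; the second Charger.pif (PID 2136) trips one rule on its own and is attributed to Explorer because its recorded parent is not a batch host, which is why it only shows up when `min_rules` is lowered to 1. Any one of these rules fires on benign administration; the value is in requiring several from the same cmd.exe.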
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 92KB
MD5 55d8864e58f075cbe2dbd43a1b2908a9
SHA1 0d7129d95fa2ddb7fde828b22441dc53dffc5594
SHA256 e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581
SHA512 89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e
-
Filesize 872KB
MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
Filesize 519KB
MD5 7c5ed078b300bfd41c2f2be650f83e24
SHA1 09799ee052fa57c3333cc6f5c58788f0b884d86f
SHA256 d06eb6f7a46b61f804c21afb09a0db9b6306bd246d2c96573a392059d9e4071d
SHA512 aab8e4116d0a19f746fa6c86a6dd449dc9d6f1145411a87de5977811dd693c45c7155e35f014a9c5b0cc5fc42d26f000e8feaeb4d5041f70f111b07a3ec24c4f
-
Filesize 36KB
MD5 d9d6a3460990a42ade831c4f7f7437a6
SHA1 c2ab0df446c2c132102efabc609f3291a2715aa7
SHA256 9c324f460ef8700f418cce50ae0bbeb32dbc49ca777296e86c10a81d62fc9f45
SHA512 ca46b375389e911cca756db6daa175bfb1ca86ebe24b8874759d835a8cf757bb44f8f4883862058cfafea355c814ac19312fea5c652601d0a6474116b3e5e4b1
-
Filesize 241KB
MD5 6bf1c1088a981a2555762644aceeb6a5
SHA1 d9f7d752cecc77055aabc70a47f14faba6ff9930
SHA256 2237b106c8d68de4e780b4d9a2dbdcaf4506fe20e8849771242385ccd5ccebf7
SHA512 c90a16b79e794f22bff35fe2053e568f8f8b973d920c0edcc155ecc4b98f8defeaea4bb17969b62bb7d8aef23f438de62aa5af63acb7d2ae5986224eb3ae3e19
-
Filesize 238KB
MD5 c8dad0972e84ff06e30fa5f0b8fef14c
SHA1 c9d3639e1a944e4c1ecedb3eb354c1c4da620685
SHA256 e93ee562a4599496902b3cae11cbe66a3813129403ab65d5bbd7cfc8c86cecb9
SHA512 e6287b511382712021903d3a448e5c1bf7ab7da99f552049739f21cae1f9f344220a296407ada97fddf1914cee7b27f559df196d2cfe01d1392d12b139facaad
-
Filesize 11KB
MD5 3f107a3b8e1d4b89f3e5c439a14203b7
SHA1 72e8db12eb6bec8540fb78dd78b2f456fd004f39
SHA256 0e393766f3291a44b595dc4054e651cd4fa6f1889a6258a064de4044ea71fb5d
SHA512 5599b71f4f3a2351454ab971477185d127efc2e9cce0ec74d85e8f62756345aa029dc8cc6544509057b57213b59491963339e7a4a0ae185f652a822cbfd0b60c
-
Filesize 246KB
MD5 409a158f87de7837cec1180605037444
SHA1 23836475f5d95963b17af723cc1bd12de0953882
SHA256 eb862406e00e638fafd9da4e129600d4b991b4c503c7096cbf83e474cd87f3b2
SHA512 cb303fe7796ef470f347cfdc2af2878f3821a56ec4d70856c522587a1b275deb0200bb5486dba86ce9f887a06591025a3a03127a8d84b7aa41af62995e802ab7
-
Filesize 206KB
MD5 f1506cf5185cca69ed2ecd51d9fd32e4
SHA1 89a5857bfc4d86007f881939ee95993ae786983a
SHA256 c927373ba2ffeb419ee2d6eb3eaa5dc5d3b5fe88b28f2d349577ad55638aa9a0
SHA512 cda4645edabe6e666fc73f2400d7930080925bc675e5f3c9b8c2b6a33740048d89dc749df4c49c8e301f213f470769346623a98f9820208600548e0144b85837
-
Filesize 40KB
MD5 a674cbcb88ac4a8dea6950ac6f9a6181
SHA1 52d526ef0983ab4bf1225ca33caa03c04ace6545
SHA256 66653db2f26326c3ee4594cc1c91eea94903d21b9728449eb256b88d86158e51
SHA512 0c1c928d18598dbd2a0c0e6a6814d11031c173713dcaa96a3fa97a99b8bcb85d9cd6d84d5879c7f91e9e616e1e9fcab2bc7ee560206c222eef97dc226fcfec96
-
Filesize 227B
MD5 82a38745ff9cefa0859b47b8bd69f535
SHA1 6f97750b298ed3f3910e5aa4044b91e7409db9d2
SHA256 92f1df88e0467d0284f1de3e6d30bcf41b0ed56e055719872754627a2b4bb470
SHA512 d22a5ddfacf8c00cde7c3fa27612ca386ae68f79b9c93b52d40be33d584eaf3c18b100da9ad6ba4efacef1cba4fa5d1665e4c3004454f0eb41c3051b98c60569
-
Filesize 158KB
MD5 64e49019d7b6aa5eeadc5c16fab4ae67
SHA1 f17af83315cc069f579c489aa25af18c1d92c43d
SHA256 2c79488d71f17be266a4b5cd5f974f222f10949bfeed329a1e10cb5c362e40d7
SHA512 6711042eb60320517e3b486c3126a412e2c7ff298bd06fc07f08418c6921cbbdb2135511ee4d06779b7e0eb8adc3f77a72ea715501a7bba17e698fd3a0c46b18
-
Filesize 226KB
MD5 a0846c9713cba3474dadfde61236bcbd
SHA1 7c70d7322205b1f2af16fa877e3f59ff8b196d84
SHA256 28fc13233e87d8e4b95ce98a910c43c81f7b5d42cbf166bd85c54f9aaea44292
SHA512 c92655731ddb3254fdca98602c9f47a390bd191a9bf8cc0627fa17fb340d50d4221921bbc93ae5c409558d61e0d261e51c26e1d4046d8ef9e455ac721b140009
-
Filesize 612KB
MD5 f07d9977430e762b563eaadc2b94bbfa
SHA1 da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize 1.9MB
MD5 f67d08e8c02574cbc2f1122c53bfb976
SHA1 6522992957e7e4d074947cad63189f308a80fcf2
SHA256 c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize 1.0MB
MD5 dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1 bbac1dd8a07c6069415c04b62747d794736d0689
SHA256 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512 b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1