raccoon | d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248

Analysis

max time kernel
150s
max time network
95s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
Size

12.5MB
MD5

bb619be51f4802c7a898ae74c5d1eabe
SHA1

786d74917eda2e000a65806eda9734d33d20399c
SHA256

d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248
SHA512

88ccbc59ba122ffe3a8ee65bf93ec7b40210bb69f35d4aae8edb907a76a824abd7b71f5ac35972ce59c7f89c96cfe7ac92aca903b4d78ff0b15d5617a2a5c905
SSDEEP

393216:yGEDG5J4uYTKWl+IEDHCYMF7FjrBcmAT4ejQe:y1a7gTKw+/DHtGimzze

Score

10^/10

raccoon 517bb0d640c1242c3f069aab3d1018d6 defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

517bb0d640c1242c3f069aab3d1018d6

http://51.195.166.178/

http://5.252.177.22

Attributes

user_agent
x

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

resource	yara_rule
behavioral1/memory/2944-101-0x0000000000400000-0x0000000000DAB000-memory.dmp	family_raccoon_v2

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 5 IoCs

pid	Process
2792	Logo1_.exe
2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
2944	fdioadhvsbljrhnwpp.c.exe
3044	RedGiant Activation Service Unlocker 2023.1.2.exe
1700	RedGiant Activation Service Unlocker 2023.1.2.tmp

Loads dropped DLL 3 IoCs

pid	Process
2772	cmd.exe
3044	RedGiant Activation Service Unlocker 2023.1.2.exe
1700	RedGiant Activation Service Unlocker 2023.1.2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
File created	C:\Windows\Logo1_.exe	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedGiant Activation Service Unlocker 2023.1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdioadhvsbljrhnwpp.c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedGiant Activation Service Unlocker 2023.1.2.tmp

Runs net.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2792	Logo1_.exe
2108	powershell.exe
2944	fdioadhvsbljrhnwpp.c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	RedGiant Activation Service Unlocker 2023.1.2.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 112	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	29
PID 904 wrote to memory of 112	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	29
PID 904 wrote to memory of 112	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	29
PID 904 wrote to memory of 112	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	29
PID 112 wrote to memory of 2372	112	net.exe	31
PID 112 wrote to memory of 2372	112	net.exe	31
PID 112 wrote to memory of 2372	112	net.exe	31
PID 112 wrote to memory of 2372	112	net.exe	31
PID 904 wrote to memory of 2772	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	32
PID 904 wrote to memory of 2772	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	32
PID 904 wrote to memory of 2772	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	32
PID 904 wrote to memory of 2772	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	32
PID 904 wrote to memory of 2792	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	34
PID 904 wrote to memory of 2792	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	34
PID 904 wrote to memory of 2792	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	34
PID 904 wrote to memory of 2792	904	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	34
PID 2792 wrote to memory of 2856	2792	Logo1_.exe	35
PID 2792 wrote to memory of 2856	2792	Logo1_.exe	35
PID 2792 wrote to memory of 2856	2792	Logo1_.exe	35
PID 2792 wrote to memory of 2856	2792	Logo1_.exe	35
PID 2856 wrote to memory of 2832	2856	net.exe	37
PID 2856 wrote to memory of 2832	2856	net.exe	37
PID 2856 wrote to memory of 2832	2856	net.exe	37
PID 2856 wrote to memory of 2832	2856	net.exe	37
PID 2772 wrote to memory of 2740	2772	cmd.exe	38
PID 2772 wrote to memory of 2740	2772	cmd.exe	38
PID 2772 wrote to memory of 2740	2772	cmd.exe	38
PID 2772 wrote to memory of 2740	2772	cmd.exe	38
PID 2792 wrote to memory of 2612	2792	Logo1_.exe	39
PID 2792 wrote to memory of 2612	2792	Logo1_.exe	39
PID 2792 wrote to memory of 2612	2792	Logo1_.exe	39
PID 2792 wrote to memory of 2612	2792	Logo1_.exe	39
PID 2612 wrote to memory of 2692	2612	net.exe	41
PID 2612 wrote to memory of 2692	2612	net.exe	41
PID 2612 wrote to memory of 2692	2612	net.exe	41
PID 2612 wrote to memory of 2692	2612	net.exe	41
PID 2792 wrote to memory of 1200	2792	Logo1_.exe	20
PID 2792 wrote to memory of 1200	2792	Logo1_.exe	20
PID 2740 wrote to memory of 2108	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	42
PID 2740 wrote to memory of 2108	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	42
PID 2740 wrote to memory of 2108	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	42
PID 2740 wrote to memory of 2944	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	44
PID 2740 wrote to memory of 2944	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	44
PID 2740 wrote to memory of 2944	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	44
PID 2740 wrote to memory of 2944	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	44
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 2740 wrote to memory of 3044	2740	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	45
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46
PID 3044 wrote to memory of 1700	3044	RedGiant Activation Service Unlocker 2023.1.2.exe	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
  "C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9D29.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
      "C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAFgAZgB4AGcAcwAjAD4AQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBYAHkAdwBuAHkAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBYAHkAeQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFgAbQBhAGQAagB4ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Users\Admin\AppData\Roaming\fdioadhvsbljrhnwpp.c.exe
        
        C:\Users\Admin\AppData\Roaming\fdioadhvsbljrhnwpp.c.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
    - - C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe
        
        "C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\is-IE4O4.tmp\RedGiant Activation Service Unlocker 2023.1.2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IE4O4.tmp\RedGiant Activation Service Unlocker 2023.1.2.tmp" /SL5="$90116,4730505,799744,C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
251266ebdba8eb37fc9191cf6bb88827

SHA1
528c138cbe80ad164f12c5a1d785a7e257a0121a

SHA256
f0074146b909feb2fcad4cf0082001e44dddd418c36a839a2b6654983d908897

SHA512
aa242db5a920b98164870844ddcf7efcca4bae35f1a5ef6ce711a0cc97880aa09d8da3445f91ff201035702ab9fa9a6ea51553f4a34207310bf16bbeceed9b49

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
88ad7d8fda8f28f4158674f703593beb

SHA1
0d46d32eaa5443394fc3ed2d7b9fa9bdb741f638

SHA256
b36756dce5da5d35e9a1b9dda1ccd8022a20a80db95c0e6674685bdf5725b5b4

SHA512
968b4beae8303f103d16cf1d74e4f4837c3351b8633d71947a9d0735d74677cf52d72a573887d4dce99c680b63f8d8a7c6eec90f2cd1a35e884eaa0943e24b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9D29.bat

Filesize
722B

MD5
10f3c4e7d4e25d73b54dda8542ab0003

SHA1
402c5f34db430d5c6505f175b9ca2f8b2464225d

SHA256
65b74694e6efd42226cdc57acc1322f77f3824bbeff16008e537eda5ed6c263f

SHA512
0d33c581db51c0c62fb72b1c81f6e013286cc2a84422c48a26787e0595810e032f9ada9e937cb63706641f360b78b2a7380829f02c52bb94be5852c858f42e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe.exe

Filesize
12.5MB

MD5
2f68989638c0e6124cc0525417001ace

SHA1
0d916a356cd385959dbc314fa126419733aa4dfa

SHA256
29e8fccc4020e6cd7f56c57bc966859d225b00b34879e1d931482aa0e005bf02

SHA512
53927c018ce5c9e5908b2516983408d9ceae4baddcdc1bf4ba04dea00d8de67a6bf664fd7f27ac22d4503f147528b0abe0a0b5199c2a6f4de315b8b08a6ef7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IE4O4.tmp\RedGiant Activation Service Unlocker 2023.1.2.tmp

Filesize
3.0MB

MD5
9ff8be30eebc2a9b6dc5a804f29531e9

SHA1
d60abf4909f8d3ea14795909d00cf0ae0742c354

SHA256
186253b7a1b9c4b1c67f443de5f2082c0131a6cebdb91966cd89dfe5d059f818

SHA512
f5c275635c9ed1b2ac15c5389bb04271911ec19cb4f67e614849f667d61e9eb523050ebec8bd94ad9934a56f8b06cfacfe868a90b07599e3bcd55d16732ce11f

Download Submit
C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe

Filesize
5.4MB

MD5
b304606be450eecc3d74798b31bd2488

SHA1
fd395643473f33dff91302fa0e96576d004625f0

SHA256
80a350ee738eb51b11204cfc7a049dcbd0280cee951416d3f2947e5d261ba8e6

SHA512
722389462b32245c5b7e5708b729bb254fd167d23c09cd0fe21d43ffb741e278b20f707bd64dc8f5b6e3c6c5f8946ea701e9d5f4d5d2bbc3e57f38fbc851f41b

Download Submit
C:\Users\Admin\AppData\Roaming\fdioadhvsbljrhnwpp.c.exe

Filesize
6.2MB

MD5
e312dd005a48906180a3f6baecdc2785

SHA1
0f3f16547903f9fb5c9b39dbfc0699e416202814

SHA256
a1358ad86b3fa37548bb2534e3719661e1938dbcaf9cd5b0542e56df1750e4e4

SHA512
613c2c1ba044b4b84ae368e75fa4b011539c1adba11199ee3aa310e4cbac30112afe24bc6cc67ff125663e5460b6d6116abe9738ed0d1a0b31f6808b82494a45

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d2951ddc3b3d2d7856a44d7e47c5393e

SHA1
2d387f9dbb5bb22b9caddb65067a8b82ff233696

SHA256
947bc93ef7df82923137c892303eed1de630f9f2c26cd77da3a994f0033914be

SHA512
fd4728a01890bbae63434001ee651583c91e331d333da82634b3630f9208f052b5201d3477b85ff7bff6e8d16c8b5ee12f30e56b6cc72bf8d6fb139729914cad

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
832B

MD5
7e3a0edd0c6cd8316f4b6c159d5167a1

SHA1
753428b4736ffb2c9e3eb50f89255b212768c55a

SHA256
1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

SHA512
9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

Filesize
9B

MD5
f74f4ac317419affe59fa4d389dd7e7c

SHA1
010f494382d5a64298702fe3732c9b96f438c653

SHA256
74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

SHA512
f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

Download Submit
\Users\Admin\AppData\Local\Temp\is-AB5C9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/904-18-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/904-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/904-17-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/904-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1200-33-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1700-105-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2108-50-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2108-51-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2740-57-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

Filesize
4KB

Download
memory/2740-28-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

Filesize
4KB

Download
memory/2740-31-0x0000000000C60000-0x00000000018E4000-memory.dmp

Filesize
12.5MB

Download
memory/2792-9373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-3380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-5846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-1410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2944-75-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2944-93-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2944-90-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2944-88-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2944-85-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2944-83-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2944-80-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2944-78-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2944-98-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2944-76-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2944-66-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2944-101-0x0000000000400000-0x0000000000DAB000-memory.dmp

Filesize
9.7MB

Download
memory/2944-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2944-95-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2944-73-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2944-70-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2944-68-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3044-104-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3044-53-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download