raccoon | d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
Size

12.5MB
MD5

bb619be51f4802c7a898ae74c5d1eabe
SHA1

786d74917eda2e000a65806eda9734d33d20399c
SHA256

d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248
SHA512

88ccbc59ba122ffe3a8ee65bf93ec7b40210bb69f35d4aae8edb907a76a824abd7b71f5ac35972ce59c7f89c96cfe7ac92aca903b4d78ff0b15d5617a2a5c905
SSDEEP

393216:yGEDG5J4uYTKWl+IEDHCYMF7FjrBcmAT4ejQe:y1a7gTKw+/DHtGimzze

Score

10^/10

raccoon 517bb0d640c1242c3f069aab3d1018d6 defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

517bb0d640c1242c3f069aab3d1018d6

http://51.195.166.178/

http://5.252.177.22

Attributes

user_agent
x

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

resource	yara_rule
behavioral2/memory/1896-58-0x0000000000400000-0x0000000000DAB000-memory.dmp	family_raccoon_v2

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 5 IoCs

pid	Process
2452	Logo1_.exe
620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
1896	fdioadhvsbljrhnwpp.c.exe
2256	RedGiant Activation Service Unlocker 2023.1.2.exe
532	RedGiant Activation Service Unlocker 2023.1.2.tmp

Loads dropped DLL 1 IoCs

pid	Process
532	RedGiant Activation Service Unlocker 2023.1.2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vreg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
File created	C:\Windows\Logo1_.exe	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdioadhvsbljrhnwpp.c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedGiant Activation Service Unlocker 2023.1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedGiant Activation Service Unlocker 2023.1.2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe
2452	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2912	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	84
PID 4820 wrote to memory of 2912	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	84
PID 4820 wrote to memory of 2912	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	84
PID 2912 wrote to memory of 4384	2912	net.exe	86
PID 2912 wrote to memory of 4384	2912	net.exe	86
PID 2912 wrote to memory of 4384	2912	net.exe	86
PID 4820 wrote to memory of 384	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	89
PID 4820 wrote to memory of 384	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	89
PID 4820 wrote to memory of 384	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	89
PID 4820 wrote to memory of 2452	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	91
PID 4820 wrote to memory of 2452	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	91
PID 4820 wrote to memory of 2452	4820	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	91
PID 2452 wrote to memory of 5020	2452	Logo1_.exe	92
PID 2452 wrote to memory of 5020	2452	Logo1_.exe	92
PID 2452 wrote to memory of 5020	2452	Logo1_.exe	92
PID 5020 wrote to memory of 1712	5020	net.exe	94
PID 5020 wrote to memory of 1712	5020	net.exe	94
PID 5020 wrote to memory of 1712	5020	net.exe	94
PID 384 wrote to memory of 620	384	cmd.exe	95
PID 384 wrote to memory of 620	384	cmd.exe	95
PID 2452 wrote to memory of 4744	2452	Logo1_.exe	97
PID 2452 wrote to memory of 4744	2452	Logo1_.exe	97
PID 2452 wrote to memory of 4744	2452	Logo1_.exe	97
PID 4744 wrote to memory of 1336	4744	net.exe	99
PID 4744 wrote to memory of 1336	4744	net.exe	99
PID 4744 wrote to memory of 1336	4744	net.exe	99
PID 2452 wrote to memory of 3576	2452	Logo1_.exe	56
PID 2452 wrote to memory of 3576	2452	Logo1_.exe	56
PID 620 wrote to memory of 1532	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	100
PID 620 wrote to memory of 1532	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	100
PID 620 wrote to memory of 1896	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	102
PID 620 wrote to memory of 1896	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	102
PID 620 wrote to memory of 1896	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	102
PID 620 wrote to memory of 2256	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	103
PID 620 wrote to memory of 2256	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	103
PID 620 wrote to memory of 2256	620	d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe	103
PID 2256 wrote to memory of 532	2256	RedGiant Activation Service Unlocker 2023.1.2.exe	104
PID 2256 wrote to memory of 532	2256	RedGiant Activation Service Unlocker 2023.1.2.exe	104
PID 2256 wrote to memory of 532	2256	RedGiant Activation Service Unlocker 2023.1.2.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
  "C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA836.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe
      "C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAFgAZgB4AGcAcwAjAD4AQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBYAHkAdwBuAHkAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBYAHkAeQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFgAbQBhAGQAagB4ACMAPgA="
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Users\Admin\AppData\Roaming\fdioadhvsbljrhnwpp.c.exe
        
        C:\Users\Admin\AppData\Roaming\fdioadhvsbljrhnwpp.c.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
    - - C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe
        
        "C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\is-5EM7C.tmp\RedGiant Activation Service Unlocker 2023.1.2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5EM7C.tmp\RedGiant Activation Service Unlocker 2023.1.2.tmp" /SL5="$F01CE,4730505,799744,C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
251KB

MD5
664d7138b147066281f05bfefa7c9173

SHA1
1ee532e15f59c95846c7587b591ef0be6abe9ddd

SHA256
f9395075f85cdfc06531e2ace0cb411094d569eb78e584528e287a8c3d0b5fcf

SHA512
6e23c0d1800f2b453b04d4b9e44c1f384a805d3ae55db85cc2569aafc48a29997e40bec3680f7a2e74d467761934ddd7c066be3bddfbaa0536abf70cf5088766

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
a963c64a4a6fad2cc2c8b3f84501c749

SHA1
406b4af376521adb0227eb36fb5ab75000d4293a

SHA256
d5dbed7723eadaceabdb9bbee9b42b82c9f24906ae155bc07a9d4ad3cca9d1c9

SHA512
7ca2583fc561bfa09dabf365075720cfef3d2128e9f356a66af1a1968dbe9382832f861e6aff628e13d26175aa86058f028d1482eb9e75b13bf9e6c6e46f8ebb

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
e0ed23e7c91d644dae4f0113cc56ae69

SHA1
06d2cac840c66fa7f56bba65a4921b80be5652c1

SHA256
34c0454eb2bd9f79673ded60182bbee65bde74b1fbdc32e81e61c122f949240e

SHA512
a780b7fc5a7128a355e9f2283ed9aca92d3ac9af2a3ea2a88568e75778b57179531144a6cb42de6b482a622850fa2cef8e3ccc3439a44601bdee81b970b1d42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA836.bat

Filesize
722B

MD5
ce21cdafe7f4ab08d840de9a1fb126b5

SHA1
8dfc2d9b4df035549f2bad697e7e65a8a63885e6

SHA256
e5211faecec5a61da96ae6cb7bfd715d8c9cc1a1d15cd9e5b39d61a88e84fea8

SHA512
30aadd6eb7c2287216d9bd545fa8ec964be283911b1542266534b264ec009def64fc8ddde3f1a0f2f9d854beb901dfa8afe4b5942e6f7733171665d7686a2435

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2z0db5r.vi1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d86982013fbd0fbad975c8149417d94179f9253bb37a6dd6be8d332d26ffe248.exe.exe

Filesize
12.5MB

MD5
2f68989638c0e6124cc0525417001ace

SHA1
0d916a356cd385959dbc314fa126419733aa4dfa

SHA256
29e8fccc4020e6cd7f56c57bc966859d225b00b34879e1d931482aa0e005bf02

SHA512
53927c018ce5c9e5908b2516983408d9ceae4baddcdc1bf4ba04dea00d8de67a6bf664fd7f27ac22d4503f147528b0abe0a0b5199c2a6f4de315b8b08a6ef7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5EM7C.tmp\RedGiant Activation Service Unlocker 2023.1.2.tmp

Filesize
3.0MB

MD5
9ff8be30eebc2a9b6dc5a804f29531e9

SHA1
d60abf4909f8d3ea14795909d00cf0ae0742c354

SHA256
186253b7a1b9c4b1c67f443de5f2082c0131a6cebdb91966cd89dfe5d059f818

SHA512
f5c275635c9ed1b2ac15c5389bb04271911ec19cb4f67e614849f667d61e9eb523050ebec8bd94ad9934a56f8b06cfacfe868a90b07599e3bcd55d16732ce11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DGNJS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Roaming\RedGiant Activation Service Unlocker 2023.1.2.exe

Filesize
5.4MB

MD5
b304606be450eecc3d74798b31bd2488

SHA1
fd395643473f33dff91302fa0e96576d004625f0

SHA256
80a350ee738eb51b11204cfc7a049dcbd0280cee951416d3f2947e5d261ba8e6

SHA512
722389462b32245c5b7e5708b729bb254fd167d23c09cd0fe21d43ffb741e278b20f707bd64dc8f5b6e3c6c5f8946ea701e9d5f4d5d2bbc3e57f38fbc851f41b

Download Submit
C:\Users\Admin\AppData\Roaming\fdioadhvsbljrhnwpp.c.exe

Filesize
6.2MB

MD5
e312dd005a48906180a3f6baecdc2785

SHA1
0f3f16547903f9fb5c9b39dbfc0699e416202814

SHA256
a1358ad86b3fa37548bb2534e3719661e1938dbcaf9cd5b0542e56df1750e4e4

SHA512
613c2c1ba044b4b84ae368e75fa4b011539c1adba11199ee3aa310e4cbac30112afe24bc6cc67ff125663e5460b6d6116abe9738ed0d1a0b31f6808b82494a45

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d2951ddc3b3d2d7856a44d7e47c5393e

SHA1
2d387f9dbb5bb22b9caddb65067a8b82ff233696

SHA256
947bc93ef7df82923137c892303eed1de630f9f2c26cd77da3a994f0033914be

SHA512
fd4728a01890bbae63434001ee651583c91e331d333da82634b3630f9208f052b5201d3477b85ff7bff6e8d16c8b5ee12f30e56b6cc72bf8d6fb139729914cad

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\_desktop.ini

Filesize
9B

MD5
f74f4ac317419affe59fa4d389dd7e7c

SHA1
010f494382d5a64298702fe3732c9b96f438c653

SHA256
74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

SHA512
f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

Download Submit
memory/532-63-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/620-17-0x0000000000340000-0x0000000000FC4000-memory.dmp

Filesize
12.5MB

Download
memory/620-16-0x00007FFA3F583000-0x00007FFA3F585000-memory.dmp

Filesize
8KB

Download
memory/1532-31-0x000002649B330000-0x000002649B352000-memory.dmp

Filesize
136KB

Download
memory/1896-51-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1896-54-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1896-55-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1896-56-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1896-57-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1896-58-0x0000000000400000-0x0000000000DAB000-memory.dmp

Filesize
9.7MB

Download
memory/1896-53-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1896-52-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2256-39-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2256-62-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2452-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-3044-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-8901-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download