Analysis Overview
SHA256
447cc0e824ccbad20d29998b9e64b792d7c40de93ebc36ac490748f4b551e02c
Threat Level: Known bad
The file FullSetup.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 21:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 21:04
Reported
2024-09-25 21:07
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Raccoon
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\FullSetup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2360 set thread context of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FullSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FullSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FullSetup.exe"
C:\Windows\SysWOW64\WerFault.exe
WerFault.exe //////
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Moto.eps & ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tfRFLqTvsdIvUOKycksieezLBpgscdNdnOfYhOdVSSkJZtltWZlydmGwVytBLBqqCsYunLRHVcglRKMvZlxvuHZYiheoKPldRluIutFkiClUkvplaHCBiEUVsqYkJJX$" Tua.eps
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
Gli.exe.pif W
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | GAlALFMkYqNrSRhJEJl.GAlALFMkYqNrSRhJEJl | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 92.38.240.8:80 | | tcp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Moto.eps
| Hash | Value |
|---|---|
| MD5 | 258280b6e48ab449d2190299900d195b |
| SHA1 | d991053bdb2c36526fa5ac70c11d5cd125a63f2f |
| SHA256 | c033bde6cd385138ecc9c1726cb91aeb4c33eb3b107baf81fcaafcd24bb16d92 |
| SHA512 | 2d35d334073dd64bf08b806908d34314d17cd66e8289fe0a0ec0462070b265cc74d8f801c3dc08a7e38c08d695b52aabc5d8c5714d72519c82b607c6bdddcfff |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.eps
| Hash | Value |
|---|---|
| MD5 | 2680f631d04f3e8f3422f5c4681d044c |
| SHA1 | 8429c33dfc52763a7c192f8134436c7ebb314cf2 |
| SHA256 | 4f3210a0dadf4bd1da643251e3ee89718c4fc90078ef6917871740b39bfcf137 |
| SHA512 | a4e60d12c1edb136a60d4f2e85518453025eb8f310eb2d94a1906b2a1165bf0a28995a64e6b943809ad6be69a6b85c3e3ac066f25012b1e705540414c6dabbc0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mise.eps
| Hash | Value |
|---|---|
| MD5 | 0b1008510d8ad78f303d4002b429b8db |
| SHA1 | 9abf5a170d7200bec2af12949fa88be6e64f4c7a |
| SHA256 | 2b394bca6c02157946a8344d478c1e6e4295f6714dbe531360f7033748c2deb1 |
| SHA512 | de2662e6c7edd9856bee6c90760708a6cf508bb289f0765a7bf0847b9ab7ab99bce9cfbd67725dff2e98ef76a425552ece5440e3492c1bcf8cfd5fd0a80005f2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
| Hash | Value |
|---|---|
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
memory/2360-14-0x00000000038A0000-0x00000000038A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hgiRTV.dll
| Hash | Value |
|---|---|
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/1444-24-0x0000000001280000-0x0000000001292000-memory.dmp
memory/1444-32-0x0000000001280000-0x0000000001292000-memory.dmp
memory/1444-33-0x0000000001280000-0x0000000001292000-memory.dmp
memory/1444-34-0x0000000001280000-0x0000000001292000-memory.dmp