Analysis
- max time kernel: 195s
- max time network: 255s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02-05-2024 06:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
  - Resource: win7-20231129-en
- Behavioral task: behavioral2
  - Sample: f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
  - Resource: win10-20240404-en
General
- Target: f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
- Size: 400KB
- MD5: 273f874fb8cf5f0ea683569cc5aa1105
- SHA1: 75e0c12ddd0bf9d26e8ce5e014b2ff52476d3884
- SHA256: f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4
- SHA512: 03b1faa4a531837b6201abe4089cbfe89119c71a88cfdfa14e216040bed8cbab8595dc5c8e834fac4fedede8fd55e6982a7a9a29869b0dd30a838491959fef54
- SSDEEP: 12288:bixfqg8gtc1Ue6JGNHvrWJwdrO//2M9+Y5:bCfqZuQUe6Ji1O/F7
Malware Config
Extracted: raccoon
- 5bfc2fea32660a3c43ec3fa8f7188f7e
- C2: http://91.103.252.109:80
- user_agent: SunShineMoonLight
Signatures
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
- PureLog Stealer payload (2 IoCs)
  resource / yara_rule:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe: family_purelog_stealer
  - behavioral2/memory/4952-6-0x0000000000F60000-0x0000000000FBA000-memory.dmp: family_purelog_stealer
- Raccoon Stealer V2 payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4976-17-0x0000000000400000-0x000000000041B000-memory.dmp: family_raccoon_v2
  - behavioral2/memory/4976-22-0x0000000000400000-0x000000000041B000-memory.dmp: family_raccoon_v2
  - behavioral2/memory/4976-24-0x0000000000400000-0x000000000041B000-memory.dmp: family_raccoon_v2
- Executes dropped EXE (3 IoCs)
  pid / process:
  - 4952 countrycyber.exe
  - 4788 countrycyber.exe
  - 4976 countrycyber.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / target process:
  - PID 4952 set thread context of 4976: countrycyber.exe -> countrycyber.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process:
  - 4952 countrycyber.exe
  - 4952 countrycyber.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  - Token: SeDebugPrivilege, 4952 countrycyber.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description / pid / process / target process:
  - PID 3496 wrote to memory of 4952: f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe -> countrycyber.exe (3 entries)
  - PID 4952 wrote to memory of 4788: countrycyber.exe -> countrycyber.exe (3 entries)
  - PID 4952 wrote to memory of 4976: countrycyber.exe -> countrycyber.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f2d0b699237e80c6347e18250fb751f8876e52821ace6b497e2870d472ed5fa4.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
      - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\countrycyber.exe
  - Filesize: 357KB
  - MD5: c643acf3f644f9e94305a546365fb300
  - SHA1: 8e270c565228ec7e6856220fc8b726914430c456
  - SHA256: 9c5fb4465f201e05e9a0a6ae79fa8a27b48035f9a2a3f910c6e675ae24c53afa
  - SHA512: 8d16986b4ac1a8673310d4eccf3bcd62f0696bdd134716e37b49e959ef4a97cb1b4d4bfb8abaebd34cd3900ef4b6d479575e0dc29211120809b48fc1b55c7394
- memory/4952-12-0x0000000006520000-0x0000000006556000-memory.dmp (Filesize: 216KB)
- memory/4952-13-0x0000000006560000-0x00000000065AC000-memory.dmp (Filesize: 304KB)
- memory/4952-7-0x0000000005D20000-0x000000000621E000-memory.dmp (Filesize: 5.0MB)
- memory/4952-8-0x0000000073DE0000-0x00000000744CE000-memory.dmp (Filesize: 6.9MB)
- memory/4952-9-0x0000000005770000-0x00000000057BE000-memory.dmp (Filesize: 312KB)
- memory/4952-10-0x0000000006490000-0x00000000064DE000-memory.dmp (Filesize: 312KB)
- memory/4952-6-0x0000000000F60000-0x0000000000FBA000-memory.dmp (Filesize: 360KB)
- memory/4952-5-0x0000000073DEE000-0x0000000073DEF000-memory.dmp (Filesize: 4KB)
- memory/4952-11-0x00000000064E0000-0x0000000006516000-memory.dmp (Filesize: 216KB)
- memory/4952-14-0x0000000073DEE000-0x0000000073DEF000-memory.dmp (Filesize: 4KB)
- memory/4952-15-0x0000000073DE0000-0x00000000744CE000-memory.dmp (Filesize: 6.9MB)
- memory/4952-23-0x0000000073DE0000-0x00000000744CE000-memory.dmp (Filesize: 6.9MB)
- memory/4976-22-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4976-17-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/4976-24-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)