| File name: | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| Full analysis: | https://app.any.run/tasks/da1a65e5-60da-4abe-b498-fb98dfa484cd |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 13:59:31 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 9EAD10C08E72AE41921191F8DB39BC16 |
| SHA1: | ABE3BCE01CD34AFC88E2C838173F8C2BD0090AE1 |
| SHA256: | 8D7F0E6B6877BDFB9F4531AFAFD0451F7D17F0AC24E2F2427E9B4ECC5452B9F0 |
| SSDEEP: | 192:9UEc8b6H1LE+4LoGgMatAJ2lzUw317NyEpvNHhqyoG:9UUE1BYoGza/D3170kiyoG |
MALICIOUS
Drops the executable file immediately after the start
- 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe (PID: 3060)
Uses Task Scheduler to run other applications
- 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe (PID: 3060)
- mstsca.exe (PID: 2624)
RACCOONCLIPPER has been detected (YARA)
- mstsca.exe (PID: 2624)
SUSPICIOUS
The process executes via Task Scheduler
- mstsca.exe (PID: 2624)
INFO
Manual execution by a user
- wmpnscfg.exe (PID: 4032)
Checks supported languages
- wmpnscfg.exe (PID: 4032)
- 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe (PID: 3060)
- mstsca.exe (PID: 2624)
Creates files or folders in the user directory
- 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe (PID: 3060)
Reads the computer name
- wmpnscfg.exe (PID: 4032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RaccoonClipper
(PID) Process(2624) mstsca.exe
Wallets (14)t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN
bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v
MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk
0xa6360e294DfCe4fE4Edf61b170c76770691aA111
bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23
DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc
ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym
1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z
42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2
3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP
Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE
LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis
addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl
89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:07:31 00:44:12+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.24 |
| CodeSize: | 4608 |
| InitializedDataSize: | 4608 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1afa |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
42
Monitored processes
5
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2624 | C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe | taskeng.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
RaccoonClipper(PID) Process(2624) mstsca.exe Wallets (14)t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk 0xa6360e294DfCe4fE4Edf61b170c76770691aA111 bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23 DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym 1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z 42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2 3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl 89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ | |||||||||||||||
| 2644 | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe" | C:\Windows\System32\schtasks.exe | — | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2780 | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe" | C:\Windows\System32\schtasks.exe | — | mstsca.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3060 | "C:\Users\admin\AppData\Local\Temp\8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe" | C:\Users\admin\AppData\Local\Temp\8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 4294967295 Modules
| |||||||||||||||
| 4032 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
52
Read events
52
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3060 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0.exe | C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe | executable | |
MD5:9EAD10C08E72AE41921191F8DB39BC16 | SHA256:8D7F0E6B6877BDFB9F4531AFAFD0451F7D17F0AC24E2F2427E9B4ECC5452B9F0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
868 | svchost.exe | 23.35.228.137:80 | — | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
868 | svchost.exe | 95.101.148.135:80 | armmf.adobe.com | Akamai International B.V. | NL | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
armmf.adobe.com |
| whitelisted |