raccoon | 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Analysis

max time kernel
133s
max time network
150s
resource
win10v191014

Sharing

Copy URL

Twitter E-mail

General

Target

crypted[1].bin
Sample

191129-bykghah8ge
SHA256

9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Score

N/A

Malware Config

Signatures

Checks for installed software on the system 1 TTPs 1 IoCs

discovery

Query Registry

T1012

Processes:

crypted[1].bin.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	4964	crypted[1].bin.exe

Drops file in system dir 5 IoCs

Processes:

svchost.exe

description	ioc	pid	process
File opened for modification	C:\Windows\Debug\ESE.TXT	3700	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	3700	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	3700	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	3700	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	3700	svchost.exe

raccoon family
family raccoon

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SppExtComObj.execrypted[1].bin.execmd.exe

description	pid	process	target process
PID 5036 wrote to memory of 5064	5036	SppExtComObj.exe	SLUI.exe
PID 4964 wrote to memory of 3996	4964	crypted[1].bin.exe	cmd.exe
PID 3996 wrote to memory of 3972	3996	cmd.exe	PING.EXE

Reads Dragon user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ 4964 crypted[1].bin.exe
Reads Nichrome user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Nichrome\User Data\ 4964 crypted[1].bin.exe
Reads Mustang user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ 4964 crypted[1].bin.exe
Reads Chedot user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Chedot\User Data\ 4964 crypted[1].bin.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

crypted[1].bin.exe

pid process

4964 crypted[1].bin.exe
Reads Uran user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ 4964 crypted[1].bin.exe
Reads Epic privacy browser user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ 4964 crypted[1].bin.exe
Reads Secure browser user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ 4964 crypted[1].bin.exe
Reads user profile for Thunderbird email client, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ 4964 crypted[1].bin.exe
Reads Waterfox user profile, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ 4964 crypted[1].bin.exe
Reads Centbrowser user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\CentBrowser\User Data\ 4964 crypted[1].bin.exe
Reads Qip surf user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\QIP Surf\User Data\ 4964 crypted[1].bin.exe
Reads 7star user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ 4964 crypted[1].bin.exe
Reads Suhba user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Suhba\User Data\ 4964 crypted[1].bin.exe
Reads Chrome user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ 4964 crypted[1].bin.exe
Reads Chrome SxS user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ 4964 crypted[1].bin.exe
Reads Chromium user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Chromium\User Data\ 4964 crypted[1].bin.exe
Reads Bromium user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Bromium\User Data\ 4964 crypted[1].bin.exe
Reads Go! user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Go!\User Data\ 4964 crypted[1].bin.exe
Reads Firefox user profile, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ 4964 crypted[1].bin.exe
Accesses Bither wallet, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

description ioc pid process

File opened (read-only) C:\Users\Admin\AppData\Roaming\Bither\address.db 4964 crypted[1].bin.exe
Reads Rockmelt user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\RockMelt\User Data\ 4964 crypted[1].bin.exe
Reads Kometa user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Kometa\User Data\ 4964 crypted[1].bin.exe
Reads Elements browser user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Elements Browser\User Data\ 4964 crypted[1].bin.exe
Reads Tor Browser user profile, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\TorBro\Profile\ 4964 crypted[1].bin.exe
Reads Torch user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Torch\User Data\ 4964 crypted[1].bin.exe
Reads Orbitum user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Orbitum\User Data\ 4964 crypted[1].bin.exe
Reads Sputnik user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ 4964 crypted[1].bin.exe
Reads Superbird user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Superbird\User Data\ 4964 crypted[1].bin.exe
Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3972 PING.EXE

ioc	pid	process
C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Nichrome\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Chedot\User Data\	4964	crypted[1].bin.exe

pid	process
4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\CentBrowser\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\QIP Surf\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\7Star\7Star\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Suhba\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Chromium\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Bromium\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Go!\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\	4964	crypted[1].bin.exe

description	ioc	pid	process
File opened (read-only)	C:\Users\Admin\AppData\Roaming\Bither\address.db	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\RockMelt\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Kometa\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Elements Browser\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\TorBro\Profile\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Torch\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Orbitum\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Superbird\User Data\	4964	crypted[1].bin.exe

pid	process
3972	PING.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4336	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4336	svchost.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4056	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4056	svchost.exe

4 IoCs

Processes:

crypted[1].bin.exe

ioc
drive.google.com
File opened for modification	C:\Users\Admin\AppData\Local\Temp\machineinfo.txt	4964	crypted[1].bin.exe
HTTP URL	http://34.76.145.229/gate/log.php
HTTP URL	http://34.76.145.229/file_handler/file.php?hash=b0813e2ec23140aca46c76857579fd82f11ff08c&js=edeed05e16b0151de24438557e57c3516e522684&callback=http://34.76.145.229/gate

Loads dropped DLL 1 IoCs

Processes:

crypted[1].bin.exe

pid process

4964 crypted[1].bin.exe
Reads Amigo user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Amigo\User Data\ 4964 crypted[1].bin.exe
Reads Vivaldi user data, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Local\Vivaldi\User Data\ 4964 crypted[1].bin.exe
Reads Pale Moon browser user profile, possible credential harvesting 2 TTPs 1 IoCs
spyware

Data from Local System
T1005

Processes:

crypted[1].bin.exe

ioc pid process

C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ 4964 crypted[1].bin.exe

pid	process
4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Amigo\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Local\Vivaldi\User Data\	4964	crypted[1].bin.exe

ioc	pid	process
C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\	4964	crypted[1].bin.exe

C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
"C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
1⤵
- Checks for installed software on the system
- Suspicious use of WriteProcessMemory
- Reads Dragon user data, possible credential harvesting
- Reads Nichrome user data, possible credential harvesting
- Reads Mustang user data, possible credential harvesting
- Reads Chedot user data, possible credential harvesting
- Suspicious use of SetWindowsHookEx
- Reads Uran user data, possible credential harvesting
- Reads Epic privacy browser user data, possible credential harvesting
- Reads Secure browser user data, possible credential harvesting
- Reads user profile for Thunderbird email client, possible credential harvesting
- Reads Waterfox user profile, possible credential harvesting
- Reads Centbrowser user data, possible credential harvesting
- Reads Qip surf user data, possible credential harvesting
- Reads 7star user data, possible credential harvesting
- Reads Suhba user data, possible credential harvesting
- Reads Chrome user data, possible credential harvesting
- Reads Chrome SxS user data, possible credential harvesting
- Reads Chromium user data, possible credential harvesting
- Reads Bromium user data, possible credential harvesting
- Reads Go! user data, possible credential harvesting
- Reads Firefox user profile, possible credential harvesting
- Accesses Bither wallet, possible credential harvesting
- Reads Rockmelt user data, possible credential harvesting
- Reads Kometa user data, possible credential harvesting
- Reads Elements browser user data, possible credential harvesting
- Reads Tor Browser user profile, possible credential harvesting
- Reads Torch user data, possible credential harvesting
- Reads Orbitum user data, possible credential harvesting
- Reads Sputnik user data, possible credential harvesting
- Reads Superbird user data, possible credential harvesting
- Loads dropped DLL
- Reads Amigo user data, possible credential harvesting
- Reads Vivaldi user data, possible credential harvesting
- Reads Pale Moon browser user profile, possible credential harvesting
PID:4964

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
1⤵
- Runs ping.exe
PID:3972

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:3700

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3128

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4056

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4336

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1081
T1089

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Download Submit