raccoon | 7e4edc8ffe28e350521029d003b74b2d77e74d4423c4ceb14fb4860341c8b95f

General

Target

0da5863efb6a991be6b2751f67dd481f.exe
Size

588KB
MD5

0da5863efb6a991be6b2751f67dd481f
SHA1

5396942eead1be7510ca4689c6c70111ab8ca7eb
SHA256

7e4edc8ffe28e350521029d003b74b2d77e74d4423c4ceb14fb4860341c8b95f
SHA512

5fe762a51307b284569e8639346e92ed0a5bac0bb8cd6b0a09b0e570d6bc3c84174ba565a756fe8c2b9f4eff2fa232e16e4505628cd2768b8bdf0210895a0f53

Score

10^/10

ransomware stealer raccoon spyware discovery

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.11 Release Build compiled on Fri May 8 14:39:40 2020 Launched at: 2020.06.30 - 12:08:31 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (685 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

Loads dropped DLL 8 IoCs

Processes:

filingood.exe

pid process

2964 filingood.exe
2964 filingood.exe
2964 filingood.exe
2964 filingood.exe
2964 filingood.exe
2964 filingood.exe
2964 filingood.exe
2964 filingood.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3680 3672 WerFault.exe testoviyjuki.exe

pid	process
2964	filingood.exe
2964	filingood.exe
2964	filingood.exe
2964	filingood.exe
2964	filingood.exe
2964	filingood.exe
2964	filingood.exe
2964	filingood.exe

pid	pid_target	process	target process
3680	3672	WerFault.exe	testoviyjuki.exe

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

filingood.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	filingood.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	filingood.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	filingood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	filingood.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	filingood.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4048 timeout.exe
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3680 created 3672 3680 WerFault.exe testoviyjuki.exe

pid	process
4048	timeout.exe

description	pid	process	target process
PID 3680 created 3672	3680	WerFault.exe	testoviyjuki.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0da5863efb6a991be6b2751f67dd481f.exefilingood.execmd.exe

description	pid	process	target process
PID 3844 wrote to memory of 2964	3844	0da5863efb6a991be6b2751f67dd481f.exe	filingood.exe
PID 3844 wrote to memory of 2964	3844	0da5863efb6a991be6b2751f67dd481f.exe	filingood.exe
PID 3844 wrote to memory of 2964	3844	0da5863efb6a991be6b2751f67dd481f.exe	filingood.exe
PID 3844 wrote to memory of 3672	3844	0da5863efb6a991be6b2751f67dd481f.exe	testoviyjuki.exe
PID 3844 wrote to memory of 3672	3844	0da5863efb6a991be6b2751f67dd481f.exe	testoviyjuki.exe
PID 3844 wrote to memory of 3672	3844	0da5863efb6a991be6b2751f67dd481f.exe	testoviyjuki.exe
PID 2964 wrote to memory of 3376	2964	filingood.exe	cmd.exe
PID 2964 wrote to memory of 3376	2964	filingood.exe	cmd.exe
PID 2964 wrote to memory of 3376	2964	filingood.exe	cmd.exe
PID 3376 wrote to memory of 4048	3376	cmd.exe	timeout.exe
PID 3376 wrote to memory of 4048	3376	cmd.exe	timeout.exe
PID 3376 wrote to memory of 4048	3376	cmd.exe	timeout.exe

Executes dropped EXE 2 IoCs

Processes:

filingood.exetestoviyjuki.exe

pid process

2964 filingood.exe
3672 testoviyjuki.exe
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

pid	process
2964	filingood.exe
3672	testoviyjuki.exe

yara_rule
raccoon_log_file

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe
3680	WerFault.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3680 WerFault.exe
Token: SeBackupPrivilege 3680 WerFault.exe
Token: SeDebugPrivilege 3680 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3680	WerFault.exe
Token: SeBackupPrivilege	3680	WerFault.exe
Token: SeDebugPrivilege	3680	WerFault.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0da5863efb6a991be6b2751f67dd481f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0da5863efb6a991be6b2751f67dd481f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0da5863efb6a991be6b2751f67dd481f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

C:\Users\Admin\AppData\Local\Temp\0da5863efb6a991be6b2751f67dd481f.exe
"C:\Users\Admin\AppData\Local\Temp\0da5863efb6a991be6b2751f67dd481f.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
PID:3844
- C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe
  filingood.exe
  2⤵
  - Loads dropped DLL
  - Checks for installed software on the system
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4048
- C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe
  testoviyjuki.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 676
    3⤵
    - Program crash
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/2964-2-0x0000000000000000-mapping.dmp

Download
memory/2964-6-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/2964-5-0x0000000004361000-0x0000000004362000-memory.dmp

Filesize
4KB

Download
memory/3376-18-0x0000000000000000-mapping.dmp

Download
memory/3672-21-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3672-26-0x0000000000000000-mapping.dmp

Download
memory/3672-15-0x0000000000000000-mapping.dmp

Download
memory/3672-30-0x0000000000000000-mapping.dmp

Download
memory/3672-29-0x0000000000000000-mapping.dmp

Download
memory/3672-22-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/3672-28-0x0000000000000000-mapping.dmp

Download
memory/3672-27-0x0000000000000000-mapping.dmp

Download
memory/3680-24-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3680-23-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3680-31-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3844-1-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/3844-0-0x0000000004354000-0x0000000004355000-memory.dmp

Filesize
4KB

Download
memory/4048-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads