raccoon | bf97fab7ccc6d55f68b6563e8c68541f4b8db1cbcb841dce67663d9e4d7938b1

General

Target

cc5c3d6512bbc0e90d670e8a61481ca1.exe
Size

580KB
MD5

cc5c3d6512bbc0e90d670e8a61481ca1
SHA1

cd7a8e51b413de2343aac98971d37e6363863de4
SHA256

bf97fab7ccc6d55f68b6563e8c68541f4b8db1cbcb841dce67663d9e4d7938b1
SHA512

bdc5719449433ea8a9d0066d900f843b66e4817bbe893a99a798cc57d11ad0ef23f34c6b6382c4d9fc76d140a51e5da3d1167ba60940234b927fdd2eb3270662

Score

10^/10

ransomware spyware stealer raccoon discovery

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.11 Release Build compiled on Fri May 8 14:39:40 2020 Launched at: 2020.06.30 - 13:36:29 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (700 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cc5c3d6512bbc0e90d670e8a61481ca1.exefilingood.execmd.exe

description	pid	process	target process
PID 3260 wrote to memory of 3780	3260	cc5c3d6512bbc0e90d670e8a61481ca1.exe	filingood.exe
PID 3260 wrote to memory of 3780	3260	cc5c3d6512bbc0e90d670e8a61481ca1.exe	filingood.exe
PID 3260 wrote to memory of 3780	3260	cc5c3d6512bbc0e90d670e8a61481ca1.exe	filingood.exe
PID 3260 wrote to memory of 2536	3260	cc5c3d6512bbc0e90d670e8a61481ca1.exe	testoviyjuki.exe
PID 3260 wrote to memory of 2536	3260	cc5c3d6512bbc0e90d670e8a61481ca1.exe	testoviyjuki.exe
PID 3260 wrote to memory of 2536	3260	cc5c3d6512bbc0e90d670e8a61481ca1.exe	testoviyjuki.exe
PID 3780 wrote to memory of 1268	3780	filingood.exe	cmd.exe
PID 3780 wrote to memory of 1268	3780	filingood.exe	cmd.exe
PID 3780 wrote to memory of 1268	3780	filingood.exe	cmd.exe
PID 1268 wrote to memory of 1504	1268	cmd.exe	timeout.exe
PID 1268 wrote to memory of 1504	1268	cmd.exe	timeout.exe
PID 1268 wrote to memory of 1504	1268	cmd.exe	timeout.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc5c3d6512bbc0e90d670e8a61481ca1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cc5c3d6512bbc0e90d670e8a61481ca1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cc5c3d6512bbc0e90d670e8a61481ca1.exe

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

filingood.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	filingood.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	filingood.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	filingood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	filingood.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	filingood.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	filingood.exe

Executes dropped EXE 2 IoCs

Processes:

filingood.exetestoviyjuki.exe

pid process

3780 filingood.exe
2536 testoviyjuki.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2216 2536 WerFault.exe testoviyjuki.exe
Loads dropped DLL 8 IoCs

Processes:

filingood.exe

pid process

3780 filingood.exe
3780 filingood.exe
3780 filingood.exe
3780 filingood.exe
3780 filingood.exe
3780 filingood.exe
3780 filingood.exe
3780 filingood.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1504 timeout.exe
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2216 created 2536 2216 WerFault.exe testoviyjuki.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2216 WerFault.exe
Token: SeBackupPrivilege 2216 WerFault.exe
Token: SeDebugPrivilege 2216 WerFault.exe

pid	process
3780	filingood.exe
2536	testoviyjuki.exe

pid	pid_target	process	target process
2216	2536	WerFault.exe	testoviyjuki.exe

pid	process
3780	filingood.exe
3780	filingood.exe
3780	filingood.exe
3780	filingood.exe
3780	filingood.exe
3780	filingood.exe
3780	filingood.exe
3780	filingood.exe

pid	process
1504	timeout.exe

description	pid	process	target process
PID 2216 created 2536	2216	WerFault.exe	testoviyjuki.exe

description	pid	process
Token: SeRestorePrivilege	2216	WerFault.exe
Token: SeBackupPrivilege	2216	WerFault.exe
Token: SeDebugPrivilege	2216	WerFault.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe
2216	WerFault.exe

Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

yara_rule
raccoon_log_file

C:\Users\Admin\AppData\Local\Temp\cc5c3d6512bbc0e90d670e8a61481ca1.exe
"C:\Users\Admin\AppData\Local\Temp\cc5c3d6512bbc0e90d670e8a61481ca1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
PID:3260
- C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe
  filingood.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  - Checks for installed software on the system
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:1504
- C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe
  testoviyjuki.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 672
    3⤵
    - Program crash
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:2216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/1268-31-0x0000000000000000-mapping.dmp

Download
memory/1504-32-0x0000000000000000-mapping.dmp

Download
memory/2216-23-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2216-14-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2216-13-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2536-21-0x0000000000000000-mapping.dmp

Download
memory/2536-7-0x0000000000000000-mapping.dmp

Download
memory/2536-17-0x0000000000000000-mapping.dmp

Download
memory/2536-22-0x0000000000000000-mapping.dmp

Download
memory/2536-20-0x0000000000000000-mapping.dmp

Download
memory/2536-19-0x0000000000000000-mapping.dmp

Download
memory/2536-18-0x0000000000000000-mapping.dmp

Download
memory/2536-12-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/2536-11-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/3260-0-0x0000000004474000-0x0000000004475000-memory.dmp

Filesize
4KB

Download
memory/3260-1-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/3780-6-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3780-5-0x00000000041D3000-0x00000000041D4000-memory.dmp

Filesize
4KB

Download
memory/3780-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads