raccoon | 4911fa1954ae21c905977d4a341a7984948cad6c2fd3269871d328386a0f3344

General

Target

ff47b14fae7af6baf17ccc151a0196c9.exe
Size

589KB
MD5

ff47b14fae7af6baf17ccc151a0196c9
SHA1

48b087b25dec9ed2574713d786e46c47bb156a3b
SHA256

4911fa1954ae21c905977d4a341a7984948cad6c2fd3269871d328386a0f3344
SHA512

d8d35538eaaabef971fdeeac146e3f7293330aadac799227b3193dc338101783a564acab977ae475e9ab2d15c10da0beed5490352555c93f5a375eb0eacc189b

Score

10^/10

ransomware spyware discovery stealer raccoon

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.11 Release Build compiled on Fri May 8 14:39:40 2020 Launched at: 2020.06.30 - 13:33:27 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (684 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3912 created 732 3912 WerFault.exe testoviyjuki.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3912 created 732	3912	WerFault.exe	testoviyjuki.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff47b14fae7af6baf17ccc151a0196c9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ff47b14fae7af6baf17ccc151a0196c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ff47b14fae7af6baf17ccc151a0196c9.exe

Loads dropped DLL 8 IoCs

Processes:

filingood.exe

pid process

3296 filingood.exe
3296 filingood.exe
3296 filingood.exe
3296 filingood.exe
3296 filingood.exe
3296 filingood.exe
3296 filingood.exe
3296 filingood.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3912 WerFault.exe
Token: SeBackupPrivilege 3912 WerFault.exe
Token: SeDebugPrivilege 3912 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

572 timeout.exe

pid	process
3296	filingood.exe
3296	filingood.exe
3296	filingood.exe
3296	filingood.exe
3296	filingood.exe
3296	filingood.exe
3296	filingood.exe
3296	filingood.exe

description	pid	process
Token: SeRestorePrivilege	3912	WerFault.exe
Token: SeBackupPrivilege	3912	WerFault.exe
Token: SeDebugPrivilege	3912	WerFault.exe

pid	process
572	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe
3912	WerFault.exe

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

filingood.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	filingood.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	filingood.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	filingood.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	filingood.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	filingood.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	filingood.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	filingood.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ff47b14fae7af6baf17ccc151a0196c9.exefilingood.execmd.exe

description	pid	process	target process
PID 3404 wrote to memory of 3296	3404	ff47b14fae7af6baf17ccc151a0196c9.exe	filingood.exe
PID 3404 wrote to memory of 3296	3404	ff47b14fae7af6baf17ccc151a0196c9.exe	filingood.exe
PID 3404 wrote to memory of 3296	3404	ff47b14fae7af6baf17ccc151a0196c9.exe	filingood.exe
PID 3404 wrote to memory of 732	3404	ff47b14fae7af6baf17ccc151a0196c9.exe	testoviyjuki.exe
PID 3404 wrote to memory of 732	3404	ff47b14fae7af6baf17ccc151a0196c9.exe	testoviyjuki.exe
PID 3404 wrote to memory of 732	3404	ff47b14fae7af6baf17ccc151a0196c9.exe	testoviyjuki.exe
PID 3296 wrote to memory of 1432	3296	filingood.exe	cmd.exe
PID 3296 wrote to memory of 1432	3296	filingood.exe	cmd.exe
PID 3296 wrote to memory of 1432	3296	filingood.exe	cmd.exe
PID 1432 wrote to memory of 572	1432	cmd.exe	timeout.exe
PID 1432 wrote to memory of 572	1432	cmd.exe	timeout.exe
PID 1432 wrote to memory of 572	1432	cmd.exe	timeout.exe

Executes dropped EXE 2 IoCs

Processes:

filingood.exetestoviyjuki.exe

pid process

3296 filingood.exe
732 testoviyjuki.exe
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3912 732 WerFault.exe testoviyjuki.exe

pid	process
3296	filingood.exe
732	testoviyjuki.exe

yara_rule
raccoon_log_file

pid	pid_target	process	target process
3912	732	WerFault.exe	testoviyjuki.exe

C:\Users\Admin\AppData\Local\Temp\ff47b14fae7af6baf17ccc151a0196c9.exe
"C:\Users\Admin\AppData\Local\Temp\ff47b14fae7af6baf17ccc151a0196c9.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe
filingood.exe
2⤵
- Loads dropped DLL
- Checks for installed software on the system
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:572

C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe
testoviyjuki.exe
2⤵
- Executes dropped EXE
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 684
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\filingood.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe

Download Submit
C:\Users\Admin\AppData\Roaming\indepopede\testoviyjuki.exe

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/572-31-0x0000000000000000-mapping.dmp

Download
memory/732-25-0x0000000000000000-mapping.dmp

Download
memory/732-28-0x0000000000000000-mapping.dmp

Download
memory/732-8-0x0000000000000000-mapping.dmp

Download
memory/732-27-0x0000000000000000-mapping.dmp

Download
memory/732-19-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/732-20-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/732-26-0x0000000000000000-mapping.dmp

Download
memory/732-24-0x0000000000000000-mapping.dmp

Download
memory/1432-30-0x0000000000000000-mapping.dmp

Download
memory/3296-2-0x0000000000000000-mapping.dmp

Download
memory/3296-5-0x0000000004452000-0x0000000004453000-memory.dmp

Filesize
4KB

Download
memory/3296-6-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/3404-1-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/3404-0-0x00000000041B4000-0x00000000041B5000-memory.dmp

Filesize
4KB

Download
memory/3912-22-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3912-21-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3912-29-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads