raccoon | 86c1ba04c2400da557124c31d3366eb792080a254e6166e7a426a27b0cd16693

General

Target

9ae5b3d8924d251ed4799a1223da2aac.exe
Size

514KB
MD5

f419548a046f3238df9d95d40e3a8fdd
SHA1

76fda035703781cfe5f785b8f230e7db6eef2abf
SHA256

86c1ba04c2400da557124c31d3366eb792080a254e6166e7a426a27b0cd16693
SHA512

cca8b94d53abde68c7fcf83fa246674cea3c607e65164d59824ec940b720560c33574c1e2e40c811667f9c685d61017eb27ca03bf671a159c4d8066ccf12f36d

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1636 1056 WerFault.exe 9ae5b3d8924d251ed4799a1223da2aac.exe

pid	pid_target	process	target process
1636	1056	WerFault.exe	9ae5b3d8924d251ed4799a1223da2aac.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9ae5b3d8924d251ed4799a1223da2aac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	9ae5b3d8924d251ed4799a1223da2aac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9ae5b3d8924d251ed4799a1223da2aac.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1636 WerFault.exe

pid	process
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1636	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9ae5b3d8924d251ed4799a1223da2aac.exe

description	pid	process	target process
PID 1056 wrote to memory of 1636	1056	9ae5b3d8924d251ed4799a1223da2aac.exe	WerFault.exe
PID 1056 wrote to memory of 1636	1056	9ae5b3d8924d251ed4799a1223da2aac.exe	WerFault.exe
PID 1056 wrote to memory of 1636	1056	9ae5b3d8924d251ed4799a1223da2aac.exe	WerFault.exe
PID 1056 wrote to memory of 1636	1056	9ae5b3d8924d251ed4799a1223da2aac.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9ae5b3d8924d251ed4799a1223da2aac.exe
"C:\Users\Admin\AppData\Local\Temp\9ae5b3d8924d251ed4799a1223da2aac.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 928
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-0-0x00000000024B7000-0x00000000024B8000-memory.dmp

Filesize
4KB

Download
memory/1056-1-0x0000000003E30000-0x0000000003E41000-memory.dmp

Filesize
68KB

Download
memory/1636-2-0x0000000000000000-mapping.dmp

Download
memory/1636-3-0x0000000002280000-0x0000000002291000-memory.dmp

Filesize
68KB

Download
memory/1636-4-0x0000000002280000-0x0000000002291000-memory.dmp

Filesize
68KB

Download
memory/1636-6-0x0000000002810000-0x0000000002821000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing