raccoon | f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6

General

Target

f7d51f78838308cdcd53b9c4f4af65e1.exe
Size

1.0MB
MD5

f7d51f78838308cdcd53b9c4f4af65e1
SHA1

cddc4f2499ffb79666db8b8c38d9f2c74b9ab219
SHA256

f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6
SHA512

3134ca19c1c0fe12a769b51909edfcc8da51b927e6414c7305d23280b8778de404759b8a56cd716a4c9fbda3f5e6b44ece160bceaa762011b35a3b40e930ae5e

Score

10^/10

raccoon ransomware stealer

Malware Config

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Executes dropped EXE 3 IoCs

Processes:

covhostjv.execovhostjv.execovhostjv.exe

pid process

1464 covhostjv.exe
1364 covhostjv.exe
952 covhostjv.exe
Loads dropped DLL 3 IoCs

Processes:

f7d51f78838308cdcd53b9c4f4af65e1.execovhostjv.execovhostjv.exe

pid process

1108 f7d51f78838308cdcd53b9c4f4af65e1.exe
1464 covhostjv.exe
1364 covhostjv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

covhostjv.exe

description pid process target process

PID 1364 set thread context of 952 1364 covhostjv.exe covhostjv.exe

pid	process
1464	covhostjv.exe
1364	covhostjv.exe
952	covhostjv.exe

pid	process
1108	f7d51f78838308cdcd53b9c4f4af65e1.exe
1464	covhostjv.exe
1364	covhostjv.exe

description	pid	process	target process
PID 1364 set thread context of 952	1364	covhostjv.exe	covhostjv.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

covhostjv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	covhostjv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	covhostjv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

covhostjv.exe

description pid process

Token: SeDebugPrivilege 1364 covhostjv.exe

description	pid	process
Token: SeDebugPrivilege	1364	covhostjv.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f7d51f78838308cdcd53b9c4f4af65e1.execovhostjv.execovhostjv.exe

description	pid	process	target process
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1108 wrote to memory of 1464	1108	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1464 wrote to memory of 1364	1464	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe
PID 1364 wrote to memory of 952	1364	covhostjv.exe	covhostjv.exe

C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe
"C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
MD5
183d8e2e66b0cc0b44199f82bcac409f

SHA1
800b313a0c2dad044112e66d7f430cb30371a9fc

SHA256
2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2

SHA512
e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
MD5
183d8e2e66b0cc0b44199f82bcac409f

SHA1
800b313a0c2dad044112e66d7f430cb30371a9fc

SHA256
2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2

SHA512
e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
MD5
183d8e2e66b0cc0b44199f82bcac409f

SHA1
800b313a0c2dad044112e66d7f430cb30371a9fc

SHA256
2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2

SHA512
e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
memory/952-21-0x000000000043FA56-mapping.dmp

Download
memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1364-13-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1364-15-0x0000000000320000-0x0000000000337000-memory.dmp

Filesize
92KB

Download
memory/1364-16-0x0000000000350000-0x000000000036F000-memory.dmp

Filesize
124KB

Download
memory/1364-17-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/1364-18-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1364-12-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1364-9-0x0000000000000000-mapping.dmp

Download
memory/1464-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing