raccoon | f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6

General

Target

f7d51f78838308cdcd53b9c4f4af65e1.exe
Size

1.0MB
MD5

f7d51f78838308cdcd53b9c4f4af65e1
SHA1

cddc4f2499ffb79666db8b8c38d9f2c74b9ab219
SHA256

f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6
SHA512

3134ca19c1c0fe12a769b51909edfcc8da51b927e6414c7305d23280b8778de404759b8a56cd716a4c9fbda3f5e6b44ece160bceaa762011b35a3b40e930ae5e

Score

10^/10

raccoon ransomware stealer

Malware Config

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3012 created 720 3012 WerFault.exe covhostjv.exe
Executes dropped EXE 3 IoCs

Processes:

covhostjv.execovhostjv.execovhostjv.exe

pid process

3712 covhostjv.exe
2600 covhostjv.exe
720 covhostjv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

covhostjv.exe

description pid process target process

PID 2600 set thread context of 720 2600 covhostjv.exe covhostjv.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 720 WerFault.exe covhostjv.exe

description	pid	process	target process
PID 3012 created 720	3012	WerFault.exe	covhostjv.exe

pid	process
3712	covhostjv.exe
2600	covhostjv.exe
720	covhostjv.exe

description	pid	process	target process
PID 2600 set thread context of 720	2600	covhostjv.exe	covhostjv.exe

pid	pid_target	process	target process
3012	720	WerFault.exe	covhostjv.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

covhostjv.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2600	covhostjv.exe
Token: SeRestorePrivilege	3012	WerFault.exe
Token: SeBackupPrivilege	3012	WerFault.exe
Token: SeDebugPrivilege	3012	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f7d51f78838308cdcd53b9c4f4af65e1.execovhostjv.execovhostjv.exe

description	pid	process	target process
PID 652 wrote to memory of 3712	652	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 652 wrote to memory of 3712	652	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 652 wrote to memory of 3712	652	f7d51f78838308cdcd53b9c4f4af65e1.exe	covhostjv.exe
PID 3712 wrote to memory of 2600	3712	covhostjv.exe	covhostjv.exe
PID 3712 wrote to memory of 2600	3712	covhostjv.exe	covhostjv.exe
PID 3712 wrote to memory of 2600	3712	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe
PID 2600 wrote to memory of 720	2600	covhostjv.exe	covhostjv.exe

C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe
"C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
4⤵
- Executes dropped EXE
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1132
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
MD5
183d8e2e66b0cc0b44199f82bcac409f

SHA1
800b313a0c2dad044112e66d7f430cb30371a9fc

SHA256
2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2

SHA512
e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
MD5
183d8e2e66b0cc0b44199f82bcac409f

SHA1
800b313a0c2dad044112e66d7f430cb30371a9fc

SHA256
2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2

SHA512
e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
MD5
bc3e3ff5d9362e269d9ba267fe26497c

SHA1
52beeb5f353924f0b0e539003fda2cb2f9d1f6f5

SHA256
01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29

SHA512
cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Download Submit
memory/720-19-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/720-22-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/720-20-0x000000000043FA56-mapping.dmp

Download
memory/2600-13-0x00000000033A0000-0x00000000033BF000-memory.dmp

Filesize
124KB

Download
memory/2600-12-0x0000000003380000-0x0000000003397000-memory.dmp

Filesize
92KB

Download
memory/2600-14-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/2600-15-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2600-16-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/2600-17-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2600-18-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/2600-11-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2600-9-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2600-8-0x00000000729C0000-0x00000000730AE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-5-0x0000000000000000-mapping.dmp

Download
memory/3012-23-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3712-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads