raccoon | 0ecb8ecf9516eba75d193a532fbbd5acd5d5c8794eb69c97110a911323c65584

General

Target

updatechannel3.exe
Size

12KB
MD5

4f50605a46c47d765ff37b8751760505
SHA1

61644ff438213b0d3bd7d439f538278f09c45ee5
SHA256

0ecb8ecf9516eba75d193a532fbbd5acd5d5c8794eb69c97110a911323c65584
SHA512

1a4c5f186213de6a48d1c4d94419efd460babb927482628578c6749cf6b8cb4e06caf854d5a8b14ee9b432585364e5051563b41d1d6810103a6a2a2fe1835e56

Score

10^/10

raccoon 3d7990f080e9dcb56104447e3789dec4380efc8b discovery persistence spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

3d7990f080e9dcb56104447e3789dec4380efc8b

Attributes

url4cnc
https://telete.in/jvadikkamushkin

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

txNV8lUmrL5MZGY0vfhAAwyk.exe3UpGTFZVNboVxGDX2x4ob3CN.exe

pid process

2236 txNV8lUmrL5MZGY0vfhAAwyk.exe
3092 3UpGTFZVNboVxGDX2x4ob3CN.exe
Loads dropped DLL 1 IoCs

Processes:

3UpGTFZVNboVxGDX2x4ob3CN.exe

pid process

3092 3UpGTFZVNboVxGDX2x4ob3CN.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2236	txNV8lUmrL5MZGY0vfhAAwyk.exe
3092	3UpGTFZVNboVxGDX2x4ob3CN.exe

pid	process
3092	3UpGTFZVNboVxGDX2x4ob3CN.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

updatechannel3.exetxNV8lUmrL5MZGY0vfhAAwyk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\jTQWprYmh0fMVg8m7Oyv3BaaQWLYa0r6 = "C:\\Users\\Admin\\Documents\\txNV8lUmrL5MZGY0vfhAAwyk.exe"	updatechannel3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgfQ2ZTYcloFyyU5uo2S0tWFQ6M2M106 = "C:\\Users\\Admin\\AppData\\Roaming\\3UpGTFZVNboVxGDX2x4ob3CN.exe"	txNV8lUmrL5MZGY0vfhAAwyk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\xbnGjNrAeDVFpgWozdkbOXxDJZA6MbMl = "C:\\Users\\Admin\\AppData\\Roaming\\DdGamEekZycyqUmKcJYVGHpo.exe"	txNV8lUmrL5MZGY0vfhAAwyk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsSWKOWg62xxXRaujhDtQYsanj6JNvxD = "C:\\Users\\Admin\\AppData\\Roaming\\kdKccOCLGrGXjVZx7Uj5J9DV.exe"	txNV8lUmrL5MZGY0vfhAAwyk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4452 timeout.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

updatechannel3.exetxNV8lUmrL5MZGY0vfhAAwyk.exe

description pid process

Token: SeDebugPrivilege 4704 updatechannel3.exe
Token: SeDebugPrivilege 2236 txNV8lUmrL5MZGY0vfhAAwyk.exe

pid	process
4452	timeout.exe

description	pid	process
Token: SeDebugPrivilege	4704	updatechannel3.exe
Token: SeDebugPrivilege	2236	txNV8lUmrL5MZGY0vfhAAwyk.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

updatechannel3.exetxNV8lUmrL5MZGY0vfhAAwyk.exe3UpGTFZVNboVxGDX2x4ob3CN.execmd.exe

description	pid	process	target process
PID 4704 wrote to memory of 2236	4704	updatechannel3.exe	txNV8lUmrL5MZGY0vfhAAwyk.exe
PID 4704 wrote to memory of 2236	4704	updatechannel3.exe	txNV8lUmrL5MZGY0vfhAAwyk.exe
PID 2236 wrote to memory of 3092	2236	txNV8lUmrL5MZGY0vfhAAwyk.exe	3UpGTFZVNboVxGDX2x4ob3CN.exe
PID 2236 wrote to memory of 3092	2236	txNV8lUmrL5MZGY0vfhAAwyk.exe	3UpGTFZVNboVxGDX2x4ob3CN.exe
PID 2236 wrote to memory of 3092	2236	txNV8lUmrL5MZGY0vfhAAwyk.exe	3UpGTFZVNboVxGDX2x4ob3CN.exe
PID 3092 wrote to memory of 4500	3092	3UpGTFZVNboVxGDX2x4ob3CN.exe	cmd.exe
PID 3092 wrote to memory of 4500	3092	3UpGTFZVNboVxGDX2x4ob3CN.exe	cmd.exe
PID 3092 wrote to memory of 4500	3092	3UpGTFZVNboVxGDX2x4ob3CN.exe	cmd.exe
PID 4500 wrote to memory of 4452	4500	cmd.exe	timeout.exe
PID 4500 wrote to memory of 4452	4500	cmd.exe	timeout.exe
PID 4500 wrote to memory of 4452	4500	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\updatechannel3.exe
"C:\Users\Admin\AppData\Local\Temp\updatechannel3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe
"C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe
"C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe
MD5
28345a7bb63babaf99e760965ce493b7

SHA1
7e752390f6ebca4e1e8889302549be4dd0845f62

SHA256
f9349585a2393d4378e283e73fc48d04941666ec0ccae4dd2fb68c2cad7ac9a1

SHA512
d0692febe87dafca3db8b8934003f3b3c7d9bddd3761c60c4945878787b410b581eea042cb133dd255ab4f41e473f43571d45612eaedcc3508a49b63c4594ce5

Download Submit
C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe
MD5
28345a7bb63babaf99e760965ce493b7

SHA1
7e752390f6ebca4e1e8889302549be4dd0845f62

SHA256
f9349585a2393d4378e283e73fc48d04941666ec0ccae4dd2fb68c2cad7ac9a1

SHA512
d0692febe87dafca3db8b8934003f3b3c7d9bddd3761c60c4945878787b410b581eea042cb133dd255ab4f41e473f43571d45612eaedcc3508a49b63c4594ce5

Download Submit
C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe
MD5
6be41709f8bfbf06307cc56d04249801

SHA1
911d8ade72bef752233237351fbdb7a9f96e2cf0

SHA256
0099e62ea3beb0f1631eb088bd697fd829963713ef4cb0e3a0a72b8c950c2383

SHA512
8bc24e5f249ec4184ffba0db11dfcd7fc6bc7eae13af6ef8032abb0805f6fb61312759e7b5c46aa55a5d983e97148e3a071daec1fc38620baf4440a01c11150a

Download Submit
C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe
MD5
6be41709f8bfbf06307cc56d04249801

SHA1
911d8ade72bef752233237351fbdb7a9f96e2cf0

SHA256
0099e62ea3beb0f1631eb088bd697fd829963713ef4cb0e3a0a72b8c950c2383

SHA512
8bc24e5f249ec4184ffba0db11dfcd7fc6bc7eae13af6ef8032abb0805f6fb61312759e7b5c46aa55a5d983e97148e3a071daec1fc38620baf4440a01c11150a

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/2236-13-0x0000000002EA0000-0x0000000002EA2000-memory.dmp

Filesize
8KB

Download
memory/2236-7-0x0000000000000000-mapping.dmp

Download
memory/2236-10-0x00007FF8525B0000-0x00007FF852F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-11-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3092-19-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3092-14-0x0000000000000000-mapping.dmp

Download
memory/3092-17-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/3092-18-0x0000000001D30000-0x0000000001DC1000-memory.dmp

Filesize
580KB

Download
memory/4452-22-0x0000000000000000-mapping.dmp

Download
memory/4500-21-0x0000000000000000-mapping.dmp

Download
memory/4704-5-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4704-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/4704-6-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/4704-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing