8b8524d99c41e32912669ff4be7aba713495ad3fc03e345c5a7e16d473718e48

Sharing

Copy URL

Twitter E-mail

General

Target

Raccine.zip
Size

99.9MB
Sample

210806-3a93d4159a
MD5

c31efac8f32904485a5e0d81363a67fc
SHA1

1405480d18123ed0002387aad74c4a553b52dffc
SHA256

8b8524d99c41e32912669ff4be7aba713495ad3fc03e345c5a7e16d473718e48
SHA512

febb2c26df92a4a97eee4f0fe3065b5d463b305abf6f461ca878345d2a2da35684a4c3ac7368636b799d3158964c5a4c4c16cc65d588cfdcc11bb3983fb41f74

Score

10^/10

discovery persistence

Malware Config

Targets

- Target
  
  Raccine/Raccine.exe
- Size
  
  382KB
- MD5
  
  287f6cfbffd83b75a0f8f749b0f636f3
- SHA1
  
  5769f38bf61cab67a410ebf5e615ab008bf74a88
- SHA256
  
  e5364ce4bd1814e003215bff10dd2f191c33199260dfd2688d4f6cce4a7c75b8
- SHA512
  
  02380b27e955ed74cc4bbdc112b3bb91e0c049baa567b362ca5db2d2e1e9f988ebac60bc00619a5201f56eea39cae31071445906426723daa47f0bb294f7bc09
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1
- Target
  
  Raccine/RaccineElevatedCfg.exe
- Size
  
  90KB
- MD5
  
  3f3708857d63f18c1c647a59d282f55e
- SHA1
  
  80afa6f3102a1e0f237f8d2163c1129004dfd843
- SHA256
  
  2ea9a0b9956fc315abc9dee68c2763c050ec630bb1617b4d5216db785da96e27
- SHA512
  
  95d20388e9ee4bef1c4efc340d4b4f89a12710dd61967975e5b1e93b176d1ea0934dbe9fa7365dac643d2f2260aa9ed05a4f21abfd52cadfa432040961d53fa1
Score

1^/10
behavioral2
- Target
  
  Raccine/RaccineRulesSync.exe
- Size
  
  12KB
- MD5
  
  238ed776c03ddd1feb1e3b3a024e5f33
- SHA1
  
  f5d2cb5906f72d8692a5555c9bba887354613bca
- SHA256
  
  d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7
- SHA512
  
  9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076
Score

1^/10
behavioral3
- Target
  
  Raccine/RaccineSettings.exe
- Size
  
  96KB
- MD5
  
  29befacee533f2fefb428c39412df12c
- SHA1
  
  179545ba0f23a84ec2506fb743d5c9d3d0408f3a
- SHA256
  
  ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a
- SHA512
  
  51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d
Score

1^/10
behavioral4
- Target
  
  Raccine/Raccine_x86.exe
- Size
  
  324KB
- MD5
  
  6c8a8c4bc32e79840d50cb0a87c83b5e
- SHA1
  
  2f1eea6881a71cdef168675412b53c04dff01561
- SHA256
  
  aef89ecf82bea84200e94c7206386733a0bd82a8ae47a38fc5e2d14e0b601b48
- SHA512
  
  3277105f1711a3a62a55cc3d94f5be1e85b22644b3096ca91c5cae27f52fdf744ddbb0e65f2a8bd2bc70ec8737d58fde4753cd114bab5392b22feaec65f1cf32
Score

10^/10
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral5
- Target
  
  Raccine/install-raccine.bat
- Size
  
  10KB
- MD5
  
  be970aa8b06eb4dc9d2e83d31a1dcb8e
- SHA1
  
  150dfcff77b43ec46725680a268c0bc6e1950f83
- SHA256
  
  37aa4b39bb70e8a634e679276cbaf1db491d37f67843272ee1e6762797d7fb9c
- SHA512
  
  30c36e0c0d81b603790f96b514359cccad0cc1389c097dd8d10f2e5c9754d6d5a19531bea26a8270523a0e9b49ab11e42d67b9370b0719e373422edfc05aea4c
Score

1^/10
behavioral6
- Target
  
  Raccine/preqeq/NDP462-KB3151800-x86-x64-AllOS-ENU.exe
- Size
  
  59.1MB
- MD5
  
  9a5d647ee710af2b1aede329c40bbe1a
- SHA1
  
  a70f856bda33d45ad0a8ad035f73092441715431
- SHA256
  
  28886593e3b32f018241a4c0b745e564526dbb3295cb2635944e3a393f4278d4
- SHA512
  
  e183b33f93fd5f9aa93a1ec02103d2548ca22e3447ef2ceede89a5debefc4f2c20990567eb17afa412e0698d577adda373e433847ec8b79ec04be3c86edd9f0e
Score

1^/10
behavioral7
- Target
  
  Raccine/preqeq/vc_redist.x64.exe
- Size
  
  24.0MB
- MD5
  
  fb1cb75f59d98b5d1e1e31476cbe6f61
- SHA1
  
  10d155cef0ca585d94b24bc4be53c33dcbf91e7e
- SHA256
  
  a1592d3da2b27230c087a3b069409c1e82c2664b0d4c3b511701624702b2e2a3
- SHA512
  
  109f087ba2021e1ac85c404c202822f01dbc056acc933bf6ca30b67fc0f48711eb8f58ae15c4e4eb0693e80ecbd4fdf59df172244189c3f96fae1c329b77263e
Score

1^/10
behavioral8
- Target
  
  Raccine/preqeq/vc_redist.x86.exe
- Size
  
  13.5MB
- MD5
  
  7f5d52f979b732954e87c53dc9720fc0
- SHA1
  
  e99e5b17b0ad882833bbdc8cf798dc56f9947a5e
- SHA256
  
  ea92c3f93bc063d6da084faa854c131e37f1f2cb585cd1e62a3df9e03eacadff
- SHA512
  
  7104b2519c9b0edd4db9b6caf7ad1e4586be6bc64144048df747ff9625196397c249ca1e51562a24e68da863a05c7e0893ed54fd52fb117f60d05bb8b834d512
Score

10^/10
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral9
- Target
  
  Raccine/scripts/windows-hardening.bat
- Size
  
  32KB
- MD5
  
  45b6baf36e2cb69bb2c1a605756e42b4
- SHA1
  
  0e3b89708529a3fb1a97dcfb7fad4f27dd8a4b80
- SHA256
  
  d0651644e6f5e8ba1082f9a1573d0d985821a5ae7f36d52baa2dd224bf052905
- SHA512
  
  df790ddc9d82ddf345fe2a65f970b4e0e770448badaa6d675bebe3caff0e6b5d4911af4a7953e2d2d28d65d4a8c6cf2592d5f8f4edc3b91169e22a46a39e5110
Score

8^/10

discovery persistence
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10
- Target
  
  Raccine/yara/yara32.exe
- Size
  
  1.4MB
- MD5
  
  3c925b83553cb7c6178622583c400a0e
- SHA1
  
  361374efb75d6fe4510f529cb5a30e4159625b00
- SHA256
  
  e61f4b167e36da4e2fd182bb6764c174954816e72b27f65d33ae302bc8fcc92a
- SHA512
  
  1e8027b13dc39190018e63da515985960acecb25758a8c0df5dfb7b5fb231fb0ab794763e1907bdb28ddfc5e2be29817f5a54fa3221a5910747bb7360168537e
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral11
- Target
  
  Raccine/yara/yara64.exe
- Size
  
  2.1MB
- MD5
  
  21f3213da30e04e7eae6ab37873d96ed
- SHA1
  
  6f8e0f36136048bc11ad67c438188ae7c8cc493b
- SHA256
  
  63e9d2febb3705d5c9bc7489bcec2b957aaef8a5d13d0ebaedc65965d65947e6
- SHA512
  
  793e8f063b113a1a5cfe49281b895d0f9eba89874c331a1c0ff273ac374464e073bb6ebec8ba860900a4faf8e234b853f689b051a5cd9cb478f9eff702606598
Score

8^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral12
- Target
  
  Raccine/yara/yarac32.exe
- Size
  
  1.3MB
- MD5
  
  85aad79e102c92c2366e1448e26a88c6
- SHA1
  
  3ad4460e83c6e44424686f579e054833f6786114
- SHA256
  
  54f709ad06437bbdad56caa66ebd9236dc1b20f69b9eebb983ab99ef0bee4257
- SHA512
  
  3b9d0bbe72e5d6ce4e6ec627ff64afe255fd9b646a0307b28c11ef18f70222d9282e0ac4e7bfe1ee00fb8c05e9dff708c8545856a784360d93b8a2d3cb6f9a51
Score

7^/10

discovery
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral13
- Target
  
  Raccine/yara/yarac64.exe
- Size
  
  2.0MB
- MD5
  
  dd9eafefeb540c79e33d405341271316
- SHA1
  
  e6f216dc91072c3f235e35df55ec904a475fdaa6
- SHA256
  
  4f7eb7510796d4a83935628c208f63c953631678d27e610d4d482bbeb1b33f4d
- SHA512
  
  bce15ab61e6768722b5a020589441ab605c4960f3a7454535c5d1e8fca879c8b42bc994954bf936df0e55caa7be9a65cb00a99e1621b339ad0249ad6193ade92
Score

1^/10
behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

Enumerates connected drives

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateProcessExOtherParentProcess

Executes dropped EXE

Sets file execution options in registry

Modifies file permissions

Adds Run key to start application

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Loads dropped DLL

Checks installed software on the system

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14