raccoon | 2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8

General

Target

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe
Size

18.6MB
MD5

acae63bd282eddc81ba34df297f7acd1
SHA1

6b315d895b86b90da5a3c705c4c0c483a587e691
SHA256

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8
SHA512

5bc0e63df4201c160d0ae4b466b74d891a74d4b62f88850c7fe2c63e21644fdc45f09d43bf74578e2c331f09c23e653fe8337b73dca41b04087eeb71a9c79cf0

Score

10^/10

raccoon 01477de985736a9649ba17ce7a0e68e3dc416fa9 stealer

Malware Config

Extracted

Family

raccoon

Botnet

01477de985736a9649ba17ce7a0e68e3dc416fa9

Attributes

url4cnc
https://telete.in/jmaybech

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-153-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/4832-155-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/4832-156-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/4832-157-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 5 IoCs

Processes:

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmpRevo.Uninstaller.Pro.4.3.3.exef039239f.exeRevo.Uninstaller.Pro.4.3.3.tmpf039239f.exe

pid	process
3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
480	Revo.Uninstaller.Pro.4.3.3.exe
2120	f039239f.exe
4876	Revo.Uninstaller.Pro.4.3.3.tmp
4832	f039239f.exe

Loads dropped DLL 1 IoCs

Processes:

f039239f.exe

pid process

2120 f039239f.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

f039239f.exe

description pid process target process

PID 2120 set thread context of 4832 2120 f039239f.exe f039239f.exe

pid	process
2120	f039239f.exe

description	pid	process	target process
PID 2120 set thread context of 4832	2120	f039239f.exe	f039239f.exe

Drops file in Program Files directory 5 IoCs

Processes:

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft KB64513\Revo.Uninstaller.Pro.4.3.3.exe	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
File opened for modification	C:\Program Files (x86)\Windows NT\f039239f.exe	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
File created	C:\Program Files (x86)\Microsoft KB64513\is-IU47L.tmp	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
File created	C:\Program Files (x86)\Windows NT\is-9N6NE.tmp	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
File created	C:\Program Files (x86)\Windows NT\is-VG5JK.tmp	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmpOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmpf039239f.exe

pid	process
3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
2120	f039239f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f039239f.exe

description pid process

Token: SeDebugPrivilege 2120 f039239f.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp

pid process

3428 2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4200 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	2120	f039239f.exe

pid	process
4200	OpenWith.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmpRevo.Uninstaller.Pro.4.3.3.exef039239f.exe

description	pid	process	target process
PID 3176 wrote to memory of 3428	3176	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
PID 3176 wrote to memory of 3428	3176	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
PID 3176 wrote to memory of 3428	3176	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
PID 3428 wrote to memory of 480	3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp	Revo.Uninstaller.Pro.4.3.3.exe
PID 3428 wrote to memory of 480	3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp	Revo.Uninstaller.Pro.4.3.3.exe
PID 3428 wrote to memory of 480	3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp	Revo.Uninstaller.Pro.4.3.3.exe
PID 3428 wrote to memory of 2120	3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp	f039239f.exe
PID 3428 wrote to memory of 2120	3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp	f039239f.exe
PID 3428 wrote to memory of 2120	3428	2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp	f039239f.exe
PID 480 wrote to memory of 4876	480	Revo.Uninstaller.Pro.4.3.3.exe	Revo.Uninstaller.Pro.4.3.3.tmp
PID 480 wrote to memory of 4876	480	Revo.Uninstaller.Pro.4.3.3.exe	Revo.Uninstaller.Pro.4.3.3.tmp
PID 480 wrote to memory of 4876	480	Revo.Uninstaller.Pro.4.3.3.exe	Revo.Uninstaller.Pro.4.3.3.tmp
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe
PID 2120 wrote to memory of 4832	2120	f039239f.exe	f039239f.exe

C:\Users\Admin\AppData\Local\Temp\2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe
"C:\Users\Admin\AppData\Local\Temp\2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\is-9BNSO.tmp\2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9BNSO.tmp\2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp" /SL5="$9004C,18722675,848384,C:\Users\Admin\AppData\Local\Temp\2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3428

C:\Program Files (x86)\Microsoft KB64513\Revo.Uninstaller.Pro.4.3.3.exe
"C:\Program Files (x86)\Microsoft KB64513\Revo.Uninstaller.Pro.4.3.3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480

C:\Users\Admin\AppData\Local\Temp\is-06UR6.tmp\Revo.Uninstaller.Pro.4.3.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-06UR6.tmp\Revo.Uninstaller.Pro.4.3.3.tmp" /SL5="$101F4,16350626,188928,C:\Program Files (x86)\Microsoft KB64513\Revo.Uninstaller.Pro.4.3.3.exe"
4⤵
- Executes dropped EXE
PID:4876

C:\Program Files (x86)\Windows NT\f039239f.exe
"C:\Program Files (x86)\Windows NT\f039239f.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files (x86)\Windows NT\f039239f.exe
"C:\Program Files (x86)\Windows NT\f039239f.exe"
4⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft KB64513\Revo.Uninstaller.Pro.4.3.3.exe
Filesize
16.1MB

MD5
1540ebe79933021c71b37d11ca590c6e

SHA1
5c3f54e29894d5d973e5a06d9b9cf53f723bcacf

SHA256
4c4258c10a1e7a0e7ab5529e68467cf23f5835621cff6dae204da456858d622a

SHA512
43ffc343ac95b52d62f2e918e8c5d7a65fd59a5f165643dbfadc4610b50d1460bdf561ab6ac0c02aa587abc0992acbaa2af6ef73f1b2ac75371d6d30292bb2d5

Download Submit
C:\Program Files (x86)\Microsoft KB64513\Revo.Uninstaller.Pro.4.3.3.exe
Filesize
16.1MB

MD5
1540ebe79933021c71b37d11ca590c6e

SHA1
5c3f54e29894d5d973e5a06d9b9cf53f723bcacf

SHA256
4c4258c10a1e7a0e7ab5529e68467cf23f5835621cff6dae204da456858d622a

SHA512
43ffc343ac95b52d62f2e918e8c5d7a65fd59a5f165643dbfadc4610b50d1460bdf561ab6ac0c02aa587abc0992acbaa2af6ef73f1b2ac75371d6d30292bb2d5

Download Submit
C:\Program Files (x86)\Windows NT\f039239f.exe
Filesize
1.8MB

MD5
498ee8e0a622a28f152d477ebf142d6e

SHA1
8dc76e53a1dab943ee04f74b60be5e993fc74dbe

SHA256
551a34381ee16c60338b979253f2e760e9025db180cf97b81fdb7cccbc5ab6fe

SHA512
6f0b51f0da103c2a445a13cf12d0c1c71060551bf5444434f88bef951a2cae91f93e7ae097bc92275cdf6f8eeb22beb965dd88e30a88ce9ec3cca3d4701a3820

Download Submit
C:\Program Files (x86)\Windows NT\f039239f.exe
Filesize
1.8MB

MD5
498ee8e0a622a28f152d477ebf142d6e

SHA1
8dc76e53a1dab943ee04f74b60be5e993fc74dbe

SHA256
551a34381ee16c60338b979253f2e760e9025db180cf97b81fdb7cccbc5ab6fe

SHA512
6f0b51f0da103c2a445a13cf12d0c1c71060551bf5444434f88bef951a2cae91f93e7ae097bc92275cdf6f8eeb22beb965dd88e30a88ce9ec3cca3d4701a3820

Download Submit
C:\Program Files (x86)\Windows NT\f039239f.exe
Filesize
1.8MB

MD5
498ee8e0a622a28f152d477ebf142d6e

SHA1
8dc76e53a1dab943ee04f74b60be5e993fc74dbe

SHA256
551a34381ee16c60338b979253f2e760e9025db180cf97b81fdb7cccbc5ab6fe

SHA512
6f0b51f0da103c2a445a13cf12d0c1c71060551bf5444434f88bef951a2cae91f93e7ae097bc92275cdf6f8eeb22beb965dd88e30a88ce9ec3cca3d4701a3820

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-06UR6.tmp\Revo.Uninstaller.Pro.4.3.3.tmp
Filesize
1.2MB

MD5
d0bf64e27284709966a4e2efef3233ef

SHA1
f3d6c99e57ae9dda35fc24bbf4c1eb1e08a875f0

SHA256
2019350b1451f4653d27c33b1c034155ce81534f318cd2e3591dd2ee73c77f09

SHA512
4ef3c96a47327c6a061b3b71451018e83936670efd7eb17d60b5a834218ae39614d8c68cb2c0b31a423742a6d8e41eabcecea3e13d5fad728f8745bd9dc2984b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9BNSO.tmp\2ed43f85bed23891c761f22ed421c005ba4551fb67d4355bcacd56a7270871c8.tmp
Filesize
2.5MB

MD5
cf332a6cc7a11f07445e5c83453b03dc

SHA1
69f4ff246361e4c601130b3d1419a6831d6af3b1

SHA256
4386798103acce7553b34c364f27e21e584e58afa6403702387813f6bae244b4

SHA512
a2b5ae8acda93c362d4d96f11c497647e7b6c06ed76663475006d4bacf0f15c7e7ec572241e8c528335f51dab49c64ec6aa085fb0144a29eb3fb9520a88e35f8

Download Submit
memory/480-146-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/480-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/480-135-0x0000000000000000-mapping.dmp

Download
memory/2120-151-0x00000000725A0000-0x0000000072629000-memory.dmp

Filesize
548KB

Download
memory/2120-140-0x0000000000000000-mapping.dmp

Download
memory/2120-145-0x0000000000170000-0x0000000000346000-memory.dmp

Filesize
1.8MB

Download
memory/2120-147-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/2120-148-0x0000000005230000-0x0000000005274000-memory.dmp

Filesize
272KB

Download
memory/2120-149-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/3176-132-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3176-130-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3428-133-0x0000000000000000-mapping.dmp

Download
memory/4832-152-0x0000000000000000-mapping.dmp

Download
memory/4832-153-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4832-155-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4832-156-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4832-157-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4876-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads