raccoon | 2c7f86463ea0fbf195720c48288ec7fe03abec474b210865255bcf50e6108d94

Analysis

max time kernel
132s
max time network
125s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-11-2022 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

416/442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
Size

4.9MB
MD5

219bb798c25ca37572626da432a34c7f
SHA1

57ec641c709495090ddc9c4fb32edd2a067260e8
SHA256

442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571
SHA512

95ade4c8d7f18514a786f2d17d9499f6f2b1b9289fd77efd77eceaa6275bf8197b5461d91434612031ce8d80e7c5a9eaacccee1262d022720e6ce34483ecfdc5
SSDEEP

49152:Kkriz5EgVfFuVx3J4feF48vdtgjUiNaWuwfGi4gblMejACsKa43wVrMVnd7btHf:KmMEg9nf+tltBWahdCjvD3wVraX

Score

10^/10

raccoon 517bb0d640c1242c3f069aab3d1018d6 stealer

Malware Config

Extracted

Family

raccoon

Botnet

517bb0d640c1242c3f069aab3d1018d6

http://51.195.166.178/

http://5.252.177.22

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe

description	pid	process	target process
PID 1504 set thread context of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1112 powershell.exe

pid	process
1112	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
Token: SeDebugPrivilege	1112	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe

C:\Users\Admin\AppData\Local\Temp\416\442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
"C:\Users\Admin\AppData\Local\Temp\416\442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\416\442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
C:\Users\Admin\AppData\Local\Temp\416\442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
2⤵
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-72-0x0000000000408597-mapping.dmp

Download
memory/948-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1112-60-0x000000006EC80000-0x000000006F22B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-62-0x000000006EC80000-0x000000006F22B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-58-0x0000000000000000-mapping.dmp

Download
memory/1112-61-0x000000006EC80000-0x000000006F22B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-54-0x0000000001200000-0x00000000016E8000-memory.dmp

Filesize
4.9MB

Download
memory/1504-56-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-55-0x0000000000B80000-0x0000000000C62000-memory.dmp

Filesize
904KB

Download
memory/1504-57-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download

description	pid	process	target process
PID 1504 wrote to memory of 1112	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	powershell.exe
PID 1504 wrote to memory of 1112	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	powershell.exe
PID 1504 wrote to memory of 1112	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	powershell.exe
PID 1504 wrote to memory of 1112	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	powershell.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe
PID 1504 wrote to memory of 948	1504	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe	442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.exe