Overview

overview

10

Static

static

setup.exe

windows7-x64

1

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    75s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2023 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    728.2MB

  • MD5

    638f6d4d8de4a680a2f3e1c7c760d7e2

  • SHA1

    926091f5e95263b9eed4c059fc2841e22339bb53

  • SHA256

    4b9dbcd9bebacee97e2d97d4d3b648bdada5ffd391ae1c31b36bff5066884e45

  • SHA512

    f83045c22af503eb23ef66208ad6474ec41293bf1c3764d66f9ff039579f02a46d5887a21f3751a31df65d13d6c730cea69f3ddccf0f4cef03495605e7c6084f

  • SSDEEP

    196608:xW4Es4CSLvvC/KHJ3tffLVAnz6hMDLT6KWNiUEq:zJSLvvW4BhjSnei1AiUT

Score
10/10
raccoonf26f614d4c0bc2bcd6601785661fb5cfdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

f26f614d4c0bc2bcd6601785661fb5cf

C2

http://77.73.134.82

http://83.217.11.23
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Roaming\35M9Xth7.exe
      "C:\Users\Admin\AppData\Roaming\35M9Xth7.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\ProgramData\TemplatesDocuments-type8.9.1.9\TemplatesDocuments-type8.9.1.9.exe
        "C:\ProgramData\TemplatesDocuments-type8.9.1.9\TemplatesDocuments-type8.9.1.9.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1668
    • C:\Users\Admin\AppData\Local\Temp\35IIE57s.exe
      "C:\Users\Admin\AppData\Local\Temp\35IIE57s.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\35IIE57s.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
            PID:3720

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\TemplatesDocuments-type8.9.1.9\TemplatesDocuments-type8.9.1.9.exe
      Filesize

      142.8MB

      MD5

      fc00727de835fad1c296e2899220074c

      SHA1

      2a83993aa50c734906b23787d098e90db86173a4

      SHA256

      8481ebe64e4a21e1727d5707f0663efa87ff107be87feba4f2e93c2d9088341c

      SHA512

      afa4391096de6511334d15e413b8ad88fc87e7ecd1388dd3c5f109cfdf4ca9900e18d54e04ef43851d7a868f1984795d1334a183ea9e2303cb87c5b9e18e2c0a

      Download Submit
    • C:\ProgramData\TemplatesDocuments-type8.9.1.9\TemplatesDocuments-type8.9.1.9.exe
      Filesize

      141.3MB

      MD5

      bfdce98e042181134d1e14200e3d6496

      SHA1

      fa421647a2a39b4f01ce7ece57932d08b1eb7806

      SHA256

      c60b2fc85b37b4f406a7155b7b9f0df75e1449e3d1297dc9737b471e4cb5064a

      SHA512

      778d2cfb391626cb45ceedf39f7a57f234de6d14c782a7ba32bdc5ce2202b5adac61f2b76ee1d896fed762ce04f8432d0494a3cc8a8c591452d5b2cfc76e45f2

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\mozglue.dll
      Filesize

      612KB

      MD5

      f07d9977430e762b563eaadc2b94bbfa

      SHA1

      da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

      SHA256

      4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

      SHA512

      6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\nss3.dll
      Filesize

      1.9MB

      MD5

      f67d08e8c02574cbc2f1122c53bfb976

      SHA1

      6522992957e7e4d074947cad63189f308a80fcf2

      SHA256

      c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

      SHA512

      2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
      Filesize

      1.0MB

      MD5

      dbf4f8dcefb8056dc6bae4b67ff810ce

      SHA1

      bbac1dd8a07c6069415c04b62747d794736d0689

      SHA256

      47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

      SHA512

      b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\35IIE57s.exe
      Filesize

      7.4MB

      MD5

      0af814821cb254e4d0bcf37ba3a2e5e8

      SHA1

      370cb64323444508d45e0060d1887929dc3eaacf

      SHA256

      7841746c54c53dbcafdf3f357c7a84b90fe3b089e07f30dea15ef6f7f15b0f00

      SHA512

      1e2dce182b667c789b38ca6f97772df97f410f61fc587c5b1b3e0d6801d9b0fb0bb8fb956dbe1f600d688fe6ec31850873ab565d0d938dbc2cef8041b8e24c20

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\35IIE57s.exe
      Filesize

      7.4MB

      MD5

      0af814821cb254e4d0bcf37ba3a2e5e8

      SHA1

      370cb64323444508d45e0060d1887929dc3eaacf

      SHA256

      7841746c54c53dbcafdf3f357c7a84b90fe3b089e07f30dea15ef6f7f15b0f00

      SHA512

      1e2dce182b667c789b38ca6f97772df97f410f61fc587c5b1b3e0d6801d9b0fb0bb8fb956dbe1f600d688fe6ec31850873ab565d0d938dbc2cef8041b8e24c20

      Download Submit
    • C:\Users\Admin\AppData\Roaming\35M9Xth7.exe
      Filesize

      10.7MB

      MD5

      17ff5c0e8cb97f073485f19fb2609bff

      SHA1

      5d5c44242f1393d9b8d8be4802c493f99a733644

      SHA256

      44e64fc7ad04e48dc95953d5000b539ceed71828f1ea71215ff6d60588a96203

      SHA512

      fca01b4b71852c4dd939407de834546f0e9e1f715d33a26b9f6f2a5821f315d682dd53f05e96b5cffe264aa81f5e8de4694c49c3606848c9003bbe009972c4cf

      Download Submit
    • C:\Users\Admin\AppData\Roaming\35M9Xth7.exe
      Filesize

      10.7MB

      MD5

      17ff5c0e8cb97f073485f19fb2609bff

      SHA1

      5d5c44242f1393d9b8d8be4802c493f99a733644

      SHA256

      44e64fc7ad04e48dc95953d5000b539ceed71828f1ea71215ff6d60588a96203

      SHA512

      fca01b4b71852c4dd939407de834546f0e9e1f715d33a26b9f6f2a5821f315d682dd53f05e96b5cffe264aa81f5e8de4694c49c3606848c9003bbe009972c4cf

      Download Submit
    • memory/1668-161-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/1668-160-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/1668-157-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/1668-152-0x0000000000000000-mapping.dmp
      Download
    • memory/3720-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3748-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3748-148-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/3748-151-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/3748-156-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/3748-141-0x0000000140000000-0x000000014110F000-memory.dmp
      Filesize

      17.1MB

      Download
    • memory/4404-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4616-146-0x0000000000000000-mapping.dmp
      Download
    • memory/4872-137-0x0000000000400000-0x0000000000FDC000-memory.dmp
      Filesize

      11.9MB

      Download
    • memory/4872-145-0x0000000000400000-0x0000000000FDC000-memory.dmp
      Filesize

      11.9MB

      Download
    • memory/4872-132-0x0000000000400000-0x0000000000FDC000-memory.dmp
      Filesize

      11.9MB

      Download