raccoon | b297a76de5182907a69a878cf161ca65b274152eb92a9d9591248ac4f5494dcf

Resubmissions

20-02-2023 05:56

230220-gm5ehshc71 10

20-02-2023 05:51

230220-gkf9xahc7z 1

Analysis

max time kernel
392s
max time network
440s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-02-2023 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MDE_File_Sample_0a.zip
Size

1.4MB
MD5

969c76c606bd18792bc2acb3944d76c1
SHA1

9df39202fdb533508c51b9efcc3eb169a10d8c1b
SHA256

b297a76de5182907a69a878cf161ca65b274152eb92a9d9591248ac4f5494dcf
SHA512

6100009f7fc88bc22e7be41bbdc3fc8b1a4ba24fbe59abbe84646c5f2eafb84aab6cfbbfa3e4d199e308660f4dd35be3fc01afaeb70a61c4d823b044d37a3ac3
SSDEEP

24576:+hBNa4T6AUdB9fPGMmEOtIX8OxJNzmtXdBJTJyyZwn8cMV0VGkK122VNei2j5cne:+vBUf9TmEOtwFNSnBryyOnCyVGkK1f2b

Score

10^/10

raccoon ae72a9288d2ce774d14ddadddb8258c1 stealer

Malware Config

Extracted

Family

raccoon

Botnet

ae72a9288d2ce774d14ddadddb8258c1

http://83.217.11.11/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 5 IoCs

Processes:

Setup.exeSetup.exeSetup.exeSetup.exeSetup.exe

pid process

4848 Setup.exe
3488 Setup.exe
2808 Setup.exe
772 Setup.exe
1248 Setup.exe

pid	process
4848	Setup.exe
3488	Setup.exe
2808	Setup.exe
772	Setup.exe
1248	Setup.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Setup.exeSetup.exe

description	pid	process	target process
PID 4848 set thread context of 3488	4848	Setup.exe	Setup.exe
PID 2808 set thread context of 1248	2808	Setup.exe	Setup.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4764 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup.exe

pid process

2808 Setup.exe
2808 Setup.exe

pid	process
4764	NOTEPAD.EXE

pid	process
2808	Setup.exe
2808	Setup.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exe7zG.exeSetup.exe

description	pid	process
Token: SeRestorePrivilege	4740	7zG.exe
Token: 35	4740	7zG.exe
Token: SeSecurityPrivilege	4740	7zG.exe
Token: SeSecurityPrivilege	4740	7zG.exe
Token: SeRestorePrivilege	4748	7zG.exe
Token: 35	4748	7zG.exe
Token: SeSecurityPrivilege	4748	7zG.exe
Token: SeSecurityPrivilege	4748	7zG.exe
Token: SeDebugPrivilege	2808	Setup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid process

4740 7zG.exe
4748 7zG.exe

pid	process
4740	7zG.exe
4748	7zG.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Setup.exeSetup.exe

description	pid	process	target process
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 4848 wrote to memory of 3488	4848	Setup.exe	Setup.exe
PID 2808 wrote to memory of 772	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 772	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 772	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe
PID 2808 wrote to memory of 1248	2808	Setup.exe	Setup.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a.zip
1⤵
PID:2728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1436

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\" -spe -an -ai#7zMap1162:116:7zEvent7569
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4740

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\" -an -ai#7zMap5376:128:7zEvent10173
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4748

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\langs\Korean.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:4764

C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe"
2⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe"
2⤵
- Executes dropped EXE
PID:772

C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe"
2⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
Filesize
438.2MB

MD5
5b1914a62235a396b7caed0b6625dd97

SHA1
c53b265f1101cc775cc591d312de6072fa53ce6e

SHA256
e5b78dd4d31d810e37a8b53d20c3351afe8e6186d90abd026d1d051a6e39ddeb

SHA512
fd6f81bac09781d52221fb86d7f2def9b8fb1df80dee6757c9865a86c9ce48edda0ab1d5e452fc4fa3ccb1658bc1d5cb7d30a76b7360c4bb77b311f1f1d5b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
Filesize
438.2MB

MD5
5b1914a62235a396b7caed0b6625dd97

SHA1
c53b265f1101cc775cc591d312de6072fa53ce6e

SHA256
e5b78dd4d31d810e37a8b53d20c3351afe8e6186d90abd026d1d051a6e39ddeb

SHA512
fd6f81bac09781d52221fb86d7f2def9b8fb1df80dee6757c9865a86c9ce48edda0ab1d5e452fc4fa3ccb1658bc1d5cb7d30a76b7360c4bb77b311f1f1d5b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
Filesize
438.2MB

MD5
5b1914a62235a396b7caed0b6625dd97

SHA1
c53b265f1101cc775cc591d312de6072fa53ce6e

SHA256
e5b78dd4d31d810e37a8b53d20c3351afe8e6186d90abd026d1d051a6e39ddeb

SHA512
fd6f81bac09781d52221fb86d7f2def9b8fb1df80dee6757c9865a86c9ce48edda0ab1d5e452fc4fa3ccb1658bc1d5cb7d30a76b7360c4bb77b311f1f1d5b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
Filesize
438.2MB

MD5
5b1914a62235a396b7caed0b6625dd97

SHA1
c53b265f1101cc775cc591d312de6072fa53ce6e

SHA256
e5b78dd4d31d810e37a8b53d20c3351afe8e6186d90abd026d1d051a6e39ddeb

SHA512
fd6f81bac09781d52221fb86d7f2def9b8fb1df80dee6757c9865a86c9ce48edda0ab1d5e452fc4fa3ccb1658bc1d5cb7d30a76b7360c4bb77b311f1f1d5b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
Filesize
438.2MB

MD5
5b1914a62235a396b7caed0b6625dd97

SHA1
c53b265f1101cc775cc591d312de6072fa53ce6e

SHA256
e5b78dd4d31d810e37a8b53d20c3351afe8e6186d90abd026d1d051a6e39ddeb

SHA512
fd6f81bac09781d52221fb86d7f2def9b8fb1df80dee6757c9865a86c9ce48edda0ab1d5e452fc4fa3ccb1658bc1d5cb7d30a76b7360c4bb77b311f1f1d5b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.exe
Filesize
438.2MB

MD5
5b1914a62235a396b7caed0b6625dd97

SHA1
c53b265f1101cc775cc591d312de6072fa53ce6e

SHA256
e5b78dd4d31d810e37a8b53d20c3351afe8e6186d90abd026d1d051a6e39ddeb

SHA512
fd6f81bac09781d52221fb86d7f2def9b8fb1df80dee6757c9865a86c9ce48edda0ab1d5e452fc4fa3ccb1658bc1d5cb7d30a76b7360c4bb77b311f1f1d5b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\Setup.zip
Filesize
2.1MB

MD5
1c0e338fedd048d756fb05ebf9e7335d

SHA1
0af9a6504f7a0a374ab1b3708e4ac0eb7472b056

SHA256
807ac5cff37246787ccfa65ed01a0ae8e03ec7299a62b8b9b907551188e323d3

SHA512
f484ac8b3ceb3a983be585b784551bf7ad86559fff35fcc4524de89b0151a32853cccd4ea665d091699eade39ca0a8dc7b65d6ec030faa9c1ae2e5954fb8dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_0a\langs\Korean.ini
Filesize
91KB

MD5
efae0c78be2abe2920c78b9d4785ab45

SHA1
8c0799fb68852cb071bbe260deb4ab357bd5f4ed

SHA256
ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132

SHA512
44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8

Download Submit
memory/1248-343-0x00000000004088ED-mapping.dmp

Download
memory/1248-404-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2808-338-0x0000000004DE0000-0x0000000004DF6000-memory.dmp

Filesize
88KB

Download
memory/3488-255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3488-201-0x00000000004088ED-mapping.dmp

Download
memory/4848-154-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-169-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-128-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-129-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-130-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-131-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-132-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-133-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-134-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-135-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-136-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-137-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-138-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-139-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-140-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-141-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-142-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-143-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-144-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-145-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-146-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-147-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-148-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-149-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-151-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-152-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-150-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-153-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-125-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-156-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-158-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-159-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-161-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-162-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-164-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-166-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-167-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-127-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-171-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-173-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-175-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-176-0x0000000005B40000-0x000000000603E000-memory.dmp

Filesize
5.0MB

Download
memory/4848-178-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/4848-180-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-183-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-185-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-187-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/4848-186-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/4848-184-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-195-0x00000000058E0000-0x00000000058F6000-memory.dmp

Filesize
88KB

Download
memory/4848-182-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-181-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-179-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-177-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-174-0x0000000000D40000-0x0000000000E58000-memory.dmp

Filesize
1.1MB

Download
memory/4848-172-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-170-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-168-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-165-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-163-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-160-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-157-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-155-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-124-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-123-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-122-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-121-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-120-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-119-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-118-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-196-0x0000000001280000-0x000000000128A000-memory.dmp

Filesize
40KB

Download
memory/4848-198-0x0000000007440000-0x00000000074BE000-memory.dmp

Filesize
504KB

Download
memory/4848-199-0x00000000074C0000-0x0000000007506000-memory.dmp

Filesize
280KB

Download