raccoon | 0379ee5acb117a629b1b0483986578dea456c2cc58b053a2a4a1f6666853908b

Analysis

max time kernel
155s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppSetup/Setup.exe
Size

733.1MB
MD5

d5bb80569e355d6e65de761d46b39da0
SHA1

8731c0883164cc951e3e80be5c64ef09400324a7
SHA256

213ec8ae881fbf7821c8e6574f37452bc6bb92f93ac634aa43adb5300138e614
SHA512

1b3593c746b79a056c15b7fe8c91c2f38685bb32eb924e34d94ba64c42cf41014ba52f2ef2bc8140837fb05f2fa04ffce92ca694c72faf9461cab88fbf805d9d
SSDEEP

393216:fCnzmUSYCLfqwNh5kbGUf/t1ow5QnBE6Ye:fJUSrLS8hObGUdf50a7e

Score

10^/10

raccoon 717609e6131226f92ce8ce08c34305be discovery persistence spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

717609e6131226f92ce8ce08c34305be

http://45.9.74.170

http://77.73.134.43

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	LID405D5.exe

Executes dropped EXE 3 IoCs

pid	Process
1976	LID405D5.exe
4708	A6o86hd5.exe
4284	MicrosoftDocuments-tupe0.9.3.0.exe

Loads dropped DLL 3 IoCs

pid	Process
644	Setup.exe
644	Setup.exe
644	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002315a-185.dat	upx
behavioral2/files/0x000800000002315a-189.dat	upx
behavioral2/files/0x000800000002315a-188.dat	upx
behavioral2/memory/1976-190-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/1976-191-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/1976-192-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/1976-205-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/files/0x000700000002315d-212.dat	upx
behavioral2/files/0x000700000002315d-214.dat	upx
behavioral2/memory/1976-213-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/4284-216-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/4284-217-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/4284-218-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx
behavioral2/memory/4284-219-0x0000000140000000-0x0000000140A5A000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	LID405D5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftDocuments-tupe0.9.3.0 = "C:\\ProgramData\\MicrosoftDocuments-tupe0.9.3.0\\MicrosoftDocuments-tupe0.9.3.0.exe"	LID405D5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
644	Setup.exe
644	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	Setup.exe
644	Setup.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1976	644	Setup.exe	89
PID 644 wrote to memory of 1976	644	Setup.exe	89
PID 644 wrote to memory of 4708	644	Setup.exe	90
PID 644 wrote to memory of 4708	644	Setup.exe	90
PID 4708 wrote to memory of 4172	4708	A6o86hd5.exe	92
PID 4708 wrote to memory of 4172	4708	A6o86hd5.exe	92
PID 4172 wrote to memory of 4432	4172	cmd.exe	94
PID 4172 wrote to memory of 4432	4172	cmd.exe	94
PID 1976 wrote to memory of 4284	1976	LID405D5.exe	96
PID 1976 wrote to memory of 4284	1976	LID405D5.exe	96

C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\AppSetup\Setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Roaming\LID405D5.exe
  "C:\Users\Admin\AppData\Roaming\LID405D5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\ProgramData\MicrosoftDocuments-tupe0.9.3.0\MicrosoftDocuments-tupe0.9.3.0.exe
    "C:\ProgramData\MicrosoftDocuments-tupe0.9.3.0\MicrosoftDocuments-tupe0.9.3.0.exe"
    3⤵
    - Executes dropped EXE
    PID:4284
- C:\Users\Admin\AppData\Local\Temp\A6o86hd5.exe
  "C:\Users\Admin\AppData\Local\Temp\A6o86hd5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\A6o86hd5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftDocuments-tupe0.9.3.0\MicrosoftDocuments-tupe0.9.3.0.exe

Filesize
749.3MB

MD5
7691e1a3c346c9c3edc928fc0bb7519f

SHA1
fb25a94dfc212f9c2a6554914e667ad5336817e2

SHA256
93fbb95a07f31179319500ee3feaad6ba1d5cc4f72ff4b3d23e55867773c0f61

SHA512
1a497498621cfb88940ce9cae71131343c5012a277f81ec97ad867570c2baf124918b3646969b08bd07e225adf631295f5aebc28a83db672566b322a420ba794

Download Submit
C:\ProgramData\MicrosoftDocuments-tupe0.9.3.0\MicrosoftDocuments-tupe0.9.3.0.exe

Filesize
749.3MB

MD5
7691e1a3c346c9c3edc928fc0bb7519f

SHA1
fb25a94dfc212f9c2a6554914e667ad5336817e2

SHA256
93fbb95a07f31179319500ee3feaad6ba1d5cc4f72ff4b3d23e55867773c0f61

SHA512
1a497498621cfb88940ce9cae71131343c5012a277f81ec97ad867570c2baf124918b3646969b08bd07e225adf631295f5aebc28a83db672566b322a420ba794

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6o86hd5.exe

Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6o86hd5.exe

Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6o86hd5.exe

Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
C:\Users\Admin\AppData\Roaming\LID405D5.exe

Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
C:\Users\Admin\AppData\Roaming\LID405D5.exe

Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
C:\Users\Admin\AppData\Roaming\LID405D5.exe

Filesize
7.7MB

MD5
fa0e319484845c1333e5c1e621659027

SHA1
16c33976ef8a5aa1114f2bef9feea5007fa7491e

SHA256
d3d00022e02c57c638d7738e661be715aa74866d8b7495e74b72e0c0f75695dd

SHA512
a9769f0568ea6a05303e2eed6c93b7fab2dda8e9ae6d7d398270b0ef5c9b74884e84842c7b9566f38f772a06eee3a40609f8b412ff96544435a0c852ddb3ebed

Download Submit
memory/644-133-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/644-134-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download
memory/644-135-0x0000000000400000-0x0000000001B75000-memory.dmp

Filesize
23.5MB

Download
memory/644-187-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/1976-205-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1976-192-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1976-191-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1976-190-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/1976-213-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/4284-216-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/4284-217-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/4284-218-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/4284-219-0x0000000140000000-0x0000000140A5A000-memory.dmp

Filesize
10.4MB

Download
memory/4708-204-0x0000000000700000-0x000000000154F000-memory.dmp

Filesize
14.3MB

Download