raccoon | 3d54a6953f64c1a2eb09aafa05445a7fea14e2564d4548b3b464d3c84a3c8b4f

Analysis

max time kernel
874s
max time network
882s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
22-03-2023 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LatestFullSetupV6-Pass-123.rar
Size

20.0MB
MD5

9b7fc34ce0e3167c089ec9d4e20bbb7c
SHA1

45bb57950a5540d34692fa72086a3af38c5359b5
SHA256

3d54a6953f64c1a2eb09aafa05445a7fea14e2564d4548b3b464d3c84a3c8b4f
SHA512

1f2e84a6430a9381402bc9ff12f82d20b036edb463b0303d9451fff7a9ae1ff9967d9ed52bf5d85b6e8b707b6c453ae5023867a0e37d7d0da1a028cf8dc32a37
SSDEEP

393216:ZSqx4SU1xXLH4wZPXyfYRqxdXHPRDwZc80S5TC5RKMabk2MMyRFR:ZShv1PPifZ3BGcxS5OHnabk9MM/

Score

10^/10

raccoon 1196de9cec79da84686d34883da05a1e stealer

Malware Config

Extracted

Family

raccoon

Botnet

1196de9cec79da84686d34883da05a1e

http://94.142.138.227/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 4 IoCs

Processes:

setup.exewdfvfghjikpotgvcdws.exewdfvfghjikpotgvcdws.exesetup.exe

pid process

1508 setup.exe
1432 wdfvfghjikpotgvcdws.exe
1620 wdfvfghjikpotgvcdws.exe
1728 setup.exe
Loads dropped DLL 6 IoCs

Processes:

setup.exesetup.exe

pid process

1508 setup.exe
1508 setup.exe
1508 setup.exe
1728 setup.exe
1728 setup.exe
1728 setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1508	setup.exe
1432	wdfvfghjikpotgvcdws.exe
1620	wdfvfghjikpotgvcdws.exe
1728	setup.exe

pid	process
1508	setup.exe
1508	setup.exe
1508	setup.exe
1728	setup.exe
1728	setup.exe
1728	setup.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

setup.exewdfvfghjikpotgvcdws.exewdfvfghjikpotgvcdws.exesetup.exe

pid process

1508 setup.exe
1432 wdfvfghjikpotgvcdws.exe
1620 wdfvfghjikpotgvcdws.exe
1728 setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1328 rundll32.exe

pid	process
1508	setup.exe
1432	wdfvfghjikpotgvcdws.exe
1620	wdfvfghjikpotgvcdws.exe
1728	setup.exe

pid	process
1328	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7zG.exe7zG.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	1380	7zG.exe
Token: 35	1380	7zG.exe
Token: SeSecurityPrivilege	1380	7zG.exe
Token: SeSecurityPrivilege	1380	7zG.exe
Token: SeRestorePrivilege	1344	7zG.exe
Token: 35	1344	7zG.exe
Token: SeSecurityPrivilege	1344	7zG.exe
Token: SeSecurityPrivilege	1344	7zG.exe
Token: 33	1244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1244	AUDIODG.EXE
Token: 33	1244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1244	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid process

1380 7zG.exe
1344 7zG.exe

pid	process
1380	7zG.exe
1344	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 1328	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 1328	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 1328	2028	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\LatestFullSetupV6-Pass-123.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\LatestFullSetupV6-Pass-123.rar
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\" -spe -an -ai#7zMap8342:110:7zEvent21712
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\" -spe -an -ai#7zMap8923:136:7zEvent21214
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
"C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe
"C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe
"C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
"C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile.rar
Filesize
20.0MB

MD5
b4bcae19add6d257f5156c341f50d832

SHA1
eb349e7fe392fb9219babbaf4d449df68306a702

SHA256
a0b30c253e872c4fbc520d0e10ef57bb5a6a51fad626183688e89817a06fe42a

SHA512
d9617b16ff473d3ba3597be4e8ed9283ed49a3e0c5580e6fde2ff60ea61ac934a42badde52aa305313e269a0324f0742f449d64dc28b0a8a2b8aa93f63441f10

Download Submit
C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
728.8MB

MD5
2b67b30b02e93976a6f7baf79db70220

SHA1
f0b13d37d5845e9aa872e928695ffec6209026c8

SHA256
488f490a3c0a6d2b957fed419bb91d6ff2832268fb7eeb0056aefd9c719a099e

SHA512
04bcdbc116a717b4e72d39107051c062ad1dcb9dbb5ef7ddf0ba2fd9da5c2d4ff7443bca93063a62a03f10e873024956d9baf7ebe25304c5afe425fbb1384c37

Download Submit
C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
725.7MB

MD5
9f6b049e9cbae2dd6d0825642a50f287

SHA1
90b617cf9fe463351c5872f720e221430a2d6e10

SHA256
ad92ac8e31fefe0e5a94907c4642a50fa397829e6e5b912afad02db13c24fe45

SHA512
aad2afe5ca82943fdb3dc74068d4b50fb661d87069b3cd3bf474cb372c08cc640a45432a45044e2127a98b9f3a2163937856f7b42c5801b3575d1d089110d350

Download Submit
C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
730.3MB

MD5
5480f14d9bd775e4f68514eeac31a74b

SHA1
dab504a89ffeb43b901ba3e874ba8d4489d4efac

SHA256
f61c8f07a08c83c9ca1d42a7be9e9bd8475db0fb916537bbf63b706b87969472

SHA512
c1e189a61a71380c60f639a2c31eb3cebcfbf256392e7aeb6bf34e0bcdaa459b35d138b1bd35a1b85c16bc90d782778c251db9b36540c2c34bdc1bcdb3c1fa34

Download Submit
C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe
Filesize
10.3MB

MD5
09c7f4901112e39b0863288b261a626b

SHA1
f9c4b5adc43a972d851039df6ca97bdd1a5ff29f

SHA256
e4f89ee858218ad17e47c1670c41f8b0e73753a7d3d38677eb6afa95473b7b42

SHA512
ccb2ace9e4d9adb2406f37326e14e8e5d0638202898cbeff272c97d10572e925f0c75ca7bf0f2057264bb2e03ff60f7bfa209912c836479e413f5a9247e7fb25

Download Submit
C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe
Filesize
10.3MB

MD5
09c7f4901112e39b0863288b261a626b

SHA1
f9c4b5adc43a972d851039df6ca97bdd1a5ff29f

SHA256
e4f89ee858218ad17e47c1670c41f8b0e73753a7d3d38677eb6afa95473b7b42

SHA512
ccb2ace9e4d9adb2406f37326e14e8e5d0638202898cbeff272c97d10572e925f0c75ca7bf0f2057264bb2e03ff60f7bfa209912c836479e413f5a9247e7fb25

Download Submit
C:\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\wdfvfghjikpotgvcdws.exe
Filesize
10.3MB

MD5
09c7f4901112e39b0863288b261a626b

SHA1
f9c4b5adc43a972d851039df6ca97bdd1a5ff29f

SHA256
e4f89ee858218ad17e47c1670c41f8b0e73753a7d3d38677eb6afa95473b7b42

SHA512
ccb2ace9e4d9adb2406f37326e14e8e5d0638202898cbeff272c97d10572e925f0c75ca7bf0f2057264bb2e03ff60f7bfa209912c836479e413f5a9247e7fb25

Download Submit
\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
730.3MB

MD5
5480f14d9bd775e4f68514eeac31a74b

SHA1
dab504a89ffeb43b901ba3e874ba8d4489d4efac

SHA256
f61c8f07a08c83c9ca1d42a7be9e9bd8475db0fb916537bbf63b706b87969472

SHA512
c1e189a61a71380c60f639a2c31eb3cebcfbf256392e7aeb6bf34e0bcdaa459b35d138b1bd35a1b85c16bc90d782778c251db9b36540c2c34bdc1bcdb3c1fa34

Download Submit
\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
658.0MB

MD5
d65bd6cfb684c2a9cb1c441a37405ea2

SHA1
62c9124650e372089fb22f06d08075081db2695b

SHA256
4e362071789cbfe649cbd15dbe932c6e2f04e0a9d3dd53f76c778c94dfb36363

SHA512
f351c7569b56b3c916ca1bbbd12b25965ddf096432975baba8e97e9740543de3668539f3c2eb7a1b812e6202c026d1b921af1137e8b6d654eca82d292d01955b

Download Submit
\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
699.9MB

MD5
cab33731699239ac2efb6c44fb2fdd3d

SHA1
6186d7026412d9896225a8bd0cbb49396aa3fced

SHA256
78415ecfa96e9234cdf11a556e49450a8fa8bae52472c16d4391e48799dc74fa

SHA512
4d1fc62c5a08a2138ccbc5e9ff2a9465aa199958dae706b2f725dbf8ac683382f6401b679bfdfc8ec462ad7b355394200aad3d4da81d76f40b6e56ef00655f84

Download Submit
\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
730.3MB

MD5
5480f14d9bd775e4f68514eeac31a74b

SHA1
dab504a89ffeb43b901ba3e874ba8d4489d4efac

SHA256
f61c8f07a08c83c9ca1d42a7be9e9bd8475db0fb916537bbf63b706b87969472

SHA512
c1e189a61a71380c60f639a2c31eb3cebcfbf256392e7aeb6bf34e0bcdaa459b35d138b1bd35a1b85c16bc90d782778c251db9b36540c2c34bdc1bcdb3c1fa34

Download Submit
\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
730.3MB

MD5
5480f14d9bd775e4f68514eeac31a74b

SHA1
dab504a89ffeb43b901ba3e874ba8d4489d4efac

SHA256
f61c8f07a08c83c9ca1d42a7be9e9bd8475db0fb916537bbf63b706b87969472

SHA512
c1e189a61a71380c60f639a2c31eb3cebcfbf256392e7aeb6bf34e0bcdaa459b35d138b1bd35a1b85c16bc90d782778c251db9b36540c2c34bdc1bcdb3c1fa34

Download Submit
\Users\Admin\Desktop\LatestFullSetupV6-Pass-123\SoftwareFile\setup.exe
Filesize
730.3MB

MD5
5480f14d9bd775e4f68514eeac31a74b

SHA1
dab504a89ffeb43b901ba3e874ba8d4489d4efac

SHA256
f61c8f07a08c83c9ca1d42a7be9e9bd8475db0fb916537bbf63b706b87969472

SHA512
c1e189a61a71380c60f639a2c31eb3cebcfbf256392e7aeb6bf34e0bcdaa459b35d138b1bd35a1b85c16bc90d782778c251db9b36540c2c34bdc1bcdb3c1fa34

Download Submit
memory/1432-137-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1432-131-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1432-138-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1432-134-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1432-126-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1432-128-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1432-129-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1432-119-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1432-132-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1432-123-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1432-125-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1432-135-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1432-139-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1432-122-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1432-120-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1508-94-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1508-114-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1508-113-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1508-109-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1508-110-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1508-112-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1508-103-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1508-104-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1508-106-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1508-107-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1508-100-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1508-99-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1508-101-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1508-95-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1508-96-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1508-97-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1508-98-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1508-93-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download