raccoon | b97effcb10ad6955bbe17337fa179e47446bbed0085f8b9fe47be1e02c0596b6

Analysis

max time kernel
885s
max time network
889s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
22/03/2023, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Use_76009_As_Passw0rdd-1.rar
Size

17.0MB
MD5

80d4dc1b8c0bf4b668015b45dbff7345
SHA1

fb001303296f45c3a0c79c279319914c0701ab50
SHA256

b97effcb10ad6955bbe17337fa179e47446bbed0085f8b9fe47be1e02c0596b6
SHA512

53a321fb7e71cded0294125d43c15ed7b17b73df6028b603ccb502b8d9de23e67ec3c9395cc9835b512c5a6aa044d5b18c8b9fff016c6be1d9e19d4b35144873
SSDEEP

393216:f9qkNZ8Twag5yWO3yk+4yVWdOuijtTjgV/HGHCbaDpgoluAgl:f93aTwaAyWs3XigOuigGHCeWolu/

Score

10^/10

raccoon 01ce0bf18c5eb0152a13b2ee5d4d8adc stealer

Malware Config

Extracted

Family

raccoon

Botnet

01ce0bf18c5eb0152a13b2ee5d4d8adc

http://37.220.87.69

http://83.217.11.6

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Executes dropped EXE 1 IoCs

pid	Process
760	su-Setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
760	su-Setup.exe
760	su-Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
760	su-Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1352	7zG.exe
Token: 35	1352	7zG.exe
Token: SeSecurityPrivilege	1352	7zG.exe
Token: SeSecurityPrivilege	1352	7zG.exe
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1352	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1236	1552	cmd.exe	28
PID 1552 wrote to memory of 1236	1552	cmd.exe	28
PID 1552 wrote to memory of 1236	1552	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Use_76009_As_Passw0rdd-1.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Use_76009_As_Passw0rdd-1.rar
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1236

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1972

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_76009_As_Passw0rdd-1\" -spe -an -ai#7zMap6510:106:7zEvent21168
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\Desktop\Use_76009_As_Passw0rdd-1\AppSetup\su-Setup.exe
"C:\Users\Admin\Desktop\Use_76009_As_Passw0rdd-1\AppSetup\su-Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Use_76009_As_Passw0rdd-1\AppSetup\su-Setup.exe

Filesize
1269.7MB

MD5
db0bc10bf8e961cfb5a8f1d13f1510ee

SHA1
f3989726c53c998bb14e524221e7ac672bf7a00e

SHA256
b106ff16d583acc99f4392ff757b7b8c1c4ef8d67b82deb21beb07a4d671ccee

SHA512
f23d270e3a7cc6c55247dbb0dd505c988488ad307043045c237ef9f58996fd0a0f0b241e453ad1b3cc8275e862785a7a4473eb9ff3c8e95de24554fa33771cf9

Download Submit
C:\Users\Admin\Desktop\Use_76009_As_Passw0rdd-1\AppSetup\su-Setup.exe

Filesize
1269.7MB

MD5
db0bc10bf8e961cfb5a8f1d13f1510ee

SHA1
f3989726c53c998bb14e524221e7ac672bf7a00e

SHA256
b106ff16d583acc99f4392ff757b7b8c1c4ef8d67b82deb21beb07a4d671ccee

SHA512
f23d270e3a7cc6c55247dbb0dd505c988488ad307043045c237ef9f58996fd0a0f0b241e453ad1b3cc8275e862785a7a4473eb9ff3c8e95de24554fa33771cf9

Download Submit
memory/760-136-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/760-135-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/760-137-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/760-138-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/760-139-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/760-140-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/760-141-0x0000000000400000-0x0000000001CBF000-memory.dmp

Filesize
24.7MB

Download