raccoon | 4ef7df344ac90c22306329afce9ca1fc19c48165fd733623bb624dec9f59ca8a

General

Target

Files_Password_1231.rar
Size

17.0MB
MD5

c3b26e6add132ccdafc3c33b24ec7d30
SHA1

89f5f22204bc3c7f8e4c850174e83f5b43ff3b82
SHA256

4ef7df344ac90c22306329afce9ca1fc19c48165fd733623bb624dec9f59ca8a
SHA512

455d18db86719c38234e0b86d894572607fda71f8395b0f32578bfe2f5cd92247395be3b82b17028fdc3ce284bbe3d02b6895299a8103877877927a1c195a665
SSDEEP

393216:WScJ8nwMe9njP2YgI/6U986uM/s4RG55sVvouALvWyVJn:FcoW9j+O6UKY/s4R65LaC

Score

10^/10

raccoon 01ce0bf18c5eb0152a13b2ee5d4d8adc stealer

Malware Config

Extracted

Family

raccoon

Botnet

01ce0bf18c5eb0152a13b2ee5d4d8adc

C2

http://37.220.87.69

http://83.217.11.6

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

cp_Setup.execp_Setup.exe

pid process

1716 cp_Setup.exe
1744 cp_Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

cp_Setup.execp_Setup.exe

pid process

1716 cp_Setup.exe
1716 cp_Setup.exe
1744 cp_Setup.exe
1744 cp_Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cp_Setup.execp_Setup.exe

pid process

1716 cp_Setup.exe
1744 cp_Setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1180 rundll32.exe

pid	process
1716	cp_Setup.exe
1744	cp_Setup.exe

pid	process
1716	cp_Setup.exe
1716	cp_Setup.exe
1744	cp_Setup.exe
1744	cp_Setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe

pid	process
1716	cp_Setup.exe
1744	cp_Setup.exe

pid	process
1180	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	1676	7zG.exe
Token: 35	1676	7zG.exe
Token: SeSecurityPrivilege	1676	7zG.exe
Token: SeSecurityPrivilege	1676	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1676 7zG.exe

pid	process
1676	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 268 wrote to memory of 1180	268	cmd.exe	rundll32.exe
PID 268 wrote to memory of 1180	268	cmd.exe	rundll32.exe
PID 268 wrote to memory of 1180	268	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Files_Password_1231.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Files_Password_1231.rar
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1180

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Files_Password_1231\" -spe -an -ai#7zMap23308:96:7zEvent2093
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
"C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
"C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
Filesize
1269.6MB

MD5
6021a2138d3aac1aee27d8a521b26cb2

SHA1
47ae09c32bc0c1cc020e80522f6a94d565f6920d

SHA256
9a4eb2b87174f19b1f23940363e0bb2d4a3e19d8cdb37d4a8de8ab70bc0135fc

SHA512
8bcdc3b72f0c0e1d958e52d227f36c0509e8dbaf76a07f81aba40a1af1a5658c198cc040664ead31e8349d8554ebc6cd4c59ecd130ce97e8766b05c193a5a14a

Download Submit
C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
Filesize
1269.6MB

MD5
6021a2138d3aac1aee27d8a521b26cb2

SHA1
47ae09c32bc0c1cc020e80522f6a94d565f6920d

SHA256
9a4eb2b87174f19b1f23940363e0bb2d4a3e19d8cdb37d4a8de8ab70bc0135fc

SHA512
8bcdc3b72f0c0e1d958e52d227f36c0509e8dbaf76a07f81aba40a1af1a5658c198cc040664ead31e8349d8554ebc6cd4c59ecd130ce97e8766b05c193a5a14a

Download Submit
C:\Users\Admin\Desktop\Files_Password_1231\cp_Setup.exe
Filesize
703.4MB

MD5
8a1fcdbe0bb02b8f0b121b6c201bcb7f

SHA1
8c38cbd10688e2c3cec899fd732aa6326d302b3e

SHA256
74a6bc1a854e88bc843c428032580593bf902495f7fc7bffcac7cae2a528d82e

SHA512
54bbbc56176ad84a4ee0a4448b3a96487a01444c08783bc7a7ed724702229a5bc804fa513ce725bc915ebc93d845958ee978b92d721449403ba9d58074b704db

Download Submit
memory/1716-142-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1716-143-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1716-144-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1716-145-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1716-146-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1716-147-0x0000000000400000-0x0000000001CAA000-memory.dmp

Filesize
24.7MB

Download
memory/1716-141-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1744-151-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1744-152-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1744-154-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1744-155-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1744-156-0x0000000000400000-0x0000000001CAA000-memory.dmp

Filesize
24.7MB

Download

Analysis

Sharing