raccoon | 0e6bf2a49cbb3e603a03127d6d6422ac7df6b99afc1ffb472ee66184ca4f0469

General

Target

Use_71110_As_Passw0rd_.rar
Size

17.1MB
MD5

9b08c2fae3ef353f85969bb4e9bb63ff
SHA1

00d90111f99bbfb623268ca8e3b74f32f67c1a0b
SHA256

0e6bf2a49cbb3e603a03127d6d6422ac7df6b99afc1ffb472ee66184ca4f0469
SHA512

027ba1b7278a4fad0d1efa763b79624e6b8b8f4063db376726441a8da80d9052629ad5fc26cbf846f49e96599d902fccc51ebca0a2be9d682103752bf4f8c068
SSDEEP

393216:YWKz3TXg5ZqAgyWcJ1BhAEa84sm+zIWEPIUTqCDx1aSX8CET:YW6jw5UMW81ByLnx1aSXvS

Score

10^/10

raccoon 01ce0bf18c5eb0152a13b2ee5d4d8adc stealer

Malware Config

Extracted

Family

raccoon

Botnet

01ce0bf18c5eb0152a13b2ee5d4d8adc

C2

http://37.220.87.69

http://83.217.11.6

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

nnSetup.exe

pid process

4960 nnSetup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

nnSetup.exe

pid process

4960 nnSetup.exe
4960 nnSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4960	nnSetup.exe

pid	process
4960	nnSetup.exe
4960	nnSetup.exe

Modifies registry class 21 IoCs

Processes:

cmd.exeSearchApp.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

nnSetup.exe

pid process

4960 nnSetup.exe
4960 nnSetup.exe

pid	process
4960	nnSetup.exe
4960	nnSetup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	3912	7zG.exe
Token: 35	3912	7zG.exe
Token: SeSecurityPrivilege	3912	7zG.exe
Token: SeSecurityPrivilege	3912	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

3912 7zG.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeSearchApp.exennSetup.exe

pid process

1516 OpenWith.exe
948 SearchApp.exe
4960 nnSetup.exe

pid	process
3912	7zG.exe

pid	process
1516	OpenWith.exe
948	SearchApp.exe
4960	nnSetup.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Use_71110_As_Passw0rd_.rar
1⤵
- Modifies registry class
PID:2216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_71110_As_Passw0rd_\" -spe -an -ai#7zMap27840:102:7zEvent21290
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3912

C:\Users\Admin\Desktop\Use_71110_As_Passw0rd_\nnSetup.exe
"C:\Users\Admin\Desktop\Use_71110_As_Passw0rd_\nnSetup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133247976954361010.txt
Filesize
75KB

MD5
f7efda58dee5284ab276ad0b08800dee

SHA1
9b63e0761ffe967bcac4ab34ddf3efcf643739f8

SHA256
9bddd2f52b4ebb13702c41ca08c3f31299331a16d8a219761fa44ea31020c66c

SHA512
bfae94346e311620604d966a9df90bb92286950afa53f48d1bdbc858d8306571b3373a34aa63a12f4ce375793e40f3def618f2d0fd621f7957cf48050daf0d4c

Download Submit
C:\Users\Admin\Desktop\Use_71110_As_Passw0rd_\nnSetup.exe
Filesize
1269.7MB

MD5
988ab1394bf1f80e49366bb41130e0d2

SHA1
fcebe3d72248f5db56100f6d5a05f146dac21350

SHA256
848b6f47a05ee1b6d0d143ce20456c119ae7d718df748bc4660d2df1d78b89fa

SHA512
b7817ec38eeda18346dd2c7a6cb4d39ff7f2161acc126707b5eaf510996d530e2ceadc2abe50c431b157346b0c6e3d4a71448325939b76eb9c8429c951577c2f

Download Submit
C:\Users\Admin\Desktop\Use_71110_As_Passw0rd_\nnSetup.exe
Filesize
1269.7MB

MD5
988ab1394bf1f80e49366bb41130e0d2

SHA1
fcebe3d72248f5db56100f6d5a05f146dac21350

SHA256
848b6f47a05ee1b6d0d143ce20456c119ae7d718df748bc4660d2df1d78b89fa

SHA512
b7817ec38eeda18346dd2c7a6cb4d39ff7f2161acc126707b5eaf510996d530e2ceadc2abe50c431b157346b0c6e3d4a71448325939b76eb9c8429c951577c2f

Download Submit
memory/948-139-0x000002A4419C0000-0x000002A4419E0000-memory.dmp

Filesize
128KB

Download
memory/948-143-0x000002A441980000-0x000002A4419A0000-memory.dmp

Filesize
128KB

Download
memory/948-146-0x000002A443020000-0x000002A443040000-memory.dmp

Filesize
128KB

Download
memory/4960-310-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/4960-311-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/4960-312-0x0000000000400000-0x0000000001CC2000-memory.dmp

Filesize
24.8MB

Download

Analysis

Sharing