raccoon | 6e80a4fc6708c4afd1992257a56f2060a4d3ec0d03076c8e4644f86d6bdb37cb

General

Target

FullVersionG5_Setup_2023_As_PassKey.rar
Size

19.5MB
MD5

325269d3b8c7c2057812eded13784d47
SHA1

bc8acc9988dde2f8691ea4de439701d590880cf3
SHA256

6e80a4fc6708c4afd1992257a56f2060a4d3ec0d03076c8e4644f86d6bdb37cb
SHA512

7c49de177716f863ade22672cd46cdc3a733949471ea663d19ab16720bf079f00f93d4b8d0a6c0c8e278e617b4472ca16115f71ce47fcaf08965c1a4babb319e
SSDEEP

393216:uh7aPjot+wiTtIyio6OnwFzi6gQbXULHWqgh4MCvQjw7mhr:OaPsMwkGyi5KFvxtghcQjWmN

Score

10^/10

raccoon 13718a923845c0cdab8ce45c585b8d63 stealer

Malware Config

Extracted

Family

raccoon

Botnet

13718a923845c0cdab8ce45c585b8d63

C2

http://45.15.156.143/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

aaSatup.exeaaSatup.exe

pid process

1872 aaSatup.exe
688 aaSatup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

aaSatup.exeaaSatup.exe

pid process

1872 aaSatup.exe
1872 aaSatup.exe
688 aaSatup.exe
688 aaSatup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aaSatup.exeaaSatup.exe

pid process

1872 aaSatup.exe
688 aaSatup.exe

pid	process
1872	aaSatup.exe
688	aaSatup.exe

pid	process
1872	aaSatup.exe
1872	aaSatup.exe
688	aaSatup.exe
688	aaSatup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe

pid	process
1872	aaSatup.exe
688	aaSatup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	1692	7zG.exe
Token: 35	1692	7zG.exe
Token: SeSecurityPrivilege	1692	7zG.exe
Token: SeSecurityPrivilege	1692	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1692 7zG.exe

pid	process
1692	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 1184	1120	cmd.exe	rundll32.exe
PID 1120 wrote to memory of 1184	1120	cmd.exe	rundll32.exe
PID 1120 wrote to memory of 1184	1120	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FullVersionG5_Setup_2023_As_PassKey.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FullVersionG5_Setup_2023_As_PassKey.rar
2⤵
- Modifies registry class
PID:1184

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\" -spe -an -ai#7zMap28318:128:7zEvent24522
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1692

C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
"C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
"C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
Filesize
1953.7MB

MD5
9d7c498278c6f174862aa4ff3ae7fec2

SHA1
02fc01d52e0fffe126b773e084921ace6d687a15

SHA256
776f7c9f04717f8336d14162137346b190a8f026eecfcbcade4bc88fabbff404

SHA512
d55e8f50588a51122abfb96af30fd224a9917376d40a5dfcd42a70f99c26f2ff003735a5a6cb8b10046ee5eb1669cb08882832cfb73f400b4b20ad3d3d6c5a49

Download Submit
C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
Filesize
1953.7MB

MD5
9d7c498278c6f174862aa4ff3ae7fec2

SHA1
02fc01d52e0fffe126b773e084921ace6d687a15

SHA256
776f7c9f04717f8336d14162137346b190a8f026eecfcbcade4bc88fabbff404

SHA512
d55e8f50588a51122abfb96af30fd224a9917376d40a5dfcd42a70f99c26f2ff003735a5a6cb8b10046ee5eb1669cb08882832cfb73f400b4b20ad3d3d6c5a49

Download Submit
C:\Users\Admin\Desktop\FullVersionG5_Setup_2023_As_PassKey\aaSatup.exe
Filesize
1953.7MB

MD5
9d7c498278c6f174862aa4ff3ae7fec2

SHA1
02fc01d52e0fffe126b773e084921ace6d687a15

SHA256
776f7c9f04717f8336d14162137346b190a8f026eecfcbcade4bc88fabbff404

SHA512
d55e8f50588a51122abfb96af30fd224a9917376d40a5dfcd42a70f99c26f2ff003735a5a6cb8b10046ee5eb1669cb08882832cfb73f400b4b20ad3d3d6c5a49

Download Submit
memory/688-158-0x0000000000400000-0x0000000002186000-memory.dmp

Filesize
29.5MB

Download
memory/1872-143-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1872-145-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1872-144-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1872-146-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1872-147-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1872-148-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1872-149-0x0000000000400000-0x0000000002186000-memory.dmp

Filesize
29.5MB

Download

Analysis

Sharing