raccoon | c5402ac75a86dc37508a502662ba0d6af32b81d570c86067da9ec695718c8ef9

General

Target

SoftwareSetup.rar
Size

31.4MB
MD5

047099eac98bee7e4d6197644bebe398
SHA1

104638640b363dc997638e0106ff83b86b9f87ee
SHA256

c5402ac75a86dc37508a502662ba0d6af32b81d570c86067da9ec695718c8ef9
SHA512

55c432feaa7e14584f5a007225831df181a1688068b502d6028e90f58841256ad70fb0fc3cc863f75dadcfd139dee62406bda34ba220602324d4483e00eb9184
SSDEEP

786432:b4cD8XDwz1tAUfsLllihvBCCKAduhYem2XM/cty9XAkj3:buwbsLihvBCtMbr2X+ctWQkj

Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 stealer

Malware Config

Extracted

Family

raccoon

Botnet

ee2a3d190100b91c20d8bc284238dda6

C2

http://45.15.156.144/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

4492 setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exe

pid process

4492 setup.exe
4492 setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4492	setup.exe

pid	process
4492	setup.exe
4492	setup.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.execmd.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000054564caa1000372d5a6970003c0009000400efbe54564caa54564caa2e000000372702000000080000000000000000000000000000004e535e0037002d005a0069007000000014000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\ఉǘ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\rar_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\rar_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\ఉǘ\ = "rar_auto_file"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000005456e9ae110050524f4752417e310000740009000400efbe874fdb495456e9ae2e0000003f0000000000010000000000000000004a000000000024690f00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.rar	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.rar\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\rar_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\rar_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

setup.exe

pid process

4492 setup.exe
4492 setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4888 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 4796 7zFM.exe
Token: 35 4796 7zFM.exe
Token: SeSecurityPrivilege 4796 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

4796 7zFM.exe
4796 7zFM.exe

pid	process
4492	setup.exe
4492	setup.exe

description	pid	process
Token: SeRestorePrivilege	4796	7zFM.exe
Token: 35	4796	7zFM.exe
Token: SeSecurityPrivilege	4796	7zFM.exe

pid	process
4796	7zFM.exe
4796	7zFM.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

OpenWith.exe

pid	process
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

OpenWith.exe

description pid process target process

PID 4888 wrote to memory of 4796 4888 OpenWith.exe 7zFM.exe
PID 4888 wrote to memory of 4796 4888 OpenWith.exe 7zFM.exe

description	pid	process	target process
PID 4888 wrote to memory of 4796	4888	OpenWith.exe	7zFM.exe
PID 4888 wrote to memory of 4796	4888	OpenWith.exe	7zFM.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SoftwareSetup.rar
1⤵
- Modifies registry class
PID:4628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SoftwareSetup.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4796

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
686a5c359652c3e2d054360e4a7bb156

SHA1
c67bdabde2fa1cc6b97a1c69f622efc159eca1ce

SHA256
af5b246c8f3944cc5e3359c38e5da015536b1c0ecd48007d663b7e953ec98b59

SHA512
da1e6ef3df94f765a2a2a6ceff18f3cd4a0d4f1c1bd2cf2f469143507374a909952d2f0a2c7079b6bb6e1cff44223a51bbcd1b5b3e814e78db3003ceffe575f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
5517e3f4927a3b9d46d46cf14b7d9de2

SHA1
867e538a9017d47c6448704b939b9b933e8bbbe3

SHA256
907815e778b17853bc168a5b932ea4f60a33eafba453b3118823bc8a1da1b1f0

SHA512
a53c209e00645395690ebd3d800f2f3b54b771ad87a5e00b7beba042011668f333b6de68b318943409631b5ea088174f97d3eabc968659d70a2597420e527ca9

Download Submit
C:\Users\Admin\Desktop\setup.exe
Filesize
503.2MB

MD5
4fcd1846fc683d196ef09f26ff3e7c33

SHA1
9e37ff43fc99cd4233216dc19f634b430af12a4a

SHA256
8d0fb719b460e5dcabe8c21ecb0c766a95060c6d3dde213468fa4fd48769cb72

SHA512
49781e28088f1fe0311ac6e0cc828c6bff3c88650ed261fbf2dc3065811b45f864fb62c4ef2d6688621899f2ea47e18fc5188a084c13860f243938d43846c90a

Download Submit
C:\Users\Admin\Desktop\setup.exe
Filesize
491.0MB

MD5
4026dae1952ee5ac2cb34d46ace77cd2

SHA1
38a70d26fbcac23a37ec8acb7da8666a10d4456c

SHA256
ca44e3c34ba990a5ba99845c0af57c98832ced826cdf4b51f0659d0df4ff659b

SHA512
efced4c692809d437331c74f0d4bb3b0346e40675843c59d996ffb67ac2da199c0028dd3c33d9e3a09acd48d39985c8d2905dbac6c58ca59eabaf197956fdcbc

Download Submit
memory/4492-149-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4492-150-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/4492-151-0x0000000000400000-0x0000000002174000-memory.dmp

Filesize
29.5MB

Download

Resubmissions

Analysis

Sharing