raccoon | ec795dcd6193bd3deb2a005c4b0a6f62a459c459424fe5418971d79660cb9db5

General

Target

FileNew_Setup_Full_Version.rar
Size

16.1MB
MD5

5511ee069fcf49e829ad3178b7eeefe8
SHA1

3cd85861cbc0e19fc0fdc3da830db9b07cbbeff4
SHA256

ec795dcd6193bd3deb2a005c4b0a6f62a459c459424fe5418971d79660cb9db5
SHA512

4a92530f59be15779723c4ef1b2ca177799bd31d31245d4232ff5f5a007c69e2971046b13271c59adf9037a0dc76a5cd12143c93db36c99173b5f3a9333c89a8
SSDEEP

393216:BzmGzTw438izXWfp36leXHeNphJfSvzA8GWmSXPrkXBmfc:BHfwKap36EurhJfSrHmuNc

Score

10^/10

raccoon 13718a923845c0cdab8ce45c585b8d63 stealer

Malware Config

Extracted

Family

raccoon

Botnet

13718a923845c0cdab8ce45c585b8d63

C2

http://45.15.156.198/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

1Setup.exe1Setup.exe

pid process

1976 1Setup.exe
1988 1Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

1Setup.exe1Setup.exe

pid process

1976 1Setup.exe
1976 1Setup.exe
1988 1Setup.exe
1988 1Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1976	1Setup.exe
1988	1Setup.exe

pid	process
1976	1Setup.exe
1976	1Setup.exe
1988	1Setup.exe
1988	1Setup.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1Setup.exe1Setup.exe

pid process

1976 1Setup.exe
1988 1Setup.exe

pid	process
1976	1Setup.exe
1988	1Setup.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7zG.exe7zG.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	1472	7zG.exe
Token: 35	1472	7zG.exe
Token: SeSecurityPrivilege	1472	7zG.exe
Token: SeSecurityPrivilege	1472	7zG.exe
Token: SeRestorePrivilege	668	7zG.exe
Token: 35	668	7zG.exe
Token: SeSecurityPrivilege	668	7zG.exe
Token: SeSecurityPrivilege	668	7zG.exe
Token: 33	1932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1932	AUDIODG.EXE
Token: 33	1932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1932	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid process

1472 7zG.exe
668 7zG.exe

pid	process
1472	7zG.exe
668	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1940 wrote to memory of 984	1940	cmd.exe	rundll32.exe
PID 1940 wrote to memory of 984	1940	cmd.exe	rundll32.exe
PID 1940 wrote to memory of 984	1940	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FileNew_Setup_Full_Version.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FileNew_Setup_Full_Version.rar
2⤵
- Modifies registry class
PID:984

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\" -spe -an -ai#7zMap11942:110:7zEvent22648
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\" -spe -an -ai#7zMap23919:168:7zEvent13197
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x588
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe
"C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe
"C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey.rar
Filesize
15.7MB

MD5
4c378d457389e8dfcf080dedde7fe1ca

SHA1
76a178ca0e6f3c0538dd9e80a1b65952f1b782c2

SHA256
ee6d4fec9073fcc1c6d52b401ee821197fb9f43aa29051bad9cd15e10566c24d

SHA512
c332d288046a82de296b110cfe8803832ae4f15d1b1c5f73338f1759ce34276828b46f231f71b7ebf54a82fb30047caaa9d05a705a493f1b14616e4f7a32dd10

Download Submit
C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe
Filesize
736.1MB

MD5
a5c6128d80e6ad7830b15654633eea6e

SHA1
e6a5d6d3df963ed8b3cdedc25583a501afa6e00b

SHA256
469730a2e3a006c9b2dfbeee0fa32caf1714331cbd033dea065a02231265bd20

SHA512
8404a141d295d3ff5f8cba50e8ba8019b4dfd279cf5662d0b5be1dec488034cd2bfcd95805f863468cef50fb4f19cbcf27e7d62064f547569387dd5056a12d3a

Download Submit
C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe
Filesize
736.1MB

MD5
a5c6128d80e6ad7830b15654633eea6e

SHA1
e6a5d6d3df963ed8b3cdedc25583a501afa6e00b

SHA256
469730a2e3a006c9b2dfbeee0fa32caf1714331cbd033dea065a02231265bd20

SHA512
8404a141d295d3ff5f8cba50e8ba8019b4dfd279cf5662d0b5be1dec488034cd2bfcd95805f863468cef50fb4f19cbcf27e7d62064f547569387dd5056a12d3a

Download Submit
C:\Users\Admin\Desktop\FileNew_Setup_Full_Version\ItsNew_Setup_2023_As_PassKey\1Setup.exe
Filesize
736.1MB

MD5
a5c6128d80e6ad7830b15654633eea6e

SHA1
e6a5d6d3df963ed8b3cdedc25583a501afa6e00b

SHA256
469730a2e3a006c9b2dfbeee0fa32caf1714331cbd033dea065a02231265bd20

SHA512
8404a141d295d3ff5f8cba50e8ba8019b4dfd279cf5662d0b5be1dec488034cd2bfcd95805f863468cef50fb4f19cbcf27e7d62064f547569387dd5056a12d3a

Download Submit
memory/1976-110-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1976-106-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1976-109-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1976-108-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1976-107-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1976-111-0x0000000000400000-0x0000000002187000-memory.dmp

Filesize
29.5MB

Download
memory/1976-105-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1988-115-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1988-116-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1988-118-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1988-119-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1988-120-0x0000000000400000-0x0000000002187000-memory.dmp

Filesize
29.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads