raccoon | 5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f

Analysis

max time kernel
1232s
max time network
1236s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
10-05-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Open_Setup_Use_2023_As_PassWord.rar
Size

17.7MB
MD5

ec63229d00684415d591cef854167dd2
SHA1

73afa5c05b2cb0c3a9d0ca279e610f24c10968b5
SHA256

5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f
SHA512

9b3541f4d9eb6d7a54a37371492e559cbe1281f79d042829a60f2a96148762361ea33e6030574433153025c964956cface47bdcc6f4130e53973081d33bf507b
SSDEEP

393216:uaMZMSMm7fFnlDU6iqvz0DVjzeqDJdQIWOgSn5xMuortdTKX7Ev7QPXYVqbJ:uaClf/w6h709RDJxL5GsI7QgAl

Score

10^/10

raccoon 8ed6e26daba8160b1050248b4a36291b stealer

Malware Config

Extracted

Family

raccoon

Botnet

8ed6e26daba8160b1050248b4a36291b

http://37.220.87.69

http://83.217.11.13

http://94.142.138.126/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

+Setup.exe

pid process

364 +Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

+Setup.exe

pid process

364 +Setup.exe
364 +Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
364	+Setup.exe

pid	process
364	+Setup.exe
364	+Setup.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

+Setup.exe

pid process

364 +Setup.exe

pid	process
364	+Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	1236	7zG.exe
Token: 35	1236	7zG.exe
Token: SeSecurityPrivilege	1236	7zG.exe
Token: SeSecurityPrivilege	1236	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1236 7zG.exe

pid	process
1236	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1368 wrote to memory of 1100	1368	cmd.exe	rundll32.exe
PID 1368 wrote to memory of 1100	1368	cmd.exe	rundll32.exe
PID 1368 wrote to memory of 1100	1368	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar
2⤵
- Modifies registry class
PID:1100

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\" -spe -an -ai#7zMap2291:120:7zEvent9206
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1236

C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
Filesize
1550.3MB

MD5
ddb9346458f3d52e9cd7311ebba05621

SHA1
a7a1e5285e89f76e6977bb2f933261ed0dec28b0

SHA256
15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc

SHA512
e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14

Download Submit
C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
Filesize
1550.3MB

MD5
ddb9346458f3d52e9cd7311ebba05621

SHA1
a7a1e5285e89f76e6977bb2f933261ed0dec28b0

SHA256
15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc

SHA512
e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14

Download Submit
memory/364-143-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/364-145-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/364-144-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/364-147-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/364-146-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/364-148-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/364-149-0x0000000000400000-0x0000000001DF6000-memory.dmp

Filesize
26.0MB

Download