raccoon | 5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f

Analysis

max time kernel
1236s
max time network
1239s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10-05-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Open_Setup_Use_2023_As_PassWord.rar
Size

17.7MB
MD5

ec63229d00684415d591cef854167dd2
SHA1

73afa5c05b2cb0c3a9d0ca279e610f24c10968b5
SHA256

5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f
SHA512

9b3541f4d9eb6d7a54a37371492e559cbe1281f79d042829a60f2a96148762361ea33e6030574433153025c964956cface47bdcc6f4130e53973081d33bf507b
SSDEEP

393216:uaMZMSMm7fFnlDU6iqvz0DVjzeqDJdQIWOgSn5xMuortdTKX7Ev7QPXYVqbJ:uaClf/w6h709RDJxL5GsI7QgAl

Score

10^/10

raccoon 8ed6e26daba8160b1050248b4a36291b stealer

Malware Config

Extracted

Family

raccoon

Botnet

8ed6e26daba8160b1050248b4a36291b

http://37.220.87.69

http://83.217.11.13

http://94.142.138.126/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

+Setup.exe

pid process

4904 +Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

+Setup.exe

pid process

4904 +Setup.exe
4904 +Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4904	+Setup.exe

pid	process
4904	+Setup.exe
4904	+Setup.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

+Setup.exe

pid process

4904 +Setup.exe
4904 +Setup.exe

pid	process
4904	+Setup.exe
4904	+Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	2260	7zG.exe
Token: 35	2260	7zG.exe
Token: SeSecurityPrivilege	2260	7zG.exe
Token: SeSecurityPrivilege	2260	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2260 7zG.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4576 OpenWith.exe

pid	process
2260	7zG.exe

pid	process
4576	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar
1⤵
- Modifies registry class
PID:1612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2840

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\" -spe -an -ai#7zMap9420:120:7zEvent22468
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260

C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
Filesize
1550.3MB

MD5
ddb9346458f3d52e9cd7311ebba05621

SHA1
a7a1e5285e89f76e6977bb2f933261ed0dec28b0

SHA256
15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc

SHA512
e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14

Download Submit
C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
Filesize
1550.3MB

MD5
ddb9346458f3d52e9cd7311ebba05621

SHA1
a7a1e5285e89f76e6977bb2f933261ed0dec28b0

SHA256
15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc

SHA512
e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14

Download Submit
memory/4904-197-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/4904-198-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/4904-199-0x0000000000400000-0x0000000001DF6000-memory.dmp

Filesize
26.0MB

Download