raccoon | e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde

Analysis

max time kernel
148s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe
Size

10.4MB
MD5

ff63e8f5b4f30a045c8b69219da4305d
SHA1

38d1dbda1992ca36752b3a7c5633f57c111dfbfe
SHA256

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde
SHA512

c045d6e2bccc15b41bf3b0c90b7aa66265d2ce4c3870351ce87de265c1fb5a0370e3b85dbae230c7020573c3ce8330cb8c7642d0b897fd09f546b4308e5e32fe
SSDEEP

196608:dNR0VMXHsF0wuqcqj4P8QYiqEvy1ru/ADM3Je4SKtl0cpRumKphRmdt5o9X:ycDwhcRPV/qLYoDUPDnumKph+o9X

Score

10^/10

raccoon b0f267902bbcc11cd154886fb8ee5da8 stealer

Malware Config

Extracted

Family

raccoon

Botnet

b0f267902bbcc11cd154886fb8ee5da8

http://94.142.138.74:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2892-1118-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Executes dropped EXE 3 IoCs

Processes:

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmpRegOrganizerPortable.exeRegOrganizerPortable.exe

pid process

2064 e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
2192 RegOrganizerPortable.exe
2892 RegOrganizerPortable.exe

Loads dropped DLL 4 IoCs

Processes:

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exee0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmpRegOrganizerPortable.exe

pid	process
2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe
2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
2192	RegOrganizerPortable.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RegOrganizerPortable.exe

description pid process target process

PID 2192 set thread context of 2892 2192 RegOrganizerPortable.exe RegOrganizerPortable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2192 set thread context of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmpRegOrganizerPortable.exe

pid	process
2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
2192	RegOrganizerPortable.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegOrganizerPortable.exe

description pid process

Token: SeDebugPrivilege 2192 RegOrganizerPortable.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp

pid process

2064 e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp

description	pid	process
Token: SeDebugPrivilege	2192	RegOrganizerPortable.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exee0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmpRegOrganizerPortable.exe

description	pid	process	target process
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2172 wrote to memory of 2064	2172	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
PID 2064 wrote to memory of 2192	2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp	RegOrganizerPortable.exe
PID 2064 wrote to memory of 2192	2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp	RegOrganizerPortable.exe
PID 2064 wrote to memory of 2192	2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp	RegOrganizerPortable.exe
PID 2064 wrote to memory of 2192	2064	e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe
PID 2192 wrote to memory of 2892	2192	RegOrganizerPortable.exe	RegOrganizerPortable.exe

C:\Users\Admin\AppData\Local\Temp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe
"C:\Users\Admin\AppData\Local\Temp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\is-TN1FK.tmp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TN1FK.tmp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp" /SL5="$90154,10064615,832512,C:\Users\Admin\AppData\Local\Temp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe
    "C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe
      "C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe"
      4⤵
      Executes dropped EXE
      PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe

Filesize
7.2MB

MD5
23c28c4c8ee60fa2042aa374739d712a

SHA1
17363e779d8956d38ec84b0281823c225433d729

SHA256
36dbddb3ec05a1102224f6185edefd2b67ad81fefe4278372e4c5414c6edc09a

SHA512
76829322577a15454e1e137916803fbba4dd4fe7e259a4acfb6c756885f7bbbe2a53613063c0013e6af4dc2270ce9a50ac1d7238eb06df045d91a0a9b63c60e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe

Filesize
7.2MB

MD5
23c28c4c8ee60fa2042aa374739d712a

SHA1
17363e779d8956d38ec84b0281823c225433d729

SHA256
36dbddb3ec05a1102224f6185edefd2b67ad81fefe4278372e4c5414c6edc09a

SHA512
76829322577a15454e1e137916803fbba4dd4fe7e259a4acfb6c756885f7bbbe2a53613063c0013e6af4dc2270ce9a50ac1d7238eb06df045d91a0a9b63c60e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe

Filesize
7.2MB

MD5
23c28c4c8ee60fa2042aa374739d712a

SHA1
17363e779d8956d38ec84b0281823c225433d729

SHA256
36dbddb3ec05a1102224f6185edefd2b67ad81fefe4278372e4c5414c6edc09a

SHA512
76829322577a15454e1e137916803fbba4dd4fe7e259a4acfb6c756885f7bbbe2a53613063c0013e6af4dc2270ce9a50ac1d7238eb06df045d91a0a9b63c60e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe

Filesize
7.2MB

MD5
23c28c4c8ee60fa2042aa374739d712a

SHA1
17363e779d8956d38ec84b0281823c225433d729

SHA256
36dbddb3ec05a1102224f6185edefd2b67ad81fefe4278372e4c5414c6edc09a

SHA512
76829322577a15454e1e137916803fbba4dd4fe7e259a4acfb6c756885f7bbbe2a53613063c0013e6af4dc2270ce9a50ac1d7238eb06df045d91a0a9b63c60e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TN1FK.tmp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp

Filesize
3.1MB

MD5
0d876439e581499ab21e3d08a80a3e72

SHA1
8510140e47704d7faebf369f2aa0284b7ed00f3b

SHA256
f862595927ac5be4796d64dfd5d6b7ac682d3923c53d78b7856c13b145228ccb

SHA512
824b35943d15b82044ffe50b60400ec8fa59f72ed9fd793e15a4ac6c2b927fed23289330720237587cc413445770456ee555da2558040440c44a0e475db5af3c

Download Submit
\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe

Filesize
7.2MB

MD5
23c28c4c8ee60fa2042aa374739d712a

SHA1
17363e779d8956d38ec84b0281823c225433d729

SHA256
36dbddb3ec05a1102224f6185edefd2b67ad81fefe4278372e4c5414c6edc09a

SHA512
76829322577a15454e1e137916803fbba4dd4fe7e259a4acfb6c756885f7bbbe2a53613063c0013e6af4dc2270ce9a50ac1d7238eb06df045d91a0a9b63c60e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\Reg Organizer Portable\glodlsunblockninja-dngcq\RegOrganizerPortable.exe

Filesize
7.2MB

MD5
23c28c4c8ee60fa2042aa374739d712a

SHA1
17363e779d8956d38ec84b0281823c225433d729

SHA256
36dbddb3ec05a1102224f6185edefd2b67ad81fefe4278372e4c5414c6edc09a

SHA512
76829322577a15454e1e137916803fbba4dd4fe7e259a4acfb6c756885f7bbbe2a53613063c0013e6af4dc2270ce9a50ac1d7238eb06df045d91a0a9b63c60e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-53M6O.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-TN1FK.tmp\e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde.tmp

Filesize
3.1MB

MD5
0d876439e581499ab21e3d08a80a3e72

SHA1
8510140e47704d7faebf369f2aa0284b7ed00f3b

SHA256
f862595927ac5be4796d64dfd5d6b7ac682d3923c53d78b7856c13b145228ccb

SHA512
824b35943d15b82044ffe50b60400ec8fa59f72ed9fd793e15a4ac6c2b927fed23289330720237587cc413445770456ee555da2558040440c44a0e475db5af3c

Download Submit
memory/2064-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2064-169-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2172-171-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2172-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2192-198-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-213-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-178-0x0000000005330000-0x00000000053D6000-memory.dmp

Filesize
664KB

Download
memory/2192-179-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-180-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-182-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-184-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-186-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-188-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-190-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-192-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-194-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-196-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-176-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/2192-200-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/2192-201-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-203-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-205-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-207-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-209-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-211-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-177-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/2192-215-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-217-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-219-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-221-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-223-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-225-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-227-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-229-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-231-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-233-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-235-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-237-0x0000000005330000-0x00000000053D1000-memory.dmp

Filesize
644KB

Download
memory/2192-1102-0x00000000050B0000-0x00000000050E2000-memory.dmp

Filesize
200KB

Download
memory/2192-1103-0x00000000054A0000-0x00000000054EC000-memory.dmp

Filesize
304KB

Download
memory/2192-175-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/2192-174-0x00000000050E0000-0x0000000005232000-memory.dmp

Filesize
1.3MB

Download
memory/2192-1106-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2192-172-0x0000000001F40000-0x0000000002096000-memory.dmp

Filesize
1.3MB

Download
memory/2892-1118-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download