raccoon | 071e9de15078bb820cb507eb135aed7ea4c4c0d42fe14ae205d20310e0ea89bb

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2f979b364f6ac14455079cfb11d9378.exe
Size

32.2MB
MD5

a2f979b364f6ac14455079cfb11d9378
SHA1

92f0e94e67fe3dc8de35f8cd4bf30143047df00f
SHA256

071e9de15078bb820cb507eb135aed7ea4c4c0d42fe14ae205d20310e0ea89bb
SHA512

f2cb77f04ccd36863e4473c38332f4cb426d0876003780f47f803540a07bbf27ddccd1f93a07c16eaa56b1807674762be04aa049daef286ca7a8ee1ccf4fda54
SSDEEP

393216:sV0pJXZqIOOHDvUmv4XOS5s41i7vP06D4sCLzhtxw/4JIvWZ:sV0qIbj8mgXL1i7lDqzhtG/Hg

Score

10^/10

raccoon 74b8b770a65f8e339e8f029b78098a50 stealer

Malware Config

Extracted

Family

raccoon

Botnet

74b8b770a65f8e339e8f029b78098a50

http://89.23.107.239:80/

http://49.13.18.115:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1312-153-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/1312-155-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/1312-159-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/1312-173-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

a2f979b364f6ac14455079cfb11d9378.exe

description pid process target process

PID 2000 set thread context of 1312 2000 a2f979b364f6ac14455079cfb11d9378.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2000 set thread context of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

a2f979b364f6ac14455079cfb11d9378.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2000	a2f979b364f6ac14455079cfb11d9378.exe
2192	powershell.exe
2864	powershell.exe
2752	powershell.exe
1256	powershell.exe
3020	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a2f979b364f6ac14455079cfb11d9378.exe

description	pid	process	target process
PID 2000 wrote to memory of 2192	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2192	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2192	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2864	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2864	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2864	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 1540	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1540	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1540	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1540	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 2752	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2752	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 2752	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1256	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 1256	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 1256	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 1312	2000	a2f979b364f6ac14455079cfb11d9378.exe	cvtres.exe
PID 2000 wrote to memory of 3020	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 3020	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe
PID 2000 wrote to memory of 3020	2000	a2f979b364f6ac14455079cfb11d9378.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a2f979b364f6ac14455079cfb11d9378.exe
"C:\Users\Admin\AppData\Local\Temp\a2f979b364f6ac14455079cfb11d9378.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAIgAgAC0ARgBvAHIAYwBlAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwAwADAA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00cd16c6d49458cb03afeac2f06ca675

SHA1
7cd18e2f4e3ed81b617f48795e54d78e75b1639d

SHA256
eca6068134273c289ea632024a9b1e30ee0696358f69e67d6d355338e7fa98d9

SHA512
b328791b6abe31b647ddd7950042667b76569b64cced941385fd2a8f22fa8de5c71e7455035362509b86078348f70727afcddf2a8167765f2a4bfbf3e5ac4b10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3d5ca308e8866306657d2b66e47224c

SHA1
2cfbcd61d003ecfc50469fec7b1bd81b5867641c

SHA256
a3c0c9c82f51e612677351cc7fbd036fcd6dff3ffd24e0dd9325cb0b17ef4388

SHA512
61347cb3440bea314e3af3c3b8ccf4b2fe1ec23bcec466ba209202120e19746ef48cf2ddcaf2a0abe279b59584f83a431728817377aca8aef038b49df2c38134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3d5ca308e8866306657d2b66e47224c

SHA1
2cfbcd61d003ecfc50469fec7b1bd81b5867641c

SHA256
a3c0c9c82f51e612677351cc7fbd036fcd6dff3ffd24e0dd9325cb0b17ef4388

SHA512
61347cb3440bea314e3af3c3b8ccf4b2fe1ec23bcec466ba209202120e19746ef48cf2ddcaf2a0abe279b59584f83a431728817377aca8aef038b49df2c38134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3d5ca308e8866306657d2b66e47224c

SHA1
2cfbcd61d003ecfc50469fec7b1bd81b5867641c

SHA256
a3c0c9c82f51e612677351cc7fbd036fcd6dff3ffd24e0dd9325cb0b17ef4388

SHA512
61347cb3440bea314e3af3c3b8ccf4b2fe1ec23bcec466ba209202120e19746ef48cf2ddcaf2a0abe279b59584f83a431728817377aca8aef038b49df2c38134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W0MWTWB7J77UUR545EJV.temp

Filesize
7KB

MD5
b3d5ca308e8866306657d2b66e47224c

SHA1
2cfbcd61d003ecfc50469fec7b1bd81b5867641c

SHA256
a3c0c9c82f51e612677351cc7fbd036fcd6dff3ffd24e0dd9325cb0b17ef4388

SHA512
61347cb3440bea314e3af3c3b8ccf4b2fe1ec23bcec466ba209202120e19746ef48cf2ddcaf2a0abe279b59584f83a431728817377aca8aef038b49df2c38134

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1256-141-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1256-143-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1256-140-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/1256-142-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1256-146-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/1256-145-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1256-144-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/1312-151-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-147-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-153-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-149-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-155-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-156-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1312-159-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1312-173-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2000-89-0x000007FEFD880000-0x000007FEFD882000-memory.dmp

Filesize
8KB

Download
memory/2000-60-0x00000000779F0000-0x00000000779F2000-memory.dmp

Filesize
8KB

Download
memory/2000-56-0x00000000779F0000-0x00000000779F2000-memory.dmp

Filesize
8KB

Download
memory/2000-58-0x000000013FA30000-0x0000000141A63000-memory.dmp

Filesize
32.2MB

Download
memory/2000-97-0x000000013FA30000-0x0000000141A63000-memory.dmp

Filesize
32.2MB

Download
memory/2000-61-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/2000-62-0x0000000077A00000-0x0000000077A02000-memory.dmp

Filesize
8KB

Download
memory/2000-64-0x0000000077A00000-0x0000000077A02000-memory.dmp

Filesize
8KB

Download
memory/2000-66-0x0000000077A00000-0x0000000077A02000-memory.dmp

Filesize
8KB

Download
memory/2000-67-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/2000-106-0x0000000077840000-0x00000000779E9000-memory.dmp

Filesize
1.7MB

Download
memory/2000-71-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/2000-92-0x000000013FA30000-0x0000000141A63000-memory.dmp

Filesize
32.2MB

Download
memory/2000-54-0x00000000779F0000-0x00000000779F2000-memory.dmp

Filesize
8KB

Download
memory/2000-69-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/2000-72-0x0000000077A20000-0x0000000077A22000-memory.dmp

Filesize
8KB

Download
memory/2000-76-0x0000000077A20000-0x0000000077A22000-memory.dmp

Filesize
8KB

Download
memory/2000-74-0x0000000077A20000-0x0000000077A22000-memory.dmp

Filesize
8KB

Download
memory/2000-77-0x0000000077A30000-0x0000000077A32000-memory.dmp

Filesize
8KB

Download
memory/2000-79-0x0000000077A30000-0x0000000077A32000-memory.dmp

Filesize
8KB

Download
memory/2000-81-0x0000000077A30000-0x0000000077A32000-memory.dmp

Filesize
8KB

Download
memory/2000-86-0x000007FEFD870000-0x000007FEFD872000-memory.dmp

Filesize
8KB

Download
memory/2000-84-0x000007FEFD870000-0x000007FEFD872000-memory.dmp

Filesize
8KB

Download
memory/2000-91-0x000007FEFD880000-0x000007FEFD882000-memory.dmp

Filesize
8KB

Download
memory/2192-102-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2192-100-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2192-104-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2192-105-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2192-99-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2192-103-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2192-107-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2192-101-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2192-98-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2752-127-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-130-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2752-133-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-128-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2752-132-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2752-131-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2752-129-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-119-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-121-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-115-0x000007FEF5060000-0x000007FEF59FD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-116-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2864-117-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2864-114-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2864-118-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2864-120-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2864-113-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/3020-172-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-167-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-168-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-169-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-170-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-171-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-166-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3020-165-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/3020-174-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-175-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-176-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-177-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3020-178-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download