raccoon | 345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.exe
Size

1.3MB
MD5

cbf9b27a8f0e0694c727f4365776b745
SHA1

b76eabb6b37b3fe27c422f09b13b460efd7e4c7a
SHA256

345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d
SHA512

05872d46d73006ab7f782eb2b72c769be690db90e556695124544939a09bd87c0a046d48b8c7ebbf81dc05bf69b3a318b394a34e36c368892d03d1a905ab73e2
SSDEEP

24576:Gc9fr4kJAx1q/o/Ugge7p+XgwUXKXeaWptGyvNjl:G+py15bgeF+SlptGyvdl

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3500-29-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/3500-31-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Lone.pif

description pid process target process

PID 420 created 3356 420 Lone.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Lone.pifLone.pif

pid process

420 Lone.pif
3500 Lone.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Lone.pif

description pid process target process

PID 420 set thread context of 3500 420 Lone.pif Lone.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2604 tasklist.exe
3916 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4696 PING.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Lone.pif

pid process

420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
420 Lone.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3916 tasklist.exe
Token: SeDebugPrivilege 2604 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Lone.pif

pid process

420 Lone.pif
420 Lone.pif
420 Lone.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Lone.pif

pid process

420 Lone.pif
420 Lone.pif
420 Lone.pif

description	pid	process	target process
PID 420 created 3356	420	Lone.pif	Explorer.EXE

pid	process
420	Lone.pif
3500	Lone.pif

description	pid	process	target process
PID 420 set thread context of 3500	420	Lone.pif	Lone.pif

pid	process
2604	tasklist.exe
3916	tasklist.exe

pid	process
4696	PING.EXE

pid	process
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif
420	Lone.pif

description	pid	process
Token: SeDebugPrivilege	3916	tasklist.exe
Token: SeDebugPrivilege	2604	tasklist.exe

pid	process
420	Lone.pif
420	Lone.pif
420	Lone.pif

pid	process
420	Lone.pif
420	Lone.pif
420	Lone.pif

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.execmd.execmd.exeLone.pif

description	pid	process	target process
PID 2720 wrote to memory of 764	2720	345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.exe	cmd.exe
PID 2720 wrote to memory of 764	2720	345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.exe	cmd.exe
PID 2720 wrote to memory of 764	2720	345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.exe	cmd.exe
PID 764 wrote to memory of 896	764	cmd.exe	cmd.exe
PID 764 wrote to memory of 896	764	cmd.exe	cmd.exe
PID 764 wrote to memory of 896	764	cmd.exe	cmd.exe
PID 896 wrote to memory of 3916	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 3916	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 3916	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 740	896	cmd.exe	findstr.exe
PID 896 wrote to memory of 740	896	cmd.exe	findstr.exe
PID 896 wrote to memory of 740	896	cmd.exe	findstr.exe
PID 896 wrote to memory of 2604	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 2604	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 2604	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 3512	896	cmd.exe	findstr.exe
PID 896 wrote to memory of 3512	896	cmd.exe	findstr.exe
PID 896 wrote to memory of 3512	896	cmd.exe	findstr.exe
PID 896 wrote to memory of 548	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 548	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 548	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 680	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 680	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 680	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 4392	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 4392	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 4392	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 420	896	cmd.exe	Lone.pif
PID 896 wrote to memory of 420	896	cmd.exe	Lone.pif
PID 896 wrote to memory of 420	896	cmd.exe	Lone.pif
PID 896 wrote to memory of 4696	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 4696	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 4696	896	cmd.exe	PING.EXE
PID 420 wrote to memory of 3500	420	Lone.pif	Lone.pif
PID 420 wrote to memory of 3500	420	Lone.pif	Lone.pif
PID 420 wrote to memory of 3500	420	Lone.pif	Lone.pif
PID 420 wrote to memory of 3500	420	Lone.pif	Lone.pif
PID 420 wrote to memory of 3500	420	Lone.pif	Lone.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.exe
"C:\Users\Admin\AppData\Local\Temp\345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /k cmd < Lay & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:740

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
5⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 6631
5⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Layer + Twenty + Celebrity + Transcription + Facing + Ultimately 6631\Lone.pif
5⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Cal + Ict 6631\X
5⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\46578\6631\Lone.pif
6631\Lone.pif 6631\X
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:4696

C:\Users\Admin\AppData\Local\Temp\46578\6631\Lone.pif
C:\Users\Admin\AppData\Local\Temp\46578\6631\Lone.pif
2⤵
- Executes dropped EXE
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46578\6631\Lone.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\6631\Lone.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\6631\X

Filesize
511KB

MD5
2ebf94c059b356d8f92e2748635b0a69

SHA1
e534b1fffcfee1887ae418c3a683423561a5a3db

SHA256
5db4acc8901e4dd1db65cc58720e00548c742a01e8f70f0b7663044670f11b8f

SHA512
a3d78ae6f1023f18169016d9a81582a8492c6025838ec6dbf7ac270a8894bbf7bd247debf53e57c6b37570877993d49711115a76c2590344e583d1df6a396c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Cal

Filesize
440KB

MD5
0fcae781fd17a5615eebc1133d6d10d8

SHA1
c7147dc0382f34cf7a701e6cfc8ec740db58d1c3

SHA256
01148a35f3033f573130015ec4d43a912f45fd1b650e3f27aa648ecb0e984d47

SHA512
3e1c96abe457445ee456b4d60e10768d57184c23073789c4df73a64645d5ec8b9a1584f9ab2420e3a41dab1b8933ea42da3969265ed5dbb3510673e65652cbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Celebrity

Filesize
221KB

MD5
4b9a1ba9e61b62f7c56445888557220d

SHA1
8d2ef3958684227511ea9bbb2d473772f0004524

SHA256
a7a0d448e55749596194b7968687537813d416f7c7a2ae395e9136829625c109

SHA512
5ab25cf421547f450302ece5e3ec9c42fbc0d77965ae6c3334b3919b753406d823502c1605cd17477330d0febd3f67267d07e6f708d4d1b08d7ce6c5abd1b3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Facing

Filesize
126KB

MD5
8932a445b3a14b6e8c0308b8ba1521f0

SHA1
9aea78cd5ab6be81df9be1a8c7ad13bed0099759

SHA256
2dbd637f2914f388cd38ddfc1dac866d8c26a58b1a8350284df66d8d555f7e91

SHA512
1f1703016445e1c6fa5a35512eb040407ec0566d92e847aab7a674b5813a3527db9e1e9505e6d261f7b1b6df867e954fe77d7fbd47784027584572c35e235ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Ict

Filesize
71KB

MD5
fe046b40042b4efcdaa5250f40288b47

SHA1
8264d6d8d922028928c57454118e6ac64ca2c955

SHA256
8bd834c3578ea62a4ea411c202a98fdaa47af2dc745708959a5910104316ca22

SHA512
9533597db56f90b421ade12a9dbb7c90dc9d3496cc8b21626794ee71f28bda2956192dc9788dd863d24fcf2f9ac5b77adc7b2a20d8848018c3862058bc0d357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Lay

Filesize
13KB

MD5
83d482d2799e2bc9287ebb583b45c99d

SHA1
a8864eecb093e9229a58194dec4452a653337d63

SHA256
01cfed8fea337dce2c2d76a7c8ef8ad1ac0b9d424a58ce8b3984f9ebad8a71a2

SHA512
7b934022159f4be653b4e19590fbc0357256f2db1e4edea86428b04a84617920e75e58e6342122af3ca88efc24f79cfd883512fba1a8244c6289d977cbcb7825

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Layer

Filesize
247KB

MD5
2cfb93e98c265b90e75917162a38289c

SHA1
08062592c168176e5319ea7b3e13512cbb735b43

SHA256
e58bce258dc9c7ff11ccb7f1eb15487a56da6e6f7fa6b8de827cef7838196d4c

SHA512
3a5c9588082e79d67e377b6e4bcf614e673b2463f079887647ace5fed3f2cf083a375881fccb8f280e58964c07f6db20247a5abc2708edbcc9d82d01174e6aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Transcription

Filesize
165KB

MD5
6e579d87b8f41b6ced0be6da22fa57ed

SHA1
16b50b6dd6a28d5dfc78b8427d1a120e859d3a9f

SHA256
760ccbfd6bacb27b98412b96dc12e24fd4e54b3a6369bf6f682af655c4927ed0

SHA512
ec87306bc73e359a4e4183868202a05aab75a6306f5075c1092e46689598d7186d3f1f4fc36cb5f866c87acbc7ad66e0c8fc49018b13da9e9df533ebfa590d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Twenty

Filesize
155KB

MD5
e5b6d122a277a0b3b24fcf176ffe8d61

SHA1
3a2624694f26fac2414ee67c7a80ea357e257455

SHA256
73eb2e52c429eeff406e615a70eed473db80e689167fcfa8394923cb3d782b5c

SHA512
8ed975efd807a1e3552bb8c586c75e7a4f616d402200c52f5c45922f451d713bc30b5d85509145821e6ad3cf1e78ed4e94edd0f8fe5795975ac4e20df3b9aa93

Download Submit
C:\Users\Admin\AppData\Local\Temp\46578\Ultimately

Filesize
10KB

MD5
fc5f6a0d362c72588f7e3fb40888d6ad

SHA1
5cb8eff81ade662e5c463afdbed7858f09d28bb4

SHA256
bc209160b86a98b227d611f3e2270295ebf13b82ec05128286c5239307127cab

SHA512
d2eeed44e5113ef0e52ca3fa1609692922dcba496b5705df754968e2fa6e2ba17942b1f41da29dc10b78214f6680bd7e289d92b0ac9e104944a8091a537de26b

Download Submit
memory/420-26-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2720-25-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2720-24-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2720-0-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3500-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3500-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3500-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download