Analysis
- max time kernel: 141s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 23:21

Static task: static1
Behavioral task: behavioral1
  Sample: BankStatement009810.xlsb
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: BankStatement009810.xlsb
  Resource: win10v20210410
General
- Target: BankStatement009810.xlsb
- Size: 37KB
- MD5: 4bedb6631269e591cdfe5c981cd4d219
- SHA1: 46dfc240038bb75928ccc8153781a6b0e5957904
- SHA256: bfb37c9adc809e880f56dd10898b5425242330d6e2fa69e014a98e6dc18ce416
- SHA512: 2adbb8c384711161029f129ddd9de0108af47245f01fbebc7670f1d864aeeb47398b5a01fed65985ca4db42f4fa6df33dd3c5e8142edf6788e569ae898d50ad6
Malware Config
Extracted
- raccoon
- c021300d0074689fde86c87568e215c582272721
- url4cnc: https://tttttt.me/ch0koalpengold
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes (description / pid / process / target process):
    PID 2084 created 576 | 2084 | WerFault.exe | test.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    576 | test.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    576 | test.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Program crash (32 IoCs)
  Processes (pid / pid_target / process / target process): every entry is WerFault.exe reporting on test.exe (pid_target 576); reporting PIDs in order:
    4076, 1300, 3940, 4056, 1340, 3800, 412, 3788, 4080, 3184, 1308, 3960, 3716, 3136, 412, 3788, 1876, 4000, 3672, 3980, 3752, 3800, 1288, 4052, 4000, 3672, 2252, 1340, 2192, 3828, 4020, 2084
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid / process):
    2256 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process), listed entries only:
    4076 | WerFault.exe (15 entries)
    1300 | WerFault.exe (15 entries)
    3940 | WerFault.exe (15 entries)
    4056 | WerFault.exe (15 entries)
    1340 | WerFault.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege | 4076 | WerFault.exe
    Token: SeBackupPrivilege | 4076 | WerFault.exe
    Token: SeDebugPrivilege | WerFault.exe, one entry per PID in order:
      4076, 1300, 3940, 4056, 1340, 3800, 412, 3788, 4080, 3184, 1308, 3960, 3716, 3136, 412, 3788, 1876, 4000, 3672, 3980, 3752, 3800, 1288, 4052, 4000, 3672, 2252, 1340, 2192, 3828, 4020, 2084
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid / process):
    2256 | EXCEL.EXE (8 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 2256 wrote to memory of 576 | 2256 | EXCEL.EXE | test.exe (3 entries)
Processes
- Level 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BankStatement009810.xlsb"
  PID: 2256
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\test.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\test.exe
    PID: 576
    - Executes dropped EXE
    - Loads dropped DLL
    - Level 3: C:\Windows\SysWOW64\WerFault.exe (32 instances, all children of test.exe PID 576)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s <handle>, with <handle> per instance as listed below
      Signature key: crash = Program crash; enum = Suspicious behavior: EnumeratesProcesses; token = Suspicious use of AdjustPrivilegeToken; ntcreate = Suspicious use of NtCreateProcessExOtherParentProcess
      PID   | -s   | Signatures
      4076  | 748  | crash, enum, token
      1300  | 760  | crash, enum, token
      3940  | 912  | crash, enum, token
      4056  | 928  | crash, enum, token
      1340  | 1200 | crash, enum, token
      3800  | 1224 | crash, token
      412   | 1332 | crash, token
      3788  | 1300 | crash, token
      4080  | 1208 | crash, token
      3184  | 1396 | crash, token
      1308  | 1288 | crash, token
      3960  | 1464 | crash, token
      3716  | 1208 | crash, token
      3136  | 1376 | crash, token
      412   | 1448 | crash, token
      3788  | 1556 | crash, token
      1876  | 1488 | crash, token
      4000  | 1404 | crash, token
      3672  | 1296 | crash, token
      3980  | 1468 | crash, token
      3752  | 1652 | crash, token
      3800  | 1716 | crash, token
      1288  | 1412 | crash, token
      4052  | 1500 | crash, token
      4000  | 1532 | crash, token
      3672  | 748  | crash, token
      2252  | 1416 | crash, token
      1340  | 1524 | crash, token
      2192  | 1612 | crash, token
      3828  | 1724 | crash, token
      4020  | 1580 | crash, token
      2084  | 1684 | ntcreate, crash, token
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.exe
  MD5: d0496b3ba31e1999123a3537275f89ed
  SHA1: 433fe5a2241f7fc909f7e5de76900c7752dd823f
  SHA256: de7ccff53ca27db1ed1e3e0d0df07f2e3364ec6b7e60622dc7726cba56831eb7
  SHA512: 68b59d4502658f522ec72e44cc61b255299ebcafb6a497089356e4f38e08a870c357393edf6ae379b09b60cc16a0c89b9268d004e80fde03be2e5d2e2c58354a
- \Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5: f964811b68f9f1487c2b41e1aef576ce
  SHA1: b423959793f14b1416bc3b7051bed58a1034025f
  SHA256: 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512: 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
- memory/576-179-0x0000000000000000-mapping.dmp
- memory/576-183-0x0000000000400000-0x00000000004A3000-memory.dmp
  Filesize: 652KB
- memory/576-182-0x00000000020B0000-0x0000000002141000-memory.dmp
  Filesize: 580KB
- memory/2256-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp
  Filesize: 64KB
- memory/2256-123-0x00007FF878D10000-0x00007FF87AC05000-memory.dmp
  Filesize: 31.0MB
- memory/2256-122-0x00007FF87AC10000-0x00007FF87BCFE000-memory.dmp
  Filesize: 16.9MB
- memory/2256-121-0x00007FF85A170000-0x00007FF85A180000-memory.dmp
  Filesize: 64KB
- memory/2256-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmp
  Filesize: 64KB
- memory/2256-114-0x00007FF6B3180000-0x00007FF6B6736000-memory.dmp
  Filesize: 53.7MB
- memory/2256-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp
  Filesize: 64KB
- memory/2256-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp
  Filesize: 64KB