Overview

overview

10

Static

static

8

viruss.xlsb

windows7_x64

10

viruss.xlsb

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-05-2021 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    viruss.xlsb

  • Size

    37KB

  • MD5

    719009a094c6f3155e7abc537078b943

  • SHA1

    c4b3109cf39b301b30e732db7493f3241236ed1f

  • SHA256

    a2420c7f0c7bf5d3c0893aff6b7440a09c0531632434d2bbb6f8ed98b04317b9

  • SHA512

    6a7ae98bfd2ba970d544566bafdf05ba6eb1ee7b9a19e2f7720f69952e8360bcaa6f532fc7f46b638b5174682b55953f48868245af6c57ab787f31d02d45d0a2

Score
10/10
raccoonc021300d0074689fde86c87568e215c582272721stealer

Malware Config

Extracted

Family

raccoon

Botnet

c021300d0074689fde86c87568e215c582272721

Attributes
  • url4cnc

    https://tttttt.me/ch0koalpengold

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 5 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\viruss.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe
      2⤵
      • Executes dropped EXE
      PID:3980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 752
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:380
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 856
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 736
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 896
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    MD5

    7a09cabba9c55ae1d5c1255dafa94366

    SHA1

    d39c39dd600e3081213ed627a13ed2b4003531f5

    SHA256

    833c8c34a6c6dcdeaeeff648f0db155c5401bc03f538b2153bdc3bc970bb4e1b

    SHA512

    cff43d8648cf339a04284fee3690cfffb6d02832290308fa930186f3470fb1bfb95f739b8ee724dcdcb341f923ac5536daa972932d1a34d4c49c4ca399fadacf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\test.exe
    MD5

    7a09cabba9c55ae1d5c1255dafa94366

    SHA1

    d39c39dd600e3081213ed627a13ed2b4003531f5

    SHA256

    833c8c34a6c6dcdeaeeff648f0db155c5401bc03f538b2153bdc3bc970bb4e1b

    SHA512

    cff43d8648cf339a04284fee3690cfffb6d02832290308fa930186f3470fb1bfb95f739b8ee724dcdcb341f923ac5536daa972932d1a34d4c49c4ca399fadacf

    Download Submit
  • memory/764-122-0x00007FF9BA050000-0x00007FF9BB13E000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/764-117-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/764-118-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/764-121-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/764-114-0x00007FF6EC300000-0x00007FF6EF8B6000-memory.dmp
    Filesize

    53.7MB

    Download
  • memory/764-123-0x00007FF9B8150000-0x00007FF9BA045000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/764-116-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/764-115-0x00007FF999990000-0x00007FF9999A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3980-179-0x0000000000000000-mapping.dmp
    Download
  • memory/3980-182-0x00000000021F0000-0x0000000002281000-memory.dmp
    Filesize

    580KB

    Download
  • memory/3980-183-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download