Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-02-2023 09:47

General

  • Target

    BankStatement-1675331125.xll

  • Size

    74KB

  • MD5

    5c287794bace944ead0a08e983d01189

  • SHA1

    96985e797089f12ce9d93f3c64014835ce93e427

  • SHA256

    283e57e344d4c651c214a7d92c560129b99196c444df3afda07d3bd03c73d578

  • SHA512

    e07791637149e4d11f72913b15e34b63b60aa0baa6613e69e209dde7d575cbed8ce564b4a4cae8ba5dd2b046274c45e7f532d50712f77e3bf32e9767eaa72a3d

  • SSDEEP

    768:6yNyZbRL5TDs0sxOUKBbZU1h4UG93elR/APDKILoJh39McLDIVdT1iHBmY:MZbJ5k0XUKBbZU12U43elwSf/IWBmY

Malware Config

Extracted

  • Language
    xlm4.0
  • Source

Extracted

  • Family
    raccoon
  • Botnet
    470ed711dadd97d5f2669317d6d3ee7d
  • C2
    http://102.130.113.39
  • rc4.plain

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BankStatement-1675331125.xll"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Expand-Archive -Path "C:\Users\Admin\AppData\Local\Temp\mypictures.zip" -DestinationPath "C:\Users\Admin\AppData\Local\Temp\."
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4164
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /cstart C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4060
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            5⤵
              PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (2) T1012
    • System Information Discovery (2) T1082


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BankStatement-1675331125.xll
      Filesize

      74KB

      MD5

      5c287794bace944ead0a08e983d01189

      SHA1

      96985e797089f12ce9d93f3c64014835ce93e427

      SHA256

      283e57e344d4c651c214a7d92c560129b99196c444df3afda07d3bd03c73d578

      SHA512

      e07791637149e4d11f72913b15e34b63b60aa0baa6613e69e209dde7d575cbed8ce564b4a4cae8ba5dd2b046274c45e7f532d50712f77e3bf32e9767eaa72a3d

    • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
      Filesize

      826.2MB

      MD5

      2d7dc2b28e742731e5c1aca9ca2504c1

      SHA1

      dfdc514b64369b26b8d5be715ee26e3001d56769

      SHA256

      d38483ae38d39071c1c5926bb1940671d8a324915cc608e6b35df41f4826d6be

      SHA512

      aa100b61fd542846949d10f2716cf155b796f32060ca2c24e8216ef0336a87dfd5d16f0072fec062da7415e1977bb9a7b8304dc424e2419a14a55aa4f5ff0f95

    • C:\Users\Admin\AppData\Local\Temp\mypictures.zip
      Filesize

      6.9MB

      MD5

      b145c7b31e020809beb62b5ff5c7b66b

      SHA1

      4bfae85a04739c8c3d39b9b60b5f2afd4db5c4cf

      SHA256

      a68bf293252d2e9f4e86646d8b0be474bf858bfb8dde2a787fd8f5e8aabd8af0

      SHA512

      84835b1a6936f6a4c0dea466936f3f1ce438a06636b22a6a7a966aa7d1e39f028a184a21ae8e6956ba30033982eaef3716cdade9485ba2b5040ca3f965788941
