Overview

overview

10

Static

static

BankStatem...25.xll

windows7-x64

7

BankStatem...25.xll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2023 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BankStatement-1675331125.xll

  • Size

    74KB

  • MD5

    5c287794bace944ead0a08e983d01189

  • SHA1

    96985e797089f12ce9d93f3c64014835ce93e427

  • SHA256

    283e57e344d4c651c214a7d92c560129b99196c444df3afda07d3bd03c73d578

  • SHA512

    e07791637149e4d11f72913b15e34b63b60aa0baa6613e69e209dde7d575cbed8ce564b4a4cae8ba5dd2b046274c45e7f532d50712f77e3bf32e9767eaa72a3d

  • SSDEEP

    768:6yNyZbRL5TDs0sxOUKBbZU1h4UG93elR/APDKILoJh39McLDIVdT1iHBmY:MZbJ5k0XUKBbZU12U43elwSf/IWBmY

Score
10/10
raccoon470ed711dadd97d5f2669317d6d3ee7dstealer

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

raccoon

Botnet

470ed711dadd97d5f2669317d6d3ee7d

C2

http://102.130.113.39

rc4.plain

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BankStatement-1675331125.xll"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Expand-Archive -Path "C:\Users\Admin\AppData\Local\Temp\mypictures.zip" -DestinationPath "C:\Users\Admin\AppData\Local\Temp\."
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /cstart C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3628
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            5⤵
              PID:2472
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
              5⤵
                PID:5060

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\BankStatement-1675331125.xll
        Filesize

        74KB

        MD5

        5c287794bace944ead0a08e983d01189

        SHA1

        96985e797089f12ce9d93f3c64014835ce93e427

        SHA256

        283e57e344d4c651c214a7d92c560129b99196c444df3afda07d3bd03c73d578

        SHA512

        e07791637149e4d11f72913b15e34b63b60aa0baa6613e69e209dde7d575cbed8ce564b4a4cae8ba5dd2b046274c45e7f532d50712f77e3bf32e9767eaa72a3d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\BankStatement-1675331125.xll
        Filesize

        74KB

        MD5

        5c287794bace944ead0a08e983d01189

        SHA1

        96985e797089f12ce9d93f3c64014835ce93e427

        SHA256

        283e57e344d4c651c214a7d92c560129b99196c444df3afda07d3bd03c73d578

        SHA512

        e07791637149e4d11f72913b15e34b63b60aa0baa6613e69e209dde7d575cbed8ce564b4a4cae8ba5dd2b046274c45e7f532d50712f77e3bf32e9767eaa72a3d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        Filesize

        826.2MB

        MD5

        2d7dc2b28e742731e5c1aca9ca2504c1

        SHA1

        dfdc514b64369b26b8d5be715ee26e3001d56769

        SHA256

        d38483ae38d39071c1c5926bb1940671d8a324915cc608e6b35df41f4826d6be

        SHA512

        aa100b61fd542846949d10f2716cf155b796f32060ca2c24e8216ef0336a87dfd5d16f0072fec062da7415e1977bb9a7b8304dc424e2419a14a55aa4f5ff0f95

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        Filesize

        826.2MB

        MD5

        2d7dc2b28e742731e5c1aca9ca2504c1

        SHA1

        dfdc514b64369b26b8d5be715ee26e3001d56769

        SHA256

        d38483ae38d39071c1c5926bb1940671d8a324915cc608e6b35df41f4826d6be

        SHA512

        aa100b61fd542846949d10f2716cf155b796f32060ca2c24e8216ef0336a87dfd5d16f0072fec062da7415e1977bb9a7b8304dc424e2419a14a55aa4f5ff0f95

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\mypictures.zip
        Filesize

        6.9MB

        MD5

        b145c7b31e020809beb62b5ff5c7b66b

        SHA1

        4bfae85a04739c8c3d39b9b60b5f2afd4db5c4cf

        SHA256

        a68bf293252d2e9f4e86646d8b0be474bf858bfb8dde2a787fd8f5e8aabd8af0

        SHA512

        84835b1a6936f6a4c0dea466936f3f1ce438a06636b22a6a7a966aa7d1e39f028a184a21ae8e6956ba30033982eaef3716cdade9485ba2b5040ca3f965788941

        Download Submit
      • memory/1308-155-0x0000000005500000-0x000000000550A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1308-154-0x0000000005420000-0x00000000054B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1308-153-0x0000000005A90000-0x0000000006034000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1308-152-0x0000000000990000-0x0000000000A7C000-memory.dmp
        Filesize

        944KB

        Download
      • memory/1308-149-0x0000000000000000-mapping.dmp
        Download
      • memory/2144-148-0x0000000000000000-mapping.dmp
        Download
      • memory/2312-166-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-134-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-132-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-167-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-168-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-165-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-133-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-138-0x00007FFF44BD0000-0x00007FFF44BE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-137-0x00007FFF44BD0000-0x00007FFF44BE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-136-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-135-0x00007FFF46C30000-0x00007FFF46C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2472-172-0x0000000000000000-mapping.dmp
        Download
      • memory/2880-141-0x0000000000000000-mapping.dmp
        Download
      • memory/2880-142-0x0000023AA1720000-0x0000023AA1742000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2880-147-0x00007FFF5D6A0000-0x00007FFF5E161000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2880-146-0x00007FFF5D6A0000-0x00007FFF5E161000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2880-143-0x0000023AA1C00000-0x0000023AA1C12000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2880-144-0x0000023AA1A80000-0x0000023AA1A8A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3628-160-0x0000000004CA0000-0x0000000004D06000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3628-162-0x0000000005C70000-0x0000000005C8E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3628-164-0x0000000005EB0000-0x0000000005EF4000-memory.dmp
        Filesize

        272KB

        Download
      • memory/3628-161-0x0000000005440000-0x00000000054A6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3628-159-0x0000000004C00000-0x0000000004C22000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3628-158-0x0000000004E10000-0x0000000005438000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3628-157-0x0000000004640000-0x0000000004676000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3628-169-0x0000000006E30000-0x0000000006EA6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3628-170-0x0000000007530000-0x0000000007BAA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3628-171-0x0000000006250000-0x000000000626A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3628-156-0x0000000000000000-mapping.dmp
        Download
      • memory/5060-173-0x0000000000000000-mapping.dmp
        Download
      • memory/5060-174-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/5060-176-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/5060-177-0x0000000000400000-0x000000000041E000-memory.dmp
        Filesize

        120KB

        Download