Overview

overview

10

Static

static

1

BankStatem...03.xll

windows10-1703-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    134s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-02-2023 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BankStatement-1675357103.xll

  • Size

    75KB

  • MD5

    3b4e9b099644a02a9f8e14041cfc985a

  • SHA1

    4eec7644f504459704e0af6d9d1795a6aba309e5

  • SHA256

    999fe8e715aa1c1cf5554c6848ecaa3d86b5bbd73bd116452a85ec5fa92a9d4a

  • SHA512

    272c46937b3ec4bc7290892c8f2840183ee1da9f9ed9123ffdae4c0884db5bfd66cb587b4233b9448a7e54e2dc7e212bc59bd92eedb3a4e6b1cae276a5e9b286

  • SSDEEP

    1536:HrWxe1H0XUKfwZeJ2Uf3CZxf7vrk6exBmY:yxeRuUKfwZ0pf3CZxj0Bb

Score
10/10
raccoon470ed711dadd97d5f2669317d6d3ee7dspywarestealer

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

raccoon

Botnet

470ed711dadd97d5f2669317d6d3ee7d

C2

http://102.130.113.39

rc4.plain

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BankStatement-1675357103.xll"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Expand-Archive -Path "C:\Users\Admin\AppData\Local\Temp\mypictures.zip" -DestinationPath "C:\Users\Admin\AppData\Local\Temp\."
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /cstart C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            5⤵
            • Loads dropped DLL
            PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
    Filesize

    588.0MB

    MD5

    5647122a97d50486b62834e8b7579332

    SHA1

    7ba835b20d3771060b24731dca888f8313f93460

    SHA256

    9707e5f5701663dd69e2f33612118c2414bff1fbdcdf6f120aeceda34eb8d766

    SHA512

    5c524db0bee412bb0745b89d29bc1379f153d7b6c1af2564c953cfadf1473a8771bbc6f4446d24e59fd0c62857774ec8a83a25ffb43a63cc5d8047e531b9b625

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\filesetup11.5.6\filesetup11.5.6.exe
    Filesize

    629.8MB

    MD5

    7e177b8cc99499db7a63ab398dfee969

    SHA1

    0e433c309f39403fef8575e5a7f482630190c047

    SHA256

    dad08c341eee8862da2a3092834bf3f7775c6305b73fc38b7460485dbc5676e5

    SHA512

    b05794500a33eb730ed568b46b5626d43eb93b918516ecb12bef1baf97a9cfe414fb9f88fab637f9ee92937289d7210654f3fd99c4e9ba5951b2f6d4efb396f8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\mypictures.zip
    Filesize

    6.9MB

    MD5

    b145c7b31e020809beb62b5ff5c7b66b

    SHA1

    4bfae85a04739c8c3d39b9b60b5f2afd4db5c4cf

    SHA256

    a68bf293252d2e9f4e86646d8b0be474bf858bfb8dde2a787fd8f5e8aabd8af0

    SHA512

    84835b1a6936f6a4c0dea466936f3f1ce438a06636b22a6a7a966aa7d1e39f028a184a21ae8e6956ba30033982eaef3716cdade9485ba2b5040ca3f965788941

    Download Submit
  • \Users\Admin\AppData\LocalLow\mozglue.dll
    Filesize

    612KB

    MD5

    f07d9977430e762b563eaadc2b94bbfa

    SHA1

    da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

    SHA256

    4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

    SHA512

    6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

    Download Submit
  • \Users\Admin\AppData\LocalLow\nss3.dll
    Filesize

    1.9MB

    MD5

    f67d08e8c02574cbc2f1122c53bfb976

    SHA1

    6522992957e7e4d074947cad63189f308a80fcf2

    SHA256

    c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

    SHA512

    2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

    Download Submit
  • \Users\Admin\AppData\LocalLow\sqlite3.dll
    Filesize

    1.0MB

    MD5

    dbf4f8dcefb8056dc6bae4b67ff810ce

    SHA1

    bbac1dd8a07c6069415c04b62747d794736d0689

    SHA256

    47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

    SHA512

    b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\BankStatement-1675357103.xll
    Filesize

    75KB

    MD5

    3b4e9b099644a02a9f8e14041cfc985a

    SHA1

    4eec7644f504459704e0af6d9d1795a6aba309e5

    SHA256

    999fe8e715aa1c1cf5554c6848ecaa3d86b5bbd73bd116452a85ec5fa92a9d4a

    SHA512

    272c46937b3ec4bc7290892c8f2840183ee1da9f9ed9123ffdae4c0884db5bfd66cb587b4233b9448a7e54e2dc7e212bc59bd92eedb3a4e6b1cae276a5e9b286

    Download Submit
  • \Users\Admin\AppData\Local\Temp\BankStatement-1675357103.xll
    Filesize

    75KB

    MD5

    3b4e9b099644a02a9f8e14041cfc985a

    SHA1

    4eec7644f504459704e0af6d9d1795a6aba309e5

    SHA256

    999fe8e715aa1c1cf5554c6848ecaa3d86b5bbd73bd116452a85ec5fa92a9d4a

    SHA512

    272c46937b3ec4bc7290892c8f2840183ee1da9f9ed9123ffdae4c0884db5bfd66cb587b4233b9448a7e54e2dc7e212bc59bd92eedb3a4e6b1cae276a5e9b286

    Download Submit
  • memory/1496-312-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-508-0x0000000008E50000-0x0000000008EC6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1924-444-0x0000000007980000-0x0000000007CD0000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1924-380-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-417-0x0000000000D00000-0x0000000000D36000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1924-422-0x0000000007270000-0x0000000007898000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1924-440-0x0000000006F50000-0x0000000006F72000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1924-442-0x0000000006FF0000-0x0000000007056000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1924-443-0x00000000070D0000-0x0000000007136000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1924-447-0x0000000007CF0000-0x0000000007D0C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1924-448-0x0000000008230000-0x000000000827B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1924-466-0x0000000008D90000-0x0000000008DCC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1924-513-0x000000000A2C0000-0x000000000A938000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1924-514-0x00000000099F0000-0x0000000009A0A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1924-516-0x0000000009CB0000-0x0000000009CF6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3512-120-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3512-130-0x00007FFF59340000-0x00007FFF59350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3512-129-0x00007FFF59340000-0x00007FFF59350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3512-118-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3512-117-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3512-119-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4488-594-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4488-521-0x00000000004088ED-mapping.dmp
    Download
  • memory/4488-546-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4488-573-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4796-268-0x000001C34C1C0000-0x000001C34C236000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4796-260-0x0000000000000000-mapping.dmp
    Download
  • memory/4796-265-0x000001C34C010000-0x000001C34C032000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4796-308-0x000001C34C170000-0x000001C34C17A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4796-295-0x000001C34C180000-0x000001C34C192000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4880-348-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-368-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-338-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-339-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-340-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-343-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-344-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-342-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-341-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-345-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-346-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-347-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-336-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-349-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-350-0x0000000000280000-0x000000000036C000-memory.dmp
    Filesize

    944KB

    Download
  • memory/4880-352-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-351-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-353-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-354-0x0000000005060000-0x000000000555E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4880-355-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-356-0x0000000004C00000-0x0000000004C92000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4880-357-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-358-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-359-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-360-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-363-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-365-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-364-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-362-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-361-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-366-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-337-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-367-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-369-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-370-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-371-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-372-0x0000000004BF0000-0x0000000004BFA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4880-373-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-375-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-374-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-376-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-377-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-335-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-334-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-333-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-332-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-331-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-330-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-329-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-328-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-327-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-326-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-325-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-324-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-322-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-321-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-320-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-319-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-318-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-317-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-316-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-315-0x0000000077B00000-0x0000000077C8E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4880-313-0x0000000000000000-mapping.dmp
    Download