Analysis
- max time kernel: 90s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-02-2021 08:46
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
- Size: 542KB
- MD5: 060bd14ae501d8dae94cc73672ab195b
- SHA1: e16be2044b73bfb717d92d13968eac473d64b8fc
- SHA256: 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0
- SHA512: 4c39ee69a9e1f8511c8c37a714cd2e9a44f5223fa9c356a8c0d466d273caeba2c391107822111de63ebfbca53b4a4601e90f03d5317914dc53192ef8fef28704
Malware Config
Extracted: raccoon
- config id: aef61793e586ca15c24106ac17a2a83a30fb0a25
- url4cnc: https://tttttt.me/h_scroogenews_1
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  - PID 636 created 4688 | 636 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
- Program crash (5 IoCs)
  Processes (pid | pid_target | process | target process):
  - 3012 | 4688 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
  - 3232 | 4688 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
  - 4068 | 4688 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
  - 68 | 4688 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
  - 636 | 4688 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process | number of entries):
  - 3012 | WerFault.exe | 14
  - 3232 | WerFault.exe | 14
  - 4068 | WerFault.exe | 14
  - 68 | WerFault.exe | 14
  - 636 | WerFault.exe | 8
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
  - Token: SeRestorePrivilege | 3012 | WerFault.exe
  - Token: SeBackupPrivilege | 3012 | WerFault.exe
  - Token: SeDebugPrivilege | 3012 | WerFault.exe
  - Token: SeDebugPrivilege | 3232 | WerFault.exe
  - Token: SeDebugPrivilege | 4068 | WerFault.exe
  - Token: SeDebugPrivilege | 68 | WerFault.exe
  - Token: SeDebugPrivilege | 636 | WerFault.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe"
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 736
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 852
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 740
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 712
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 864
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/68-14-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize: 4KB)
- memory/636-17-0x00000000047D0000-0x00000000047D1000-memory.dmp (Filesize: 4KB)
- memory/3012-5-0x0000000004E50000-0x0000000004E51000-memory.dmp (Filesize: 4KB)
- memory/3012-6-0x0000000004E50000-0x0000000004E51000-memory.dmp (Filesize: 4KB)
- memory/3232-8-0x0000000004AC0000-0x0000000004AC1000-memory.dmp (Filesize: 4KB)
- memory/4068-11-0x00000000043F0000-0x00000000043F1000-memory.dmp (Filesize: 4KB)
- memory/4688-2-0x0000000000C40000-0x0000000000C41000-memory.dmp (Filesize: 4KB)
- memory/4688-3-0x0000000000AA0000-0x0000000000B32000-memory.dmp (Filesize: 584KB)
- memory/4688-4-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize: 592KB)