Analysis
- max time kernel: 13s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-02-2021 08:46
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
- Size: 542KB
- MD5: e48ba1147b75508b7f58cace584373cb
- SHA1: b24be163878f851e0b9bc5da8967879d5ff3d846
- SHA256: 3d3112ce7c1a80e0378b15c7084b1b49a9805a5e47a85a97acdd7841d0a9b40b
- SHA512: 5874e76db5ea79bf7128d50f80c6f9c22d79fd78f75b72a2db6131a7daa743f5d60e15f7af6a8767eaceec6dfb84b55a1c8f4bb57688a674aba88035f06b7060
Malware Config
Extracted
- raccoon
- 99fdcb30af520f176f0e14e858c8bb23c13330d9
- url4cnc: https://tttttt.me/jrrand0mer
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  PID 1936 created 8 | 1936 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
- Program crash (5 IoCs)
  Processes (pid | pid_target | process | target process):
  1772 | 8 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
  2160 | 8 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
  2624 | 8 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
  396 | 8 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
  1936 | 8 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process | occurrences):
  1772 | WerFault.exe | 14
  2160 | WerFault.exe | 14
  2624 | WerFault.exe | 14
  396 | WerFault.exe | 14
  1936 | WerFault.exe | 8
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
  Token: SeRestorePrivilege | 1772 | WerFault.exe
  Token: SeBackupPrivilege | 1772 | WerFault.exe
  Token: SeDebugPrivilege | 1772 | WerFault.exe
  Token: SeDebugPrivilege | 2160 | WerFault.exe
  Token: SeDebugPrivilege | 2624 | WerFault.exe
  Token: SeDebugPrivilege | 396 | WerFault.exe
  Token: SeDebugPrivilege | 1936 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.15546.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 740
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 852
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 832
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 872
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 836
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/8-2-0x0000000000C90000-0x0000000000C91000-memory.dmp (4KB)
- memory/8-3-0x00000000009A0000-0x0000000000A32000-memory.dmp (584KB)
- memory/8-4-0x0000000000400000-0x0000000000494000-memory.dmp (592KB)
- memory/396-14-0x00000000044F0000-0x00000000044F1000-memory.dmp (4KB)
- memory/1772-5-0x0000000004F00000-0x0000000004F01000-memory.dmp (4KB)
- memory/1772-6-0x0000000004F00000-0x0000000004F01000-memory.dmp (4KB)
- memory/1936-17-0x0000000004E20000-0x0000000004E21000-memory.dmp (4KB)
- memory/2160-8-0x0000000004850000-0x0000000004851000-memory.dmp (4KB)
- memory/2624-11-0x0000000004910000-0x0000000004911000-memory.dmp (4KB)