Analysis
- max time kernel: 14s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-02-2021 17:32
Static task: static1
Behavioral task: behavioral1
- Sample: CHEAT.bin.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: CHEAT.bin.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: CHEAT.bin.exe
- Size: 560KB
- MD5: d93f322e915785edd46779a708e4f6d1
- SHA1: 778331a71313b0108d4fbbfa93304a441fc36c87
- SHA256: 59adfc0c805869287af49100c2ea65a80e6ebbaaf256f5e40d488b5dad38ee65
- SHA512: b63fd4c5dcd3df8a17307ac55d302365f383d3834f469441ce586f92cbf0813b90ae85d8e0c4a0e78bbf3465943f3562958fc6618eeb4514ad3bd5c20d240fc9
Malware Config
Extracted
- Family: raccoon
- Botnet: 392ed1d1c41045fcab62229aa831efc30cb93f05
- Attributes:
  - url4cnc: https://telete.in/jomrblack
  - rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2632 created 744 | 2632 | WerFault.exe | CHEAT.bin.exe
- Program crash (5 IoCs)
  Processes:
  pid | pid_target | process | target process
  2212 | 744 | WerFault.exe | CHEAT.bin.exe
  2800 | 744 | WerFault.exe | CHEAT.bin.exe
  4004 | 744 | WerFault.exe | CHEAT.bin.exe
  204 | 744 | WerFault.exe | CHEAT.bin.exe
  2632 | 744 | WerFault.exe | CHEAT.bin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (identical rows collapsed; the occurrences column gives the row count per pid, 64 in total):
  pid | process | occurrences
  2212 | WerFault.exe | 14
  2800 | WerFault.exe | 14
  4004 | WerFault.exe | 14
  204 | WerFault.exe | 14
  2632 | WerFault.exe | 8
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2212 | WerFault.exe
  Token: SeBackupPrivilege | 2212 | WerFault.exe
  Token: SeDebugPrivilege | 2212 | WerFault.exe
  Token: SeDebugPrivilege | 2800 | WerFault.exe
  Token: SeDebugPrivilege | 4004 | WerFault.exe
  Token: SeDebugPrivilege | 204 | WerFault.exe
  Token: SeDebugPrivilege | 2632 | WerFault.exe
Processes (nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\CHEAT.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CHEAT.bin.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 732
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 844
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 820
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 868
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 900
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/204-14-0x0000000004080000-0x0000000004081000-memory.dmp (4KB)
- memory/744-2-0x0000000000D30000-0x0000000000D31000-memory.dmp (4KB)
- memory/744-7-0x0000000000400000-0x0000000000494000-memory.dmp (592KB)
- memory/744-6-0x0000000000A60000-0x0000000000AF2000-memory.dmp (584KB)
- memory/2212-3-0x0000000004630000-0x0000000004631000-memory.dmp (4KB)
- memory/2212-4-0x0000000004630000-0x0000000004631000-memory.dmp (4KB)
- memory/2632-17-0x0000000004A50000-0x0000000004A51000-memory.dmp (4KB)
- memory/2800-8-0x0000000004CC0000-0x0000000004CC1000-memory.dmp (4KB)
- memory/4004-11-0x0000000004770000-0x0000000004771000-memory.dmp (4KB)