Analysis
- max time kernel: 12s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 01-03-2021 22:13
Static task: static1
Behavioral task: behavioral1
- Sample: ee33f2ce833cf19c08b614e209a76181.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: ee33f2ce833cf19c08b614e209a76181.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: ee33f2ce833cf19c08b614e209a76181.exe
- Size: 478KB
- MD5: ee33f2ce833cf19c08b614e209a76181
- SHA1: ac3a9e34b89a2c209853e19d8400e3ea5ff5dbdd
- SHA256: 094def68b3d08f93556bc544358eec1e6e63ae768fbff967a2f404cfe944e05b
- SHA512: 4492927e51e8d84aea7a2461be643436a0a5b23f2cb87562142128b15fd2cab14812f46291f1a27d0b54a29e3b772ea11564bbed800c7f4313ed9e39dfdfd39c
Malware Config
Extracted
- Family: raccoon
- Botnet: a3a85b69314053c3bb015532d1a960a3d08baeb8
- Attributes:
  - url4cnc: https://telete.in/baudemars
  - rc4.plain
  - rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2792 created 1032 | 2792 | WerFault.exe | ee33f2ce833cf19c08b614e209a76181.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2792 | 1032 | WerFault.exe | ee33f2ce833cf19c08b614e209a76181.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  pid | process
  2792 | WerFault.exe (same row repeated 15 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2792 | WerFault.exe
  Token: SeBackupPrivilege | 2792 | WerFault.exe
  Token: SeDebugPrivilege | 2792 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ee33f2ce833cf19c08b614e209a76181.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee33f2ce833cf19c08b614e209a76181.exe"
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 1032)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1140
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1032-2-0x0000000003040000-0x0000000003041000-memory.dmp (Filesize: 4KB)
- memory/1032-3-0x0000000003040000-0x00000000030D2000-memory.dmp (Filesize: 584KB)
- memory/1032-4-0x0000000000400000-0x0000000000494000-memory.dmp (Filesize: 592KB)
- memory/2792-5-0x00000000042D0000-0x00000000042D1000-memory.dmp (Filesize: 4KB)
- memory/2792-6-0x00000000042D0000-0x00000000042D1000-memory.dmp (Filesize: 4KB)