Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-03-2021 20:16
Static task: static1

Behavioral task: behavioral1
- Sample: df49ccf5c15760b4162ee2e7bc3bf1cc.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: df49ccf5c15760b4162ee2e7bc3bf1cc.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: df49ccf5c15760b4162ee2e7bc3bf1cc.exe
- Size: 525KB
- MD5: df49ccf5c15760b4162ee2e7bc3bf1cc
- SHA1: c55bcfb1d4221252d9474fd3aa8627f1296daef0
- SHA256: 924dd7da4bccf24de55307c9754c1e8e44f4706bdaebf80e8f9c60ebdb330635
- SHA512: 15fda008804d8a9bc65bf115e6033b6de5b6e34391449a103e1b14e797df359272fcee6170df05d1d120826eb873a50a8dc1d29a3e9a54e18c8d3212deb2fece
Malware Config (Extracted)
- Family: raccoon
- Botnet: 2ce901d964b370c5ccda7e4d68354ba040db8218
- Attributes:
  - url4cnc: https://telete.in/tomarsjsmith3
  - rc4.plain
  - rc4.plain
Signatures
-
Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
- 396, 1240, WerFault.exe, df49ccf5c15760b4162ee2e7bc3bf1cc.exe
-
Modifies system certificate store
Processes (description, ioc, process):
- Key created, \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13, df49ccf5c15760b4162ee2e7bc3bf1cc.exe
- Set value (data), \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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, df49ccf5c15760b4162ee2e7bc3bf1cc.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 396, WerFault.exe
- 396, WerFault.exe
- 396, WerFault.exe
- 396, WerFault.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 396, WerFault.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
- PID 1240 wrote to memory of 396, 1240, df49ccf5c15760b4162ee2e7bc3bf1cc.exe, WerFault.exe
- PID 1240 wrote to memory of 396, 1240, df49ccf5c15760b4162ee2e7bc3bf1cc.exe, WerFault.exe
- PID 1240 wrote to memory of 396, 1240, df49ccf5c15760b4162ee2e7bc3bf1cc.exe, WerFault.exe
- PID 1240 wrote to memory of 396, 1240, df49ccf5c15760b4162ee2e7bc3bf1cc.exe, WerFault.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\df49ccf5c15760b4162ee2e7bc3bf1cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df49ccf5c15760b4162ee2e7bc3bf1cc.exe"
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory
-
2. C:\Windows\SysWOW64\WerFault.exe (child of process 1)
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 516
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/396-6-0x0000000000000000-mapping.dmp
- memory/396-7-0x00000000020F0000-0x0000000002101000-memory.dmp (Filesize: 68KB)
- memory/396-8-0x00000000020F0000-0x0000000002101000-memory.dmp (Filesize: 68KB)
- memory/396-11-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)
- memory/1240-2-0x0000000000A70000-0x0000000000A81000-memory.dmp (Filesize: 68KB)
- memory/1240-3-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (Filesize: 8KB)
- memory/1240-4-0x00000000008F0000-0x0000000000981000-memory.dmp (Filesize: 580KB)
- memory/1240-5-0x0000000000400000-0x0000000000492000-memory.dmp (Filesize: 584KB)