Analysis
- max time kernel: 118s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-04-2021 15:00
Static task: static1

Behavioral task: behavioral1
- Sample: 76b9b31c27624c0351e3c48dadc4151d.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 76b9b31c27624c0351e3c48dadc4151d.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 76b9b31c27624c0351e3c48dadc4151d.exe
- Size: 525KB
- MD5: 76b9b31c27624c0351e3c48dadc4151d
- SHA1: 9f60021db4d96cddba929ee51d3906e05146bd85
- SHA256: ec727ae162ab240cc61660b11b1063b148fde2209b1ae62b18ff0f3283696fc1
- SHA512: b0f0be1b11723b43ca9ffbae662fd53c01fda1d8dec10169adbd837cfb0a876c32717412f3ac0d665c5bd698bb4ee754a4ec14d99b6685980cb5f6558f2ec577
Malware Config
Extracted
- Family: raccoon
- Botnet: 5442f281fb8a4ac6d19427ed61032791e65b8e1b
- Attributes:
  - url4cnc: https://telete.in/jdiamond13
  - rc4.plain: rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description: PID 3680 created 636 | pid: 3680 | process: WerFault.exe | target process: 76b9b31c27624c0351e3c48dadc4151d.exe

Program crash (1 IoC)
Processes:
  pid: 3680 | pid_target: 636 | process: WerFault.exe | target process: 76b9b31c27624c0351e3c48dadc4151d.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid: 3680 | process: WerFault.exe (13 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description: Token: SeRestorePrivilege | pid: 3680 | process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 3680 | process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 3680 | process: WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\76b9b31c27624c0351e3c48dadc4151d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\76b9b31c27624c0351e3c48dadc4151d.exe"

2. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1172
   - Suspicious use of NtCreateProcessExOtherParentProcess
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken