Analysis
Max time kernel: 136s
Max time network: 151s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 18-04-2021 14:02
Static task: static1
Behavioral task: behavioral1
  Sample: 880dfcc2cd155e490aa61bce02ab4500.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 880dfcc2cd155e490aa61bce02ab4500.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 880dfcc2cd155e490aa61bce02ab4500.exe
Size: 523KB
MD5: 880dfcc2cd155e490aa61bce02ab4500
SHA1: 71b77ae9b2c9471a09fc139e36ae8a91b68f54b4
SHA256: 4b88caf98ce096cc16a0de0921c17f994215915b47e79bc3f5cad4c9642102cf
SHA512: 92858ec16a7bae0ae5e3d28cf5e55d99b4ccdb560364e0a98f2c8eafa4aa6cd9c9a4e9f2cb4a924b8f8220812dddf136e89b6eb61d81059d5105d722b6f68fc5
Malware Config
Extracted
Family: raccoon
Botnet: fe080c9bfcbe54ed632d9562ae158e815dbdc717
Attributes:
  url4cnc: https://telete.in/jdiamond13
  rc4.plain
Signatures
Every signature below was raised by the Windows Error Reporting handler WerFault.exe (PID 1984), launched after the sample (PID 852) crashed; no signature is attributed to the sample's own execution. WerFault.exe enumerating processes and enabling SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege is expected of the crash handler, so the indicator of interest here is that the Raccoon sample itself faulted in the sandbox, which is consistent with the behavioral tasks reporting 0 signatures.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description: PID 1984 created 852 | pid/process: 1984 WerFault.exe | target process: 880dfcc2cd155e490aa61bce02ab4500.exe

Program crash (1 IoC)
  pid/process: 1984 WerFault.exe | pid_target/target process: 852 880dfcc2cd155e490aa61bce02ab4500.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid/process: 1984 WerFault.exe (13 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege | pid/process: 1984 WerFault.exe
  Token: SeBackupPrivilege | pid/process: 1984 WerFault.exe
  Token: SeDebugPrivilege | pid/process: 1984 WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\880dfcc2cd155e490aa61bce02ab4500.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\880dfcc2cd155e490aa61bce02ab4500.exe"
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1196
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
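The crash-handler pattern in the signatures and process tree above is easy to reproduce from process-creation telemetry: WerFault.exe carries the faulting PID on its command line, and WER records the faulting process as its parent even though the WER service started it, which is why the "OtherParentProcess" signature fires. The following Python is an added example, not part of this report or of the sandbox's own detection code. The PIDs 852 and 1984 and both command lines are taken from the Processes section; the explorer.exe and svchost.exe rows and their PIDs (4100, 2200, 700) are constructed filler so the logic has benign events to skip.

```python
import re
from dataclasses import dataclass
from typing import Optional

# WerFault.exe is started as "WerFault.exe -u -p <pid> -s <handle>": -p is the PID of
# the faulting process, -s a handle value WER passes for synchronisation.
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.IGNORECASE)
# Executables living in a user's %TEMP% are a far stronger signal than WerFault itself.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the Processes section of the report.
# PIDs 852/1984 and their command lines are from the report; the other rows are made up.
EVENTS = [
    ProcEvent(4100, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(852, 4100,
              r"C:\Users\Admin\AppData\Local\Temp\880dfcc2cd155e490aa61bce02ab4500.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\880dfcc2cd155e490aa61bce02ab4500.exe"'),
    ProcEvent(1984, 852, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1196"),
    ProcEvent(2200, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def werfault_target(ev: ProcEvent) -> Optional[tuple[int, int]]:
    """Return (faulting_pid, handle) if ev is a WER crash-handler launch, else None."""
    m = WERFAULT_RE.search(ev.cmdline)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_crashes(events: list[ProcEvent]) -> list[dict]:
    """Correlate every WerFault.exe launch with the process it was invoked for."""
    by_pid = {e.pid: e for e in events}
    crashes = []
    for ev in events:
        hit = werfault_target(ev)
        if hit is None:
            continue
        faulting_pid, handle = hit
        target = by_pid.get(faulting_pid)
        crashes.append({
            "reporter_pid": ev.pid,
            "faulting_pid": faulting_pid,
            "handle": handle,
            "faulting_image": target.image if target else None,
            # WER records the faulting process as WerFault's parent, so True is the
            # normal case; this is what the OtherParentProcess signature reacts to.
            "reparented": ev.ppid == faulting_pid,
            # What crashed matters more than the fact that WerFault ran.
            "faulting_in_user_temp": bool(target and USER_TEMP_RE.search(target.image)),
        })
    return crashes


if __name__ == "__main__":
    for crash in find_crashes(EVENTS):
        print(crash)
```

Run over the constructed events this yields a single record: reporter 1984, faulting PID 852, handle 1196, reparented, with the faulting image under a user Temp directory. In a real pipeline the faulting image path and hash, not the WerFault.exe privilege or enumeration activity, are what should drive triage.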