Analysis
- max time kernel: 15s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-05-2021 21:26
Static task: static1

Behavioral task: behavioral1
- Sample: 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe
- Size: 542KB
- MD5: 23fed1c9856f4e0565d76ba346197dbc
- SHA1: ba795084b2b4b46b9f66fddc1fd908cc87fd852b
- SHA256: 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b737a2c0b8b1d7d04d5c
- SHA512: ff807b61069827af82fa727bd52835ad4f84139c6ed4900e6043711f5f2ad85cac54696618781da93e835c04a2c4377ed65e934b5cfdc6588129bf177564b7aa
Malware Config
Extracted
- Family: raccoon
- Botnet: a3a85b69314053c3bb015532d1a960a3d08baeb8
- Attributes:
  - url4cnc: https://telete.in/baudemars
  - rc4.plain
  - rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1484 created 784 | 1484 | WerFault.exe | 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe |

Program crash (5 IoCs)
Processes:

| pid | pid_target | process | target process |
| --- | --- | --- | --- |
| 3392 | 784 | WerFault.exe | 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe |
| 2316 | 784 | WerFault.exe | 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe |
| 1848 | 784 | WerFault.exe | 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe |
| 2384 | 784 | WerFault.exe | 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe |
| 1484 | 784 | WerFault.exe | 7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe |

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the report lists one identical row per event; rows are grouped by pid here, with the number of rows per pid):

| pid | process | rows |
| --- | --- | --- |
| 3392 | WerFault.exe | 14 |
| 2316 | WerFault.exe | 14 |
| 1848 | WerFault.exe | 14 |
| 2384 | WerFault.exe | 14 |
| 1484 | WerFault.exe | 8 |

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeRestorePrivilege | 3392 | WerFault.exe |
| Token: SeBackupPrivilege | 3392 | WerFault.exe |
| Token: SeDebugPrivilege | 3392 | WerFault.exe |
| Token: SeDebugPrivilege | 2316 | WerFault.exe |
| Token: SeDebugPrivilege | 1848 | WerFault.exe |
| Token: SeDebugPrivilege | 2384 | WerFault.exe |
| Token: SeDebugPrivilege | 1484 | WerFault.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7052ad910ee7b7f7b15c86e59fc9b09d83b6501bf929b.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 736
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 820
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 896
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 924
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 920
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken