Analysis
-
max time kernel
89s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-06-2021 22:14
Static task
static1
Behavioral task
behavioral1
Sample
eufive_20210616-233809.exe
Resource
win7v20210408
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
eufive_20210616-233809.exe
Resource
win10v20210410
0 signatures
0 seconds
General
-
Target
eufive_20210616-233809.exe
-
Size
572KB
-
MD5
aff24adcac0d43fdedf7f1fca5010d43
-
SHA1
9b085a92dd390a87969054750fc4df0f3ab3ca23
-
SHA256
22229ae10d0454005bd584838fc73c39027751e8953727d77cba63191ff9b3ce
-
SHA512
4ae5763f41e9d86b04bc1cde044afaa39a44e911bad7b07df0e252445bd602026192856014a98662ce92788620689511169c03c9bd011c02d61f025631edc2a0
Malware Config
Extracted
Family
raccoon
Botnet
3d7990f080e9dcb56104447e3789dec4380efc8b
Attributes
-
url4cnc
https://telete.in/jvadikkamushkin
rc4.plain
rc4.plain
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 2816 created 3256 2816 WerFault.exe eufive_20210616-233809.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2816 3256 WerFault.exe eufive_20210616-233809.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe 2816 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2816 WerFault.exe Token: SeBackupPrivilege 2816 WerFault.exe Token: SeDebugPrivilege 2816 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eufive_20210616-233809.exe"C:\Users\Admin\AppData\Local\Temp\eufive_20210616-233809.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 11602⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken