Analysis

max time kernel: 97s
max time network: 98s
platform: windows7_x64
resource: win7v20210410
submitted: 20-06-2021 18:36

Static task: static1

Behavioral task: behavioral1
  Sample: 13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
  Resource: win10v20210408
General

Target: 13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
Size: 396KB
MD5: 01f848f1bea5fee38c9b3ace82d48517
SHA1: bd35c42b99d9c5e4e136505030f3d8f62f33d04f
SHA256: 13333d8111107cce84e50c0264e4b3ffa7af34802de26de7d229ca86782db674
SHA512: e86e4f88f5ba7d1dcfad9f04b937dbc4c858b4bfdf51f94fe89f4e37d210b23aec40624a5b7c42f9d66d096dc174dcb6d30bae54d06cfe603ff6a837d707786f
Malware Config

Extracted
  Family: raccoon
  16992cd33145ccbb6feeacb4e84400a56448fa14
  url4cnc: https://telete.in/baudemars
Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1824  2016        WerFault.exe  13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
Modifies system certificate store (2 IoCs)
  Processes:
    description        ioc                                                                                                              process
    Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [value elided]   13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
    Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13                         13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1824  WerFault.exe
    1824  WerFault.exe
    1824  WerFault.exe
    1824  WerFault.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1824  WerFault.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                                             target process
    PID 2016 wrote to memory of 1824   2016  13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe  WerFault.exe
    PID 2016 wrote to memory of 1824   2016  13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe  WerFault.exe
    PID 2016 wrote to memory of 1824   2016  13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe  WerFault.exe
    PID 2016 wrote to memory of 1824   2016  13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\13333D8111107CCE84E50C0264E4B3FFA7AF34802DE26.exe"
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 520
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

memory/1824-62-0x0000000000000000-mapping.dmp
memory/1824-63-0x0000000000480000-0x0000000000481000-memory.dmp   Filesize: 4KB
memory/2016-59-0x0000000075D41000-0x0000000075D43000-memory.dmp   Filesize: 8KB
memory/2016-60-0x0000000000220000-0x00000000002B1000-memory.dmp   Filesize: 580KB
memory/2016-61-0x0000000000400000-0x0000000002BD3000-memory.dmp   Filesize: 39.8MB