Analysis
- max time kernel: 17s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-08-2021 21:25
Static task: static1
Behavioral task: behavioral1
- Sample: 85fb42a57db662ade20dbc90dd2abccb.exe
- Resource: win7v20210410
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 85fb42a57db662ade20dbc90dd2abccb.exe
- Resource: win10v20210408
- 0 signatures
- 0 seconds
General
- Target: 85fb42a57db662ade20dbc90dd2abccb.exe
- Size: 462KB
- MD5: 85fb42a57db662ade20dbc90dd2abccb
- SHA1: eb1718103d030704bfb0959bb43f38ece27f94bd
- SHA256: d260c05305ca6eda79e4aa38377a16df0bc5861ee1f79187c8838d93a06f2175
- SHA512: 12c43b3c25f7c594f38202ad46f655caeb98ea33aba4801cfcce84f98adcef406201b950e02b5562e330d86e5cf9e6dd02f0730df43b87f0c6b430ef9ba396c9
Malware Config
Extracted
- Family: raccoon
- Botnet: cd8dc1031358b1aec55cc6bc447df1018b068607
- Attributes:
  - url4cnc: https://telete.in/jagressor_kz
  - rc4.plain: rc4.plain
Signatures
- Raccoon Stealer Payload (2 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/900-114-0x0000000004990000-0x0000000004A21000-memory.dmp  family_raccoon
  behavioral2/memory/900-115-0x0000000000400000-0x0000000002D01000-memory.dmp  family_raccoon
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description           pid   process       target process
  PID 2368 created 900  2368  WerFault.exe  85fb42a57db662ade20dbc90dd2abccb.exe
- Program crash (5 IoCs)
  Processes:
  pid   pid_target  process       target process
  3844  900         WerFault.exe  85fb42a57db662ade20dbc90dd2abccb.exe
  2864  900         WerFault.exe  85fb42a57db662ade20dbc90dd2abccb.exe
  2648  900         WerFault.exe  85fb42a57db662ade20dbc90dd2abccb.exe
  184   900         WerFault.exe  85fb42a57db662ade20dbc90dd2abccb.exe
  2368  900         WerFault.exe  85fb42a57db662ade20dbc90dd2abccb.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (identical pid/process rows collapsed, with occurrence count):
  pid   process       occurrences
  3844  WerFault.exe  14
  2864  WerFault.exe  14
  2648  WerFault.exe  14
  184   WerFault.exe  14
  2368  WerFault.exe  8
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  3844  WerFault.exe
  Token: SeBackupPrivilege   3844  WerFault.exe
  Token: SeDebugPrivilege    3844  WerFault.exe
  Token: SeDebugPrivilege    2864  WerFault.exe
  Token: SeDebugPrivilege    2648  WerFault.exe
  Token: SeDebugPrivilege    184   WerFault.exe
  Token: SeDebugPrivilege    2368  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\85fb42a57db662ade20dbc90dd2abccb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85fb42a57db662ade20dbc90dd2abccb.exe"
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 732
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 744
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 844
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 872
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 852
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken