Analysis
- max time kernel: 19s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 28-08-2021 21:16
Static task: static1
Behavioral task: behavioral1
- Sample: 2f0f374ba2a8adf6d5b1095607fa6cea.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 2f0f374ba2a8adf6d5b1095607fa6cea.exe
- Resource: win10v20210408
General
- Target: 2f0f374ba2a8adf6d5b1095607fa6cea.exe
- Size: 5.3MB
- MD5: 2f0f374ba2a8adf6d5b1095607fa6cea
- SHA1: 4efd278872e7ca4c93bb2ff6527fc9c21ecbf724
- SHA256: 514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3
- SHA512: 99a9e83438d6957e73ceb931e752c9cacf8e5ebd1bcdece8cc1f85b36f9b56e1b8aad5713467924066cfd8facf21da3230e326c420571ada9ccdf59a98256fc4
Malware Config
Extracted
- Family: raccoon
- 0a7408c65c3ceba29fcaa1d6f9f7143fe4fab73a
- url4cnc: https://telete.in/secuhaski4
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    632    2f0f374ba2a8adf6d5b1095607fa6cea.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid    process
    632    2f0f374ba2a8adf6d5b1095607fa6cea.exe
- Program crash (1 IoC)
  Processes:
    pid     pid_target   process        target process
    2776    632          WerFault.exe   2f0f374ba2a8adf6d5b1095607fa6cea.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid     process
    632     2f0f374ba2a8adf6d5b1095607fa6cea.exe (2 entries)
    2776    WerFault.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                  pid     process
    Token: SeRestorePrivilege    2776    WerFault.exe
    Token: SeBackupPrivilege     2776    WerFault.exe
    Token: SeDebugPrivilege      2776    WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2f0f374ba2a8adf6d5b1095607fa6cea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f0f374ba2a8adf6d5b1095607fa6cea.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1468
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5: f964811b68f9f1487c2b41e1aef576ce
  SHA1: b423959793f14b1416bc3b7051bed58a1034025f
  SHA256: 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512: 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
- memory/632-115-0x00000000001F0000-0x00000000001F1000-memory.dmp
  Filesize: 4KB
- memory/632-116-0x0000000000400000-0x0000000000CAD000-memory.dmp
  Filesize: 8.7MB
- memory/632-117-0x00000000001E0000-0x00000000001E1000-memory.dmp
  Filesize: 4KB