Analysis
max time kernel: 67s
max time network: 138s
platform: windows10_x64
resource: win10-en-20210920
submitted: 18-10-2021 12:36
Static task: static1
Behavioral task: behavioral1
Sample: ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b.exe
Resource: win10-en-20210920
General
Target: ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b.exe
Size: 3.8MB
MD5: 668656cd25b7af46075db91e4eeaf9bf
SHA1: a8eb80d6470bf59051359d10822498df6ee8bd36
SHA256: ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b
SHA512: 26e9b44b81b4d106e9972225717e6f4bfd42f6c77e51d9a8c8e4639a605a3d3e708081b4780d670c906e2ac19854c42504c7cf69728b0ba7655d9379e9da88c9
Malware Config
Extracted
Family: raccoon
cf3e15a8aec8fe7eead8f124a5222c57fad37d42
url4cnc:
http://telegatt.top/dodgeneontwinturbo
http://telegka.top/dodgeneontwinturbo
http://telegin.top/dodgeneontwinturbo
https://t.me/dodgeneontwinturbo
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes:
description              pid   process       target process
PID 3680 created 2160    3680  WerFault.exe  ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b.exe

Program crash (1 IoCs)
Processes:
pid   pid_target  process       target process
3680  2160        WerFault.exe  ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid   process
3680  WerFault.exe  (same entry reported 12 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                pid   process
Token: SeRestorePrivilege  3680  WerFault.exe
Token: SeBackupPrivilege   3680  WerFault.exe
Token: SeDebugPrivilege    3680  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ef0cd7ca55ad803019d2048eda92bfafb2e0fcdef7739d01015e3eb35dd4c07b.exe"
   PID: 2160

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 968
      PID: 3680
      Signatures:
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/2160-115-0x0000000000010000-0x00000000005F6000-memory.dmp
Filesize: 5.9MB