Analysis

max time kernel: 121s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211014
submitted: 20-10-2021 20:40

Static task: static1
Behavioral task: behavioral1
Sample: b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b.exe
Resource: win10-en-20211014 (windows10_x64)
0 signatures
0 seconds
General

Target: b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b.exe
Size: 590KB
MD5: d8222f503375319508efc849bc3ff224
SHA1: 05b1a7095539bce27d0ca24697c8b2ff01d82beb
SHA256: b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b
SHA512: 6b3a3bb845a26057d9e553a902dedacb4d4a143dda9581b15f5ddf2fd793ac0d34dd0a6cdd4b7744170ebb0e59ac0bfaa0d44427ad2297a4c6cc7ae58e7f0539
Malware Config

Extracted
Family: raccoon
Botnet: 887a0ffaca448362277f2227182491216b734133
Attributes:
  url4cnc:
    http://telegka.top/jdiamond13
    http://telegin.top/jdiamond13
    https://t.me/jdiamond13
  rc4.plain: rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description: created | pid: 1528 | process: WerFault.exe | target process PID: 1420 | target process: b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b.exe

Program crash (1 IoC)
Processes:
  pid: 1528 | process: WerFault.exe | pid_target: 1420 | target process: b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid: 1528 | process: WerFault.exe (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description: Token: SeRestorePrivilege | pid: 1528 | process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 1528 | process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 1528 | process: WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b272145bef71f2dc0823c0a3e05c250efc1d0195925c3ac75528f9c8a339b15b.exe"

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 652
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken