Analysis
max time kernel: 120s
max time network: 135s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-10-2021 21:51
Static task: static1
Behavioral task: behavioral1
Sample: 1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0.exe
Resource: win10-en-20210920 (windows10_x64)
0 signatures
0 seconds
General
Target: 1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0.exe
Size: 512KB
MD5: f367505aa21c0af4ce542306bc5f41fe
SHA1: 15b2716c8abaf88d6b268271538a6cbb1148b933
SHA256: 1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0
SHA512: 32b40e45d02c240dc4a4c19699fe96d653e48dd2fedcc36690f869303aefacba417cc2756a293b8108ad086ff6ab6e5444a4d49794819a64c0245a75d12059d8
Malware Config
Extracted
Family: raccoon
Botnet: ac738e6383a48d6a74aeab7c52ebcd50f76032ee
Attributes
url4cnc:
  http://telegka.top/jdiamond13
  http://telegin.top/jdiamond13
  https://t.me/jdiamond13
rc4.plain
rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description            pid   process       target process
PID 3032 created 4088  3032  WerFault.exe  1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0.exe

Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
3032  4088        WerFault.exe  1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid   process
3032  WerFault.exe  (same entry repeated 12 times, one per IoC)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                pid   process
Token: SeRestorePrivilege  3032  WerFault.exe
Token: SeBackupPrivilege   3032  WerFault.exe
Token: SeDebugPrivilege    3032  WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1de7604b0624601cdd60d79f15a882e912a3bfdd4c9ef220fa95e7bb350103b0.exe"
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 960
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken