Analysis
max time kernel: 125s
max time network: 127s
platform: windows10_x64
resource: win10-en-20211014
submitted: 26-10-2021 15:36
Static task: static1
Behavioral task behavioral1: sample "open this if the doesn't work.exe", resource win7-en-20210920
Behavioral task behavioral2: sample "open this if the doesn't work.exe", resource win10-en-20211014
The signatures, process tree and dumps below are from the windows10_x64 run (win10-en-20211014).
General
Target: open this if the doesn't work.exe
Size: 225KB
MD5: 75dc0b7ee8ecf84a04ae6dd0ace2f54d
SHA1: 4185141db5402579321714059282892a932661cf
SHA256: 06f18fc3c26ff3b6b028d3745e020bc973b3892c0a77096b5d1371dc82989298
SHA512: 57de91590f724f26eec8d24deaaa1f6cb5eb23ee0fe727152de89abbff9503bffd2ea91d60be280c482df942e51b196de8c73a71e6194c2019d0563eb5cd0d05
Malware Config
Extracted
Family: raccoon
580b491e2149e767dbb79725a6a0395d016c0b15
url4cnc:
http://telegin.top/jabbahatt121
http://ttmirror.top/jabbahatt121
http://teletele.top/jabbahatt121
http://telegalive.top/jabbahatt121
http://toptelete.top/jabbahatt121
http://telegraf.top/jabbahatt121
https://t.me/jabbahatt121
The url4cnc entries are not the C2 itself. Raccoon resolves its C2 through a dead drop: it tries these Telegram web front-ends and mirror domains in turn and reads the channel jabbahatt121, whose description carries the real C2 address. Block or alert on the mirror domains, but expect the operator to rotate the channel and the address it points to.
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid process | target process
PID 2116 created 1028 | 2116 WerFault.exe | open this if the doesn't work.exe
This row is produced by WerFault.exe while it handles the crash of PID 1028 (see Program crash below); treat it as Windows Error Reporting activity rather than a second injection by the sample.
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Nirsoft 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe | Nirsoft (three identical matches on the same dropped file)
Executes dropped EXE 2 IoCs
Processes:
pid | process
1444 | AdvancedRun.exe
4084 | AdvancedRun.exe
Windows security modification 10 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | open this if the doesn't work.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe = "0" | open this if the doesn't work.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | open this if the doesn't work.exe
All ten paths sit under WOW6432Node because the sample is a 32-bit process and the WOW64 registry redirector sends its HKLM\SOFTWARE writes there; the 64-bit Defender service reads the native HKLM\SOFTWARE\Microsoft\Windows Defender key, so these direct writes are unlikely to change Defender's state on their own (and Tamper Protection blocks such edits even in the native view). The routes that can work are the batch file that AdvancedRun runs as TrustedInstaller and the Add-MpPreference exclusion, both visible in the process tree below; test.bat was not collected in this report, so its commands are unknown.
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid process | target process
PID 2184 set thread context of 1028 | 2184 open this if the doesn't work.exe | open this if the doesn't work.exe
Taken together with the ten WriteProcessMemory calls from 2184 into 1028 (below) and the fact that both processes run the same image, this is the process-hollowing (RunPE) pattern: the parent starts a second copy of itself, overwrites its memory with the payload and redirects the main thread with SetThreadContext. The two 584KB dumps of PID 1028 covering 0x400000-0x492000 in the Downloads section are that overwritten image, and the address recorded for its mapping (0x43E9BE) lies inside that range, which is where to expect the payload's entry point.
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
WerFault.exe writes Amcache.hve.tmp while collecting crash data; this is Windows Error Reporting activity, not a file dropped by the sample.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's description calls this likely ransomware behaviour, but that is a generic heuristic: the extracted config identifies the sample as Raccoon, an information stealer, so read this as drive enumeration before file collection rather than as an encryption indicator.
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2116 | 1028 | WerFault.exe | open this if the doesn't work.exe
The hollowed child (1028) crashed, so the injected payload's run-time behaviour is not captured in this run; no contact with the url4cnc hosts is recorded on this page.
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
pid | process | occurrences
1444 | AdvancedRun.exe | 4
4084 | AdvancedRun.exe | 4
3492 | powershell.exe | 3
2184 | open this if the doesn't work.exe | 2
2116 | WerFault.exe | 12
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2184 | open this if the doesn't work.exe
Token: SeDebugPrivilege | 1444 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1444 | AdvancedRun.exe
Token: SeDebugPrivilege | 4084 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 4084 | AdvancedRun.exe
Token: SeDebugPrivilege | 3492 | powershell.exe
Token: SeRestorePrivilege | 2116 | WerFault.exe
Token: SeBackupPrivilege | 2116 | WerFault.exe
Token: SeBackupPrivilege | 2116 | WerFault.exe
Token: SeDebugPrivilege | 2116 | WerFault.exe
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid process | target process | occurrences
PID 2184 wrote to memory of 1444 | 2184 open this if the doesn't work.exe | AdvancedRun.exe | 3
PID 1444 wrote to memory of 4084 | 1444 AdvancedRun.exe | AdvancedRun.exe | 3
PID 2184 wrote to memory of 3492 | 2184 open this if the doesn't work.exe | powershell.exe | 3
PID 2184 wrote to memory of 1028 | 2184 open this if the doesn't work.exe | open this if the doesn't work.exe | 10
Processes
-
[1] PID 2184: C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 1444: C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      NirSoft AdvancedRun launching a dropped batch file with a hidden window; /RunAs 8 is AdvancedRun's TrustedInstaller mode, which is how the loader gets past the protection on Defender's own registry keys. test.bat itself was not collected.
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] PID 4084: C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe" /SpecialRun 4101d8 1444
        AdvancedRun's own helper instance; the trailing 1444 matches the parent's PID.
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 3492: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe" -Force
      Adds the sample's own path to Defender's exclusion list. The command line names System32 but the image that ran is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection, consistent with the WOW6432Node registry writes above.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 1028: C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
      The second copy of the sample that 2184 wrote into and re-pointed (see SetThreadContext and WriteProcessMemory above). It carries no signatures of its own because it crashed.
    [3] PID 2116: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1016
        Windows Error Reporting handling the crash of PID 1028.
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Drops file in Windows directory
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
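The registry IoCs under Windows security modification and the AdvancedRun and Add-MpPreference command lines in the process tree are the observables a detection engineer would key on. The Python below is an added example and is not part of the sandbox report or of any vendor's tooling: it re-creates those records as constructed, hand-written telemetry (PIDs, images, paths and command lines are copied from this page; the explorer.exe and Get-MpPreference control rows, the record layout and the technique labels are this example's own assumptions), normalises the WOW6432Node registry view so one rule matches 32-bit and 64-bit writers, and flags the four Defender settings, exclusion paths set by either route, and the AdvancedRun TrustedInstaller launch. The Set-MpPreference -Disable* check generalises beyond what this sample did.

```python
"""Flag Windows Defender tampering from registry and process-creation records.

Added example, not part of the sandbox report. The records below are
constructed by hand to mirror the report's IoCs; they are not captured
telemetry, and the technique labels are this example's own naming.
"""
import re
from collections import defaultdict

SAMPLE = "open this if the doesn't work.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e"
WOW_DEFENDER = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender"

# (pid, image, operation, registry path, data): the shape of the report's
# "Windows security modification" rows. The explorer.exe row is a benign
# control added for the example and must not fire.
REGISTRY_EVENTS = [
    (2184, SAMPLE, "Set value (int)", WOW_DEFENDER + r"\Spynet\SpyNetReporting", "0"),
    (2184, SAMPLE, "Set value (int)", WOW_DEFENDER + r"\Spynet\SubmitSamplesConsent", "0"),
    (2184, SAMPLE, "Key created", WOW_DEFENDER + r"\Features", None),
    (2184, SAMPLE, "Set value (int)", WOW_DEFENDER + r"\Features\TamperProtection", "0"),
    (2184, SAMPLE, "Key created", WOW_DEFENDER + r"\Exclusions\Paths", None),
    (2184, SAMPLE, "Set value (int)",
     WOW_DEFENDER + r"\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE, "0"),
    (2184, SAMPLE, "Set value (int)",
     WOW_DEFENDER + r"\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    (4321, "explorer.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "1"),
]

# (pid, parent pid, image, command line) from the process tree; the last row
# is a benign control added for the example.
PROCESS_EVENTS = [
    (1444, 2184, DROP_DIR + r"\AdvancedRun.exe",
     '"' + DROP_DIR + r'\AdvancedRun.exe" /EXEFilename "' + DROP_DIR + r'\test.bat"'
     ' /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run'),
    (3492, 2184, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference'
     r' -ExclusionPath "C:\Users\Admin\AppData\Local\Temp' + "\\" + SAMPLE + '" -Force'),
    (5555, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-MpPreference"),
]

HIVE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)
WOW_RE = re.compile(r"^HKLM\\SOFTWARE\\WOW6432Node\\", re.IGNORECASE)
DEFENDER_ROOT = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"

# Value (relative to the Defender key, lower-cased) -> data meaning "switched off".
TAMPER_VALUES = {
    "spynet\\spynetreporting": "0",
    "spynet\\submitsamplesconsent": "0",
    "features\\tamperprotection": "0",
    "real-time protection\\disablerealtimemonitoring": "1",
}

CMDLET_EXCLUSION = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE)
CMDLET_DISABLE = re.compile(r"Set-MpPreference\b.*-Disable\w+", re.IGNORECASE)  # generalisation
ADVANCEDRUN_TI = re.compile(r"AdvancedRun\.exe.*/RunAs\s+8\b", re.IGNORECASE)   # 8 = TrustedInstaller


def normalize_key(path):
    """Return (HKLM-style path with the WOW6432Node segment removed, wow64 flag)."""
    path = HIVE_RE.sub(r"HKLM\\", path)
    wow64 = bool(WOW_RE.match(path))
    if wow64:
        path = WOW_RE.sub(r"HKLM\\SOFTWARE\\", path)
    return path, wow64


def _finding(pid, image, technique, detail, wow64):
    return {"pid": pid, "image": image, "technique": technique, "detail": detail, "wow64": wow64}


def check_registry_event(event):
    pid, image, operation, path, data = event
    key, wow64 = normalize_key(path)
    if not key.lower().startswith(DEFENDER_ROOT.lower()):
        return None
    if not operation.startswith("Set value"):
        return None  # key creation alone is too weak to alert on
    relative = key[len(DEFENDER_ROOT):]
    if TAMPER_VALUES.get(relative.lower()) == data:
        return _finding(pid, image, "defender_setting_disabled", relative, wow64)
    if relative.lower().startswith("exclusions\\paths\\"):
        excluded = relative[len("Exclusions\\Paths\\"):]
        return _finding(pid, image, "defender_exclusion_registry", excluded, wow64)
    return None


def check_process_event(event):
    pid, _ppid, image, cmdline = event
    wow64 = "\\syswow64\\" in image.lower()  # 32-bit image on a 64-bit host
    if CMDLET_EXCLUSION.search(cmdline):
        return _finding(pid, image, "defender_exclusion_cmdlet", cmdline, wow64)
    if CMDLET_DISABLE.search(cmdline):
        return _finding(pid, image, "defender_disabled_cmdlet", cmdline, wow64)
    if ADVANCEDRUN_TI.search(cmdline):
        return _finding(pid, image, "advancedrun_trustedinstaller", cmdline, wow64)
    return None


def analyze(registry_events=REGISTRY_EVENTS, process_events=PROCESS_EVENTS):
    findings = [f for f in map(check_registry_event, registry_events) if f]
    findings += [f for f in map(check_process_event, process_events) if f]
    return findings


def summarize(findings):
    """Sorted technique names per PID, so 2184 -> 1444/3492 reads as one chain."""
    per_pid = defaultdict(set)
    for f in findings:
        per_pid[f["pid"]].add(f["technique"])
    return {pid: sorted(t) for pid, t in per_pid.items()}


if __name__ == "__main__":
    for f in analyze():
        view = "WOW64" if f["wow64"] else "native"
        print(f"{f['pid']:>5} {f['technique']:<30} {view:<7} {f['detail']}")
```

The WOW64 flag is kept on each finding rather than dropped during normalisation: a write that only reaches the WOW6432Node view is still an attempt worth alerting on, but the flag tells the responder whether Defender's real configuration could have changed.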
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\b56336be-f569-4bd7-a5ce-9126be0c9f0e\AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
(listed three times in the original report with identical hashes)
-
memory/1028-137-0x0000000000400000-0x0000000000492000-memory.dmp Filesize 584KB
memory/1028-138-0x000000000043E9BE-mapping.dmp
memory/1028-141-0x0000000000400000-0x0000000000492000-memory.dmp Filesize 584KB
memory/1444-127-0x0000000000000000-mapping.dmp
memory/2184-115-0x0000000000B70000-0x0000000000B71000-memory.dmp Filesize 4KB
memory/2184-120-0x0000000002DC0000-0x0000000002DC1000-memory.dmp Filesize 4KB
memory/2184-121-0x00000000057A0000-0x00000000057A3000-memory.dmp Filesize 12KB
memory/2184-117-0x0000000005400000-0x0000000005401000-memory.dmp Filesize 4KB
memory/2184-125-0x0000000008190000-0x0000000008276000-memory.dmp Filesize 920KB
memory/2184-126-0x000000000DFA0000-0x000000000DFA1000-memory.dmp Filesize 4KB
memory/3492-132-0x0000000000000000-mapping.dmp
memory/3492-147-0x0000000008B70000-0x0000000008B71000-memory.dmp Filesize 4KB
memory/3492-136-0x0000000007AD0000-0x0000000007AD1000-memory.dmp Filesize 4KB
memory/3492-134-0x0000000004CF0000-0x0000000004CF1000-memory.dmp Filesize 4KB
memory/3492-133-0x0000000004CF0000-0x0000000004CF1000-memory.dmp Filesize 4KB
memory/3492-160-0x0000000007493000-0x0000000007494000-memory.dmp Filesize 4KB
memory/3492-135-0x0000000004E10000-0x0000000004E11000-memory.dmp Filesize 4KB
memory/3492-140-0x0000000007492000-0x0000000007493000-memory.dmp Filesize 4KB
memory/3492-142-0x0000000007880000-0x0000000007881000-memory.dmp Filesize 4KB
memory/3492-143-0x0000000007920000-0x0000000007921000-memory.dmp Filesize 4KB
memory/3492-144-0x0000000007990000-0x0000000007991000-memory.dmp Filesize 4KB
memory/3492-145-0x0000000008200000-0x0000000008201000-memory.dmp Filesize 4KB
memory/3492-146-0x0000000007A90000-0x0000000007A91000-memory.dmp Filesize 4KB
memory/3492-139-0x0000000007490000-0x0000000007491000-memory.dmp Filesize 4KB
memory/3492-148-0x0000000008930000-0x0000000008931000-memory.dmp Filesize 4KB
memory/3492-149-0x0000000004CF0000-0x0000000004CF1000-memory.dmp Filesize 4KB
memory/3492-159-0x0000000004CF0000-0x0000000004CF1000-memory.dmp Filesize 4KB
memory/3492-161-0x0000000007494000-0x0000000007496000-memory.dmp Filesize 8KB
memory/4084-130-0x0000000000000000-mapping.dmp
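The WriteProcessMemory, SetThreadContext and NtCreateProcessExOtherParentProcess IoCs in the Signatures section, plus the dumps of PID 1028 just above, are enough to reach the process-hollowing verdict mechanically rather than by eye. The Python below is an added example, not part of the sandbox report: the event list is transcribed by hand from those signature rows (PIDs and image names as reported), the scoring rules are this example's own and not the sandbox's, and treating the 0x43E9BE mapping address as the thread entry set by SetThreadContext is an interpretation of the dump listing, not something the report states.

```python
"""Correlate per-API sandbox IoCs into a process-injection verdict per
(source, target) process pair.

Added example, not part of the report. EVENTS is transcribed by hand from the
report's WriteProcessMemory / SetThreadContext / NtCreateProcessExOtherParentProcess
rows; the verdict names and thresholds are this example's own.
"""
from collections import defaultdict

SAMPLE = "open this if the doesn't work.exe"
ADVRUN = "AdvancedRun.exe"

# (source_pid, source_image, api, target_pid, target_image), one tuple per IoC row.
EVENTS = (
    [(2184, SAMPLE, "WriteProcessMemory", 1444, ADVRUN)] * 3
    + [(1444, ADVRUN, "WriteProcessMemory", 4084, ADVRUN)] * 3
    + [(2184, SAMPLE, "WriteProcessMemory", 3492, "powershell.exe")] * 3
    + [(2184, SAMPLE, "WriteProcessMemory", 1028, SAMPLE)] * 10
    + [(2184, SAMPLE, "SetThreadContext", 1028, SAMPLE)]
    + [(2116, "WerFault.exe", "NtCreateProcessExOtherParentProcess", 1028, SAMPLE)]
)

# Regions the sandbox dumped for the target, (pid, start, end), and the address
# it recorded as that pid's "mapping" (interpreted here as the new thread entry).
DUMPED_REGIONS = [(1028, 0x400000, 0x492000)]
MAPPED_ENTRY = {1028: 0x43E9BE}


def correlate(events):
    """Count each API per (source, target) pair and remember every PID's image."""
    pairs = defaultdict(lambda: defaultdict(int))
    images = {}
    for src, src_img, api, tgt, tgt_img in events:
        pairs[(src, tgt)][api] += 1
        images[src] = src_img
        images[tgt] = tgt_img
    return pairs, images


def classify(pairs, images):
    """Map each pair to (verdict, reason).

    Writes followed by SetThreadContext into a child running the *same* image
    is hollowing/RunPE. Writes plus a context change into a different image
    is still injection. Writes alone are what CreateProcess does while setting
    up any child, so they are reported but not scored as injection.
    """
    verdicts = {}
    for (src, tgt), apis in pairs.items():
        wpm = apis.get("WriteProcessMemory", 0)
        stc = apis.get("SetThreadContext", 0)
        same_image = images[src] == images[tgt]
        if wpm and stc and same_image:
            verdicts[(src, tgt)] = (
                "process_hollowing",
                f"{wpm} WriteProcessMemory then SetThreadContext into a child of the same image")
        elif wpm and stc:
            verdicts[(src, tgt)] = (
                "thread_hijack_or_injection",
                f"{wpm} WriteProcessMemory then SetThreadContext into {images[tgt]}")
        elif wpm:
            verdicts[(src, tgt)] = (
                "child_setup",
                f"{wpm} WriteProcessMemory without a context change; consistent with ordinary child creation")
        else:
            verdicts[(src, tgt)] = ("other", ", ".join(sorted(apis)))
    return verdicts


def entry_in_dumped_region(pid, regions=DUMPED_REGIONS, entries=MAPPED_ENTRY):
    """If pid's mapping address lies inside one of its dumped regions, return
    (region_start, offset_into_region) so the analyst can open the dump there."""
    entry = entries.get(pid)
    if entry is None:
        return None
    for region_pid, start, end in regions:
        if region_pid == pid and start <= entry < end:
            return start, entry - start
    return None


def analyze(events=EVENTS):
    pairs, images = correlate(events)
    return classify(pairs, images)


if __name__ == "__main__":
    for (src, tgt), (verdict, reason) in sorted(analyze().items()):
        print(f"{src} -> {tgt}: {verdict} ({reason})")
    located = entry_in_dumped_region(1028)
    if located:
        print(f"PID 1028 entry at region 0x{located[0]:X} + 0x{located[1]:X}")
```

Note that 1444 -> 4084 is AdvancedRun writing into a child that is also AdvancedRun, so a rule keyed on "same image plus WriteProcessMemory" alone would fire on it; requiring the SetThreadContext step is what separates the genuine hollowing of 1028 from a program spawning a helper copy of itself.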