Analysis
max time kernel: 120s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211014
submitted: 26-10-2021 15:33
Static task: static1
Behavioral task: behavioral1 | Sample: Software updated by Dylox.exe | Resource: win7-en-20211014
Behavioral task: behavioral2 | Sample: Software updated by Dylox.exe | Resource: win10-en-20210920
Behavioral task: behavioral3 | Sample: Software-update-patc_828811790.exe | Resource: win7-en-20210920
Behavioral task: behavioral4 | Sample: Software-update-patc_828811790.exe | Resource: win10-en-20211014
Behavioral task: behavioral5 | Sample: open this if the doesn't work.exe | Resource: win7-en-20210920
Behavioral task: behavioral6 | Sample: open this if the doesn't work.exe | Resource: win10-en-20211014
General
Target: open this if the doesn't work.exe
Size: 225KB
MD5: 75dc0b7ee8ecf84a04ae6dd0ace2f54d
SHA1: 4185141db5402579321714059282892a932661cf
SHA256: 06f18fc3c26ff3b6b028d3745e020bc973b3892c0a77096b5d1371dc82989298
SHA512: 57de91590f724f26eec8d24deaaa1f6cb5eb23ee0fe727152de89abbff9503bffd2ea91d60be280c482df942e51b196de8c73a71e6194c2019d0563eb5cd0d05
Malware Config
Extracted: raccoon 580b491e2149e767dbb79725a6a0395d016c0b15
url4cnc:
http://telegin.top/jabbahatt121
http://ttmirror.top/jabbahatt121
http://teletele.top/jabbahatt121
http://telegalive.top/jabbahatt121
http://toptelete.top/jabbahatt121
http://telegraf.top/jabbahatt121
https://t.me/jabbahatt121
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  description: PID 1316 created 2832 | pid: 1316 | process: WerFault.exe | target process: open this if the doesn't work.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
Nirsoft 3 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe | yara_rule: Nirsoft (3 matches)
Executes dropped EXE 2 IoCs
Processes:
  pid: 316 | process: AdvancedRun.exe
  pid: 2552 | process: AdvancedRun.exe
Windows security modification
Processes (all by open this if the doesn't work.exe):
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe = "0"
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 2108 set thread context of 2832 | pid: 2108 | process: open this if the doesn't work.exe | target process: open this if the doesn't work.exe
Drops file in Windows directory 1 IoCs
Processes:
  description: File created | ioc: C:\Windows\AppCompat\Programs\Amcache.hve.tmp | process: WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
  pid: 1316 | pid_target: 2832 | process: WerFault.exe | target process: open this if the doesn't work.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid, process, number of hits):
  316 AdvancedRun.exe (4)
  2552 AdvancedRun.exe (4)
  2628 powershell.exe (3)
  2108 open this if the doesn't work.exe (2)
  1316 WerFault.exe (13)
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
  Token: SeDebugPrivilege | 2108 open this if the doesn't work.exe
  Token: SeDebugPrivilege | 316 AdvancedRun.exe
  Token: SeImpersonatePrivilege | 316 AdvancedRun.exe
  Token: SeDebugPrivilege | 2552 AdvancedRun.exe
  Token: SeImpersonatePrivilege | 2552 AdvancedRun.exe
  Token: SeDebugPrivilege | 2628 powershell.exe
  Token: SeRestorePrivilege | 1316 WerFault.exe
  Token: SeBackupPrivilege | 1316 WerFault.exe
  Token: SeBackupPrivilege | 1316 WerFault.exe
  Token: SeDebugPrivilege | 1316 WerFault.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes (description, process -> target process, number of hits):
  PID 2108 wrote to memory of 316 | open this if the doesn't work.exe -> AdvancedRun.exe (3)
  PID 316 wrote to memory of 2552 | AdvancedRun.exe -> AdvancedRun.exe (3)
  PID 2108 wrote to memory of 2628 | open this if the doesn't work.exe -> powershell.exe (3)
  PID 2108 wrote to memory of 3192 | open this if the doesn't work.exe -> open this if the doesn't work.exe (3)
  PID 2108 wrote to memory of 2832 | open this if the doesn't work.exe -> open this if the doesn't work.exe (10)
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe" /SpecialRun 4101d8 316
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"

  C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\open this if the doesn't work.exe"

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 964
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\50a4a42b-99ff-4e2b-932e-1c42f781f16e\AdvancedRun.exe
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a