Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
29-10-2021 22:41
Static task
static1
Behavioral task
behavioral1
Sample
3b62e9c30b398554f476147d4386f2c6.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
3b62e9c30b398554f476147d4386f2c6.exe
Resource
win10-en-20211014
General
-
Target
3b62e9c30b398554f476147d4386f2c6.exe
-
Size
591KB
-
MD5
3b62e9c30b398554f476147d4386f2c6
-
SHA1
7d45a88064af2c0f161bc682eba5244168ee1554
-
SHA256
f7066f5159f83c1266329e7e8bf27abe5fa6f481da98e3b31c3f8e3cc1af7f06
-
SHA512
a689b6669291240ec859eac2eb9f71796b00a24eef93e823d51211fd375c77fe3eae147e97671281d73152dfdf0d3ae0a79b399ed8a691436ee8229c3b463c14
Malware Config
Extracted
raccoon
b176c5fe76fc027de7ad67f52792266419904252
-
url4cnc
http://telegalive.top/hoverpattern31
http://toptelete.top/hoverpattern31
http://telegraf.top/hoverpattern31
https://t.me/hoverpattern31
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1668 1396 WerFault.exe 3b62e9c30b398554f476147d4386f2c6.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe 1668 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1668 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1668 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
3b62e9c30b398554f476147d4386f2c6.exedescription pid process target process PID 1396 wrote to memory of 1668 1396 3b62e9c30b398554f476147d4386f2c6.exe WerFault.exe PID 1396 wrote to memory of 1668 1396 3b62e9c30b398554f476147d4386f2c6.exe WerFault.exe PID 1396 wrote to memory of 1668 1396 3b62e9c30b398554f476147d4386f2c6.exe WerFault.exe PID 1396 wrote to memory of 1668 1396 3b62e9c30b398554f476147d4386f2c6.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b62e9c30b398554f476147d4386f2c6.exe"C:\Users\Admin\AppData\Local\Temp\3b62e9c30b398554f476147d4386f2c6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 4962⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1396-54-0x0000000002CDD000-0x0000000002D2C000-memory.dmpFilesize
316KB
-
memory/1396-55-0x0000000074F81000-0x0000000074F83000-memory.dmpFilesize
8KB
-
memory/1396-56-0x0000000000300000-0x000000000038E000-memory.dmpFilesize
568KB
-
memory/1396-57-0x0000000000400000-0x0000000002BEE000-memory.dmpFilesize
39.9MB
-
memory/1668-58-0x0000000000000000-mapping.dmp
-
memory/1668-59-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB