Analysis
-
max time kernel
118s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
29-10-2021 23:37
Static task
static1
Behavioral task
behavioral1
Sample
3b62e9c30b398554f476147d4386f2c6.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
3b62e9c30b398554f476147d4386f2c6.exe
Resource
win10-en-20210920
General
-
Target
3b62e9c30b398554f476147d4386f2c6.exe
-
Size
591KB
-
MD5
3b62e9c30b398554f476147d4386f2c6
-
SHA1
7d45a88064af2c0f161bc682eba5244168ee1554
-
SHA256
f7066f5159f83c1266329e7e8bf27abe5fa6f481da98e3b31c3f8e3cc1af7f06
-
SHA512
a689b6669291240ec859eac2eb9f71796b00a24eef93e823d51211fd375c77fe3eae147e97671281d73152dfdf0d3ae0a79b399ed8a691436ee8229c3b463c14
Malware Config
Extracted
raccoon
b176c5fe76fc027de7ad67f52792266419904252
-
url4cnc
http://telegalive.top/hoverpattern31
http://toptelete.top/hoverpattern31
http://telegraf.top/hoverpattern31
https://t.me/hoverpattern31
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 4428 created 3056 4428 WerFault.exe 3b62e9c30b398554f476147d4386f2c6.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4428 3056 WerFault.exe 3b62e9c30b398554f476147d4386f2c6.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
WerFault.exepid process 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe 4428 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4428 WerFault.exe Token: SeBackupPrivilege 4428 WerFault.exe Token: SeDebugPrivilege 4428 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b62e9c30b398554f476147d4386f2c6.exe"C:\Users\Admin\AppData\Local\Temp\3b62e9c30b398554f476147d4386f2c6.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 9642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken