Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 29-10-2021 05:24
Static task: static1
Behavioral task: behavioral1
  Sample: 5fe07134abda38e8870c74150caa6b68.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 5fe07134abda38e8870c74150caa6b68.exe
  Resource: win10-en-20211014
General
- Target: 5fe07134abda38e8870c74150caa6b68.exe
- Size: 465KB
- MD5: 5fe07134abda38e8870c74150caa6b68
- SHA1: 2e50a2dd334ce25c29c09f89e71c42b3242de3ac
- SHA256: 4ac1fd5714d68c3a015611027bd42bd354207d7f9c8417a63a4da31295580ffd
- SHA512: f4088ff3414956574b82f7f8b6f5648eeb924a9c5c9dab687c6187a765aa24652219185c8da7d0214fef566b19ca357fb55a9a878becd4c76f8b97e12006c088
Malware Config
Extracted: raccoon
- 60e59be328fbd2ebac1839ea99411dccb00a6f49
- url4cnc:
  http://telegin.top/agrybirdsgamerept
  http://ttmirror.top/agrybirdsgamerept
  http://teletele.top/agrybirdsgamerept
  http://telegalive.top/agrybirdsgamerept
  http://toptelete.top/agrybirdsgamerept
  http://telegraf.top/agrybirdsgamerept
  https://t.me/agrybirdsgamerept
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1792  1616        WerFault.exe  5fe07134abda38e8870c74150caa6b68.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1792  WerFault.exe
    1792  WerFault.exe
    1792  WerFault.exe
    1792  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1792  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1616 wrote to memory of 1792  1616  5fe07134abda38e8870c74150caa6b68.exe  WerFault.exe
    PID 1616 wrote to memory of 1792  1616  5fe07134abda38e8870c74150caa6b68.exe  WerFault.exe
    PID 1616 wrote to memory of 1792  1616  5fe07134abda38e8870c74150caa6b68.exe  WerFault.exe
    PID 1616 wrote to memory of 1792  1616  5fe07134abda38e8870c74150caa6b68.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5fe07134abda38e8870c74150caa6b68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fe07134abda38e8870c74150caa6b68.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 528
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1616-55-0x0000000075C21000-0x0000000075C23000-memory.dmp (Filesize: 8KB)
- memory/1616-56-0x00000000003A0000-0x00000000003EE000-memory.dmp (Filesize: 312KB)
- memory/1616-57-0x00000000046C0000-0x000000000474E000-memory.dmp (Filesize: 568KB)
- memory/1616-58-0x0000000000400000-0x0000000002F3A000-memory.dmp (Filesize: 43.2MB)
- memory/1792-59-0x0000000000000000-mapping.dmp
- memory/1792-60-0x0000000000800000-0x0000000000860000-memory.dmp (Filesize: 384KB)