Analysis

max time kernel: 118s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211014
submitted: 02-11-2021 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4.exe
Resource: win10-en-20211014
General

Target: 48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4.exe
Size: 431KB
MD5: 87a5cdf223fe370ee426a231548c7ebc
SHA1: 03f5cb68f3d6787f71f9b73a9e31272130161dda
SHA256: 48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4
SHA512: 12c9c4dc0b3da35cb026b27c93d18c1c0376d103a1be71bd47292dd0c80c492a0237e7cddf379ea2dd7e1cc47a3f0b88b2acd4db15377cf6d80ed6dd4d7402b5
Malware Config

Extracted

raccoon
68e2d75238f7c69859792d206401b6bde2b2515c

url4cnc
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description            pid  process       target process
PID 976 created 2756   976  WerFault.exe  48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4.exe

Program crash (1 IoC)
Processes:
pid  pid_target  process       target process
976  2756        WerFault.exe  48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid  process
976  WerFault.exe  (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                 pid  process
Token: SeRestorePrivilege   976  WerFault.exe
Token: SeBackupPrivilege    976  WerFault.exe
Token: SeDebugPrivilege     976  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\48ceb3fa642b0031027ef4a94bff577f3635c05515f11e45c7cd3a1024620ed4.exe"

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1220
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken