Analysis
max time kernel: 142s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211104
submitted: 07-11-2021 01:31
Static task: static1
Behavioral task: behavioral1
Sample: 7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588.exe
Resource: win10-en-20211104
General
Target: 7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588.exe
Size: 482KB
MD5: e515ff41163d39cf4b929d27808b12c9
SHA1: 4942b689920659fc9d78a96ed56c9df6838bc1bc
SHA256: 7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588
SHA512: 30c8d570d0dd2d6164060865afb6a10a493d7de2371b84125b8a9f8b0d91b35e1df52975d0c99b69e794e59efdbdf1971702f9e6941edcfdaccb5b9dcb864131
Malware Config
Extracted
Family: raccoon
Version: 1.8.3
243f5e3056753d9f9706258dce4f79e57c3a9c44
url4cnc:
http://178.23.190.57/agrybirdsgamerept
http://91.219.236.162/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
http://193.38.54.238/agrybirdsgamerept
http://74.119.192.122/agrybirdsgamerept
http://91.219.236.240/agrybirdsgamerept
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description: PID 2336 created 2856 | pid: 2336 | process: WerFault.exe | target process: 7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588.exe
Program crash (1 IoC)
Processes:
  pid: 2336 | pid_target: 2856 | process: WerFault.exe | target process: 7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid: 2336 | process: WerFault.exe (12 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description: Token: SeRestorePrivilege | pid: 2336 | process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 2336 | process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 2336 | process: WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7a2a26f5c0beab62a06d8dac9f6a3aa2e3e4cf554ca87c7851bf5adeb86ad588.exe"
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 676
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken