Analysis
Max time kernel: 117s
Max time network: 119s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 07-11-2021 08:39
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: 65ecbb1c38b4ac891d8a90870e115398.exe, Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: 65ecbb1c38b4ac891d8a90870e115398.exe, Resource: win10-en-20211104)
General
Target: 65ecbb1c38b4ac891d8a90870e115398.exe
Size: 591KB
MD5: 65ecbb1c38b4ac891d8a90870e115398
SHA1: 78e3f1782d238b6375224a3ce7793b1cb08a95d4
SHA256: 58c1b22873a1eab4f8a7cc5a26085a2968637eaa3f22e7cbe8032ad6f25bbd38
SHA512: a95b0ccaecdf007c4590efde4e56ec4e65b8d900e2070726393b912f4ef37b3761a641e7c85dfe8a9698f1bf9864afc8613d956e14414d5a0c78c00aa17a7dd9
Malware Config
Extracted family: raccoon
Version: 1.8.3
a741159db87f9df2b687764994c63c4c859ea476
url4cnc:
  http://178.23.190.57/hiioBlacklight1
  http://91.219.236.162/hiioBlacklight1
  http://185.163.47.176/hiioBlacklight1
  http://193.38.54.238/hiioBlacklight1
  http://74.119.192.122/hiioBlacklight1
  http://91.219.236.240/hiioBlacklight1
  https://t.me/hiioBlacklight1
Signatures
Program crash (1 IoC)
  Process: WerFault.exe (pid 992), target process: 65ecbb1c38b4ac891d8a90870e115398.exe (pid 1880)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Process: WerFault.exe (pid 992), 5 occurrences
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: WerFault.exe (pid 992)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: WerFault.exe (pid 992), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (4 IoCs)
  65ecbb1c38b4ac891d8a90870e115398.exe (PID 1880) wrote to memory of WerFault.exe (PID 992), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\65ecbb1c38b4ac891d8a90870e115398.exe (PID 1880)
   Command line: "C:\Users\Admin\AppData\Local\Temp\65ecbb1c38b4ac891d8a90870e115398.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (PID 992)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 420
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
memory/992-58-0x0000000000000000-mapping.dmp
memory/992-60-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
memory/1880-55-0x0000000000A7D000-0x0000000000ACC000-memory.dmp (Filesize: 316KB)
memory/1880-56-0x0000000075D41000-0x0000000075D43000-memory.dmp (Filesize: 8KB)
memory/1880-57-0x0000000000220000-0x00000000002AF000-memory.dmp (Filesize: 572KB)
memory/1880-59-0x0000000000400000-0x0000000000937000-memory.dmp (Filesize: 5.2MB)