Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 08-11-2021 08:39
Static task: static1
Behavioral task: behavioral1
- Sample: f138a83d95414302c7d7c5238c192717.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: f138a83d95414302c7d7c5238c192717.exe
- Resource: win10-en-20211014
General
- Target: f138a83d95414302c7d7c5238c192717.exe
- Size: 482KB
- MD5: f138a83d95414302c7d7c5238c192717
- SHA1: 5aa29b8d053529e1fbb6ec43a56f4462f7e8458f
- SHA256: b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b
- SHA512: d0c19df42e9be12cf478a1074607bddb50f94c4dc64dc24de82dd7ce54dc42da295d0d4d6eccf834c1cc65aa4e582da3a7dba94a521a3ed6f8d4a956a569c59f
Malware Config
Extracted
- Family: raccoon
- Version: 1.8.3
- 243f5e3056753d9f9706258dce4f79e57c3a9c44
- url4cnc:
  http://178.23.190.57/agrybirdsgamerept
  http://91.219.236.162/agrybirdsgamerept
  http://185.163.47.176/agrybirdsgamerept
  http://193.38.54.238/agrybirdsgamerept
  http://74.119.192.122/agrybirdsgamerept
  http://91.219.236.240/agrybirdsgamerept
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  1376  1112        WerFault.exe  f138a83d95414302c7d7c5238c192717.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  1376  WerFault.exe
  1376  WerFault.exe
  1376  WerFault.exe
  1376  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1376  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process                               target process
  PID 1112 wrote to memory of 1376   1112  f138a83d95414302c7d7c5238c192717.exe  WerFault.exe
  PID 1112 wrote to memory of 1376   1112  f138a83d95414302c7d7c5238c192717.exe  WerFault.exe
  PID 1112 wrote to memory of 1376   1112  f138a83d95414302c7d7c5238c192717.exe  WerFault.exe
  PID 1112 wrote to memory of 1376   1112  f138a83d95414302c7d7c5238c192717.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f138a83d95414302c7d7c5238c192717.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f138a83d95414302c7d7c5238c192717.exe"
  PID: 1112
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 440
    PID: 1376
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1112-55-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/1112-57-0x0000000000510000-0x000000000059F000-memory.dmp (Filesize: 572KB)
- memory/1112-56-0x00000000001B0000-0x00000000001FF000-memory.dmp (Filesize: 316KB)
- memory/1112-58-0x0000000000400000-0x0000000000491000-memory.dmp (Filesize: 580KB)
- memory/1376-59-0x0000000000000000-mapping.dmp
- memory/1376-60-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize: 4KB)