Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
08-11-2021 09:58
General
-
Target
ee6a1e4c8a5381d2f848cc3cf000ce21431d9479740a07d32638c9c6a50e6fcc.exe
-
Size
533KB
-
MD5
a056fafc86c0a8cffd016ad6883695e1
-
SHA1
28af57210237b0475e00b4eabb0c9dcd07c1d47f
-
SHA256
ee6a1e4c8a5381d2f848cc3cf000ce21431d9479740a07d32638c9c6a50e6fcc
-
SHA512
428287ee89bbea841b26f2a85c051a0515c46677cfd54fbd1a6206a18bbb91da74bffb48c6bcbb77c347429125b9f07d5b20f92af52683240e084ba4ae7b36c1
Score
10/10
Malware Config
Extracted
Family
raccoon
Version
1.8.3
Botnet
243f5e3056753d9f9706258dce4f79e57c3a9c44
Attributes
-
url4cnc
http://178.23.190.57/agrybirdsgamerept
http://91.219.236.162/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
http://193.38.54.238/agrybirdsgamerept
http://74.119.192.122/agrybirdsgamerept
http://91.219.236.240/agrybirdsgamerept
rc4.plain
rc4.plain
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee6a1e4c8a5381d2f848cc3cf000ce21431d9479740a07d32638c9c6a50e6fcc.exe"C:\Users\Admin\AppData\Local\Temp\ee6a1e4c8a5381d2f848cc3cf000ce21431d9479740a07d32638c9c6a50e6fcc.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 9002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3984-119-0x0000000002230000-0x00000000022BF000-memory.dmpFilesize
572KB
-
memory/3984-118-0x00000000021E0000-0x000000000222F000-memory.dmpFilesize
316KB
-
memory/3984-120-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB