Analysis
Max time kernel: 146s
Max time network: 148s
Platform: windows10_x64
Resource: win10-en-20211104
Submitted: 08-11-2021 11:02

Static task: static1
Behavioral task: behavioral1
Sample: 55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243.exe
Resource: win10-en-20211104
General
Target: 55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243.exe
Size: 534KB
MD5: 34de2b2b0b76a53335dd58f0ced684ff
SHA1: 4f90040afaec7585679e8b1cb474dee564e3635a
SHA256: 55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243
SHA512: c4508868dd4612fe75209456b17f3109d117d7c193096a41dec7d23712b48e2d63cef0a3f99a11938711ea1a49dbec2995e415030d7731c896a5f2771eac30c4
Malware Config
Extracted: raccoon 1.8.3 243f5e3056753d9f9706258dce4f79e57c3a9c44
url4cnc:
http://178.23.190.57/agrybirdsgamerept
http://91.219.236.162/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
http://193.38.54.238/agrybirdsgamerept
http://74.119.192.122/agrybirdsgamerept
http://91.219.236.240/agrybirdsgamerept
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description                 pid   process       target process
PID 1900 created 3064       1900  WerFault.exe  55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243.exe

Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
1900  3064        WerFault.exe  55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid   process
1900  WerFault.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                pid   process
Token: SeRestorePrivilege  1900  WerFault.exe
Token: SeBackupPrivilege   1900  WerFault.exe
Token: SeDebugPrivilege    1900  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\55041cb629a271f21482a96b3f51462de3264783a01e3300f93966704e6e2243.exe"
   PID: 3064

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 868
      PID: 1900
      Signatures:
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken