Analysis
max time kernel: 146s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211104
submitted: 08-11-2021 10:24
Static task: static1
Behavioral task: behavioral1
Sample: fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9.exe
Resource: win10-en-20211104
General
Target: fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9.exe
Size: 534KB
MD5: 2c75fda3755d0a1329e8b82df81c0924
SHA1: 8d5577907733a6deb546118814cd218e9609e470
SHA256: fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9
SHA512: 8231704b4c60fbe2de820c623e34d0fc1b9299139154e2c614d1c29518c1b5fc765a8c439cf1863c0a5d4339c64a6f01d321270296a141292f544b3db289705f
Malware Config
Extracted
Family: raccoon
Version: 1.8.3
243f5e3056753d9f9706258dce4f79e57c3a9c44
url4cnc:
  http://178.23.190.57/agrybirdsgamerept
  http://91.219.236.162/agrybirdsgamerept
  http://185.163.47.176/agrybirdsgamerept
  http://193.38.54.238/agrybirdsgamerept
  http://74.119.192.122/agrybirdsgamerept
  http://91.219.236.240/agrybirdsgamerept
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              pid   process       target process
  PID 1112 created 2932    1112  WerFault.exe  fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1112  2932        WerFault.exe  fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   process
  1112  WerFault.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1112  WerFault.exe
  Token: SeBackupPrivilege   1112  WerFault.exe
  Token: SeDebugPrivilege    1112  WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fdcabde9dac29762671f619a1b5daffb129ce64a69a9bf8186e47efbcb4243b9.exe"
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 808
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken