Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 08-11-2021 12:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d.exe
- Resource: win10-en-20211104
General
- Target: cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d.exe
- Size: 534KB
- MD5: e2cbdf74ff9c8f936a4fb8c6b2a956fa
- SHA1: 7198d953db35dd67aaf70782a42029c1586fb5a8
- SHA256: cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d
- SHA512: ebf4a320a38757e3a659575b489113f15c854a53d25ac10c235b58cd1e2c7cbdf96f51a0761aaccc1d209fbde1f1b641c643e032c5f05ffcb4f15917441f1b9d
Malware Config
Extracted
- Family: raccoon
- Version: 1.8.3-hotfix
- fcdc156d3872c18d25e3ee45499599b45e492a67
- url4cnc:
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description: PID 596 created 3648 | pid: 596 | process: WerFault.exe | target process: cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d.exe
- Program crash (1 IoC)
  Processes:
  pid: 596 | pid_target: 3648 | process: WerFault.exe | target process: cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid: 596 | process: WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description: Token: SeRestorePrivilege | pid: 596 | process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 596 | process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 596 | process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfc3768cbc19e72ee4d54a18f6700e7f3fda452a901d3c1dae68ae4880edaf7d.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 944
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken