Analysis

max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211014
submitted: 08-11-2021 13:12
Static task: static1

Behavioral task: behavioral1
  Sample: 8fbe2112d360c6a0f0b18be369b9951a.exe
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample: 8fbe2112d360c6a0f0b18be369b9951a.exe
  Resource: win10-en-20211104
General

Target: 8fbe2112d360c6a0f0b18be369b9951a.exe
Size: 534KB
MD5: 8fbe2112d360c6a0f0b18be369b9951a
SHA1: fde28c60ea0938c49928d60d75f5adcd76f84903
SHA256: 596e838294aa3618fd5a6e8d71ae615f549a9df857745c41515134f748f68ef3
SHA512: ec59f9b7b3d5242fb58b95dd31de7f180e006c6d37de24763b127f6e7840a78a77fbeab900a88c010c6227c25ec484ecd8381cbc989e1a96ed603f38a8e4d38f
Malware Config

Extracted
  Family: raccoon
  Version: 1.8.3
  243f5e3056753d9f9706258dce4f79e57c3a9c44
  url4cnc:
    http://178.23.190.57/agrybirdsgamerept
    http://91.219.236.162/agrybirdsgamerept
    http://185.163.47.176/agrybirdsgamerept
    http://193.38.54.238/agrybirdsgamerept
    http://74.119.192.122/agrybirdsgamerept
    http://91.219.236.240/agrybirdsgamerept
Signatures

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1760  1880        WerFault.exe  8fbe2112d360c6a0f0b18be369b9951a.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1760  WerFault.exe
    1760  WerFault.exe
    1760  WerFault.exe
    1760  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1760  WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                    pid   process                               target process
    PID 1880 wrote to memory of 1760  1880  8fbe2112d360c6a0f0b18be369b9951a.exe  WerFault.exe
    PID 1880 wrote to memory of 1760  1880  8fbe2112d360c6a0f0b18be369b9951a.exe  WerFault.exe
    PID 1880 wrote to memory of 1760  1880  8fbe2112d360c6a0f0b18be369b9951a.exe  WerFault.exe
    PID 1880 wrote to memory of 1760  1880  8fbe2112d360c6a0f0b18be369b9951a.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8fbe2112d360c6a0f0b18be369b9951a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8fbe2112d360c6a0f0b18be369b9951a.exe"
   PID: 1880
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 440
      PID: 1760
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

memory/1760-59-0x0000000000000000-mapping.dmp
memory/1760-60-0x0000000000300000-0x0000000000301000-memory.dmp  Filesize: 4KB
memory/1880-55-0x0000000075D41000-0x0000000075D43000-memory.dmp  Filesize: 8KB
memory/1880-56-0x0000000000220000-0x000000000026F000-memory.dmp  Filesize: 316KB
memory/1880-57-0x0000000000400000-0x0000000000491000-memory.dmp  Filesize: 580KB
memory/1880-58-0x00000000004A0000-0x000000000052F000-memory.dmp  Filesize: 572KB