Analysis
max time kernel: 121s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211104
submitted: 09-11-2021 23:25
Static task: static1
Behavioral task: behavioral1
Sample: c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd.exe
Resource: win10-en-20211104
General
Target: c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd.exe
Size: 538KB
MD5: 8b266c410eee6b2125164cca8eabb957
SHA1: 9bc15216bf991b1419bf22b0acd0ee90b5db95ea
SHA256: c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd
SHA512: cbf9895368cbbd2affead18471c6e6d511e110fa56d3ef3dd9bc63b8cfe02d2bba7fa311c55afdfa7af09c0bba4e62d77212f7ea67cd373a54bf9cb4392b643e
Malware Config
Extracted
raccoon
1.8.3-hotfix
fcdc156d3872c18d25e3ee45499599b45e492a67
url4cnc:
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes: WerFault.exe
  description: PID 4012 created 3972
  pid: 4012
  process: WerFault.exe
  target process: c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid: 4012
  pid_target: 3972
  process: WerFault.exe
  target process: c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: WerFault.exe
  pid: 4012, process: WerFault.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  Token: SeRestorePrivilege, pid: 4012, process: WerFault.exe
  Token: SeBackupPrivilege, pid: 4012, process: WerFault.exe
  Token: SeDebugPrivilege, pid: 4012, process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c9348cca612ce15d47db81d80ab64943af007c174c1b504e10bc59f83db188dd.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 988
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken