Analysis Overview
SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30
Threat Level: Known bad
The file 84dd06d1e6237944e337d213947e1949 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Raccoon
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2021-11-13 18:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-13 18:49
Reported
2021-11-13 18:51
Platform
win7-en-20211104
Max time kernel
152s
Max time network
151s
Command Line
Signatures
Raccoon
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1612 set thread context of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"
C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| US | 8.8.8.8:53 | teletele.top | udp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | toptelete.top | udp |
Files
memory/1612-55-0x0000000002D1B000-0x0000000002D92000-memory.dmp
memory/1612-56-0x0000000000220000-0x00000000002A3000-memory.dmp
memory/1612-57-0x0000000000400000-0x0000000002BB3000-memory.dmp
memory/460-58-0x0000000000400000-0x0000000000491000-memory.dmp
memory/460-59-0x0000000000402998-mapping.dmp
memory/1612-60-0x0000000000370000-0x00000000003D3000-memory.dmp
memory/1612-61-0x0000000002BC0000-0x0000000002C30000-memory.dmp
memory/460-62-0x0000000000400000-0x0000000000491000-memory.dmp
memory/460-63-0x0000000000400000-0x0000000000491000-memory.dmp
memory/460-64-0x0000000075491000-0x0000000075493000-memory.dmp
memory/460-66-0x0000000000310000-0x000000000039E000-memory.dmp
memory/460-65-0x00000000002C0000-0x000000000030E000-memory.dmp
memory/460-67-0x0000000000400000-0x0000000000491000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-13 18:49
Reported
2021-11-13 18:51
Platform
win10-en-20211014
Max time kernel
119s
Max time network
132s
Command Line
Signatures
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2396 created 4088 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1008 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"
C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe
"C:\Users\Admin\AppData\Local\Temp\84dd06d1e6237944e337d213947e1949.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1224
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | teletele.top | udp |
| US | 8.8.8.8:53 | teletele.top | udp |
| US | 8.8.8.8:53 | teletele.top | udp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | toptelete.top | udp |
| US | 8.8.8.8:53 | toptelete.top | udp |
| US | 8.8.8.8:53 | toptelete.top | udp |
| US | 8.8.8.8:53 | telegraf.top | udp |
| US | 8.8.8.8:53 | telegraf.top | udp |
| US | 8.8.8.8:53 | telegraf.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| MD | 185.163.47.175:80 | 185.163.47.175 | tcp |
Files
memory/1008-116-0x0000000004970000-0x00000000049F3000-memory.dmp
memory/1008-117-0x0000000000400000-0x0000000002BB3000-memory.dmp
memory/4088-118-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4088-119-0x0000000000402998-mapping.dmp
memory/1008-120-0x0000000004A00000-0x0000000004A63000-memory.dmp
memory/1008-121-0x0000000004A70000-0x0000000004AE0000-memory.dmp
memory/4088-122-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4088-123-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4088-125-0x0000000000730000-0x00000000007BE000-memory.dmp
memory/4088-124-0x00000000004A0000-0x000000000054E000-memory.dmp
memory/4088-126-0x0000000000400000-0x0000000000491000-memory.dmp