Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 14-11-2021 08:22
Static task: static1
Behavioral task: behavioral1
- Sample: 100f06c3c5a50552ecfde1fbf3e9b4bb.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 100f06c3c5a50552ecfde1fbf3e9b4bb.exe
- Resource: win10-en-20211104
General
- Target: 100f06c3c5a50552ecfde1fbf3e9b4bb.exe
- Size: 500KB
- MD5: 100f06c3c5a50552ecfde1fbf3e9b4bb
- SHA1: 1749c9ac51e7d76c5138c7a8a4de13ce16e7423a
- SHA256: 879b3d8f4e4f90f19da28a6ff8b46fac43c972a2b4b268a708966650b9148b7f
- SHA512: 474dd5169b516f0dba5d15d6ab75ef2b1e45dec18b7958a020cbe4a98499f6d9e13879ffa37777cad11a0b4fa84dd960a4b452fe4b475a8967768e1b28bda32a
Malware Config
Extracted
- Family: raccoon
- Version: 1.8.3-hotfix
- 675718a5f2ce6d3cacf6cb04a512f5637eae995f
- url4cnc
Signatures
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid 292 (WerFault.exe), pid_target 432 (100f06c3c5a50552ecfde1fbf3e9b4bb.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
    pid 292 (WerFault.exe), observed 5 times
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: WerFault.exe
    pid 292 (WerFault.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe
    Token: SeDebugPrivilege, pid 292 (WerFault.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 100f06c3c5a50552ecfde1fbf3e9b4bb.exe
    PID 432 (100f06c3c5a50552ecfde1fbf3e9b4bb.exe) wrote to memory of PID 292 (WerFault.exe), observed 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\100f06c3c5a50552ecfde1fbf3e9b4bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\100f06c3c5a50552ecfde1fbf3e9b4bb.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 404
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/292-58-0x0000000000000000-mapping.dmp
- memory/292-60-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize 4KB)
- memory/432-55-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize 8KB)
- memory/432-56-0x0000000000220000-0x000000000026F000-memory.dmp (Filesize 316KB)
- memory/432-57-0x00000000004A0000-0x000000000052F000-memory.dmp (Filesize 572KB)
- memory/432-59-0x0000000000400000-0x0000000000491000-memory.dmp (Filesize 580KB)