Analysis
-
max time kernel
123s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
14-11-2021 09:15
General
-
Target
77a28b993e27b8249fa5463748ed15cf0a513402a25bbd72fc00b96fd321e674.exe
-
Size
500KB
-
MD5
d513e817da5fbce634ed9609ca78e589
-
SHA1
95c8614b7c7a709a278a45ae3b7579c9c167ea54
-
SHA256
77a28b993e27b8249fa5463748ed15cf0a513402a25bbd72fc00b96fd321e674
-
SHA512
49055ea2137dd1ef65ce8a8932a109c6f06a0ea6bd3fecf3e1c52aabc5dc6cc998b45fef4f030bc3f76e1d25f201f005dbb968e1ea29be7719fd6fb6f413d63a
Score
10/10
Malware Config
Extracted
Family
raccoon
Version
1.8.3-hotfix
Botnet
675718a5f2ce6d3cacf6cb04a512f5637eae995f
Attributes
-
url4cnc
http://91.219.236.27/agrybirdsgamerept
http://5.181.156.92/agrybirdsgamerept
http://91.219.236.207/agrybirdsgamerept
http://185.225.19.18/agrybirdsgamerept
http://91.219.237.227/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept
rc4.plain
rc4.plain
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\77a28b993e27b8249fa5463748ed15cf0a513402a25bbd72fc00b96fd321e674.exe"C:\Users\Admin\AppData\Local\Temp\77a28b993e27b8249fa5463748ed15cf0a513402a25bbd72fc00b96fd321e674.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 8642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4024-118-0x00000000021E0000-0x000000000222F000-memory.dmpFilesize
316KB
-
memory/4024-119-0x0000000002270000-0x00000000022FF000-memory.dmpFilesize
572KB
-
memory/4024-120-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB