Analysis
max time kernel: 87s
max time network: 128s
platform: windows10_x64
resource: win10-en-20211104
submitted: 03-12-2021 21:32

Static task: static1
Behavioral task: behavioral1
Sample: 6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132.exe
Resource: win10-en-20211104
Static task result: 0 signatures, 0 seconds
General
Target: 6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132.exe
Size: 570KB
MD5: 4c8b66d361835c2d9ea8c230e90662dd
SHA1: 3fae7d1577820b1fc0559510bad83c9d6c63323a
SHA256: 6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132
SHA512: 211b0518d29da64837d2f996f2cbb6befd8c93944a8a00d8a08675d0aec4369e447ffb7ff1d04deca77cc0e2c2c3c4f18d5e002deca998353f144aa8695d0147
Malware Config
Extracted
Family: raccoon
Version: 1.8.3-hotfix
Botnet: 049dc5184bb65eb56e4e860bf61427e2a0fcba1e
Attributes:
  url4cnc:
    http://185.225.19.18/duglassa1
    http://91.219.237.227/duglassa1
    https://t.me/duglassa1
  rc4.plain: rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description: PID 1176 created 2452; pid: 1176; process: WerFault.exe; target process: 6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132.exe

Program crash (1 IoC)
Processes:
  pid: 1176; pid_target: 2452; process: WerFault.exe; target process: 6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid: 1176; process: WerFault.exe (the same entry is recorded 12 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeRestorePrivilege; pid: 1176; process: WerFault.exe
  Token: SeBackupPrivilege; pid: 1176; process: WerFault.exe
  Token: SeDebugPrivilege; pid: 1176; process: WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f930339242cf55f87b545fd29f8faf6b84f5828aac0322defd57f03aa7cf132.exe"

   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 900
      Signatures:
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken