Analysis
-
max time kernel
91s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2022 22:16
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
5 signatures
150 seconds
General
-
Target
file.exe
-
Size
3.6MB
-
MD5
16071179683d1f84d63728f7a4c03167
-
SHA1
179bb2c4aff7752e8082c84b585212a2ab82124f
-
SHA256
23b137ce3bf552461beac7baf3a449a620010feac5cf69a1864e40b5efa04c2d
-
SHA512
1465fe553b9f105195a3de21e71c02df5e0dc23d33f8d8751afedee34becfc7351dc81b7054249c9b402673b59c528abccea9635da407b05bc05ecbd78e5958d
-
SSDEEP
49152:zQYDduXQyUijUpPL6yukdjTbi6Q3/akOAA49SOt3wueGyiopbsb1GZHunfTrLh:8q2PUiApskdrUPakmO1wue3sbAOnbrLh
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
9b19cf60d9bdf65b8a2495aa965456c3
C2
http://5.2.70.65/
rc4.plain
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 3492 set thread context of 716 3492 file.exe MSBuild.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3760 716 WerFault.exe MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
file.exedescription pid process Token: SeDebugPrivilege 3492 file.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
file.exedescription pid process target process PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe PID 3492 wrote to memory of 716 3492 file.exe MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 3483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 716 -ip 7161⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/716-136-0x0000000000408597-mapping.dmp
-
memory/716-137-0x0000000000190000-0x00000000001A4000-memory.dmpFilesize
80KB
-
memory/716-142-0x0000000000190000-0x00000000001A4000-memory.dmpFilesize
80KB
-
memory/716-146-0x0000000000190000-0x00000000001A4000-memory.dmpFilesize
80KB
-
memory/3492-132-0x0000000000180000-0x0000000000518000-memory.dmpFilesize
3.6MB
-
memory/3492-133-0x00007FFE993F0000-0x00007FFE99EB1000-memory.dmpFilesize
10.8MB
-
memory/3492-134-0x00007FFE993F0000-0x00007FFE99EB1000-memory.dmpFilesize
10.8MB
-
memory/3492-140-0x00007FFE993F0000-0x00007FFE99EB1000-memory.dmpFilesize
10.8MB