Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2022 14:56
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
file.exe
-
Size
3.5MB
-
MD5
85c27c29bcd669111e83ece79e7e0a62
-
SHA1
24cb399e0de0896709242e3e2cc2b0435d5c206e
-
SHA256
c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9
-
SHA512
9d01e2e090c553f3de1a85300f7faa36cee4a4e135ec47854529aaa1fe2fd2e0313b8202dbf875b6cc21e0a1ec46d1c1d379563ad7560470dd0a246c8bae7e99
-
SSDEEP
24576:DqkwrOTxquuoM1iHVHv/Rkelbl1RWuetgVR04suAKluiCionxi3tWEvvbwDiqBQd:4uuoBVH7XRWFIDpkdj
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
9b19cf60d9bdf65b8a2495aa965456c3
C2
http://5.2.70.65/
rc4.plain
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 456 set thread context of 4736 456 file.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3832 4736 WerFault.exe vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
file.exedescription pid process Token: SeDebugPrivilege 456 file.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
file.exedescription pid process target process PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe PID 456 wrote to memory of 4736 456 file.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 3403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 47361⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/456-132-0x0000000000C00000-0x0000000000F86000-memory.dmpFilesize
3.5MB
-
memory/456-133-0x00007FFC18140000-0x00007FFC18C01000-memory.dmpFilesize
10.8MB
-
memory/456-134-0x00007FFC18140000-0x00007FFC18C01000-memory.dmpFilesize
10.8MB
-
memory/456-139-0x00007FFC18140000-0x00007FFC18C01000-memory.dmpFilesize
10.8MB
-
memory/4736-136-0x0000000000408597-mapping.dmp
-
memory/4736-137-0x00000000003E0000-0x00000000003F4000-memory.dmpFilesize
80KB
-
memory/4736-142-0x00000000003E0000-0x00000000003F4000-memory.dmpFilesize
80KB
-
memory/4736-146-0x00000000003E0000-0x00000000003F4000-memory.dmpFilesize
80KB