Analysis
- max time kernel: 300s
- max time network: 302s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-03-2022 18:59
Static task
- static1
Behavioral task
- behavioral1
  Sample: FiIe__Password_1234.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: FiIe__Password_1234.exe
  Resource: win10v2004-en-20220113
General
- Target: FiIe__Password_1234.exe
- Size: 4.5MB
- MD5: 106c93855dfd7c139ba6e75b429e85f4
- SHA1: 7fa79747197f6c11fea67df0ca4edd3d2350888c
- SHA256: feee37a235fbf4cf5d898b2c0d136b9024adfe43e3f8e631bb48421357170d95
- SHA512: 419f91ba424650580a591c0a7b3da358b226fa9a7a2b852f33e943f8057f5820d065d1ccf258551d3ff3ca6f7d1867250bc121833c4b77433de8aa6ce3d475c5
Malware Config
Extracted
- Family: raccoon
- 231a2bef03530ea1eb31f9ad27af7d488aca1ee8
- url4cnc:
  http://85.159.212.113/sibiusio
  http://185.163.204.81/sibiusio
  http://194.180.191.33/sibiusio
  http://174.138.11.98/sibiusio
  http://194.180.191.44/sibiusio
  http://91.219.236.120/sibiusio
  https://t.me/sibiusio
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process                  target process
  PID 1264 set thread context of 268   1264  FiIe__Password_1234.exe  AppLaunch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same entry is recorded 9 times):
  description                          pid   process                  target process
  PID 1264 wrote to memory of 268      1264  FiIe__Password_1234.exe  AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FiIe__Password_1234.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FiIe__Password_1234.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Depth: 2 (child of FiIe__Password_1234.exe)
Network
MITRE ATT&CK Matrix
Downloads
- memory/268-59-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/268-61-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/268-67-0x0000000075191000-0x0000000075193000-memory.dmp (Filesize: 8KB)
- memory/268-68-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/268-69-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/1264-55-0x0000000000B60000-0x00000000015D0000-memory.dmp (Filesize: 10.4MB)