Analysis
- max time kernel: 236s
- max time network: 245s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 14:07

Tasks
- Static task: static1
- Behavioral task: behavioral1

Sample: ProtonVPN 5.10.00.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: ProtonVPN 5.10.00.exe
- Size: 399.7MB
- MD5: 3ace2504f0eddb23f2d9f783c65727c8
- SHA1: 2c6da9a828c5c32132cfbd6991a5f414a6e17dcd
- SHA256: 5665013064b9e8061254b8d831c89997885bc03627d10326418db5b961d49e7c
- SHA512: 2e967f22dfbca2f2d311e1686d63f84f92395ffc76293e4cba1952b11e8005ee4fb597cee67478896a16dc2b20da99a09c82d7bbd8b7382857a68382f3932c47
Malware Config
Extracted
- Family: raccoon
- Botnet: 21f08585870c425fe2ebf8217377616a
- C2:
  - http://142.132.229.12/
  - http://164.92.172.4/
- rc4.plain
- rc4.plain
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: ProtonVPN 5.10.00.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: ProtonVPN 5.10.00.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: ProtonVPN 5.10.00.exe
- YARA rule matches in process memory (rule: themida)
  Processes:
  resource: behavioral2/memory/4140-130-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4140-131-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4140-132-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4140-133-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4140-134-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4140-136-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4140-139-0x0000000000660000-0x0000000000E1A000-memory.dmp | yara_rule: themida
- Checks whether UAC is enabled
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: ProtonVPN 5.10.00.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid: 4140 | process: ProtonVPN 5.10.00.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid: 4140 | process: ProtonVPN 5.10.00.exe (6 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ProtonVPN 5.10.00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProtonVPN 5.10.00.exe"
  PID: 4140
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/4140-130-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)
- memory/4140-131-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)
- memory/4140-132-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)
- memory/4140-133-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)
- memory/4140-134-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)
- memory/4140-135-0x0000000077780000-0x0000000077923000-memory.dmp (Filesize: 1.6MB)
- memory/4140-136-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)
- memory/4140-137-0x0000000077780000-0x0000000077923000-memory.dmp (Filesize: 1.6MB)
- memory/4140-138-0x0000000077780000-0x0000000077923000-memory.dmp (Filesize: 1.6MB)
- memory/4140-139-0x0000000000660000-0x0000000000E1A000-memory.dmp (Filesize: 7.7MB)