Analysis
-
max time kernel
91s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2022 19:07
Static task
static1
Behavioral task
behavioral1
Sample
FOCVIVH.exe
Resource
win7-20220812-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
FOCVIVH.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
FOCVIVH.exe
-
Size
3.5MB
-
MD5
85c27c29bcd669111e83ece79e7e0a62
-
SHA1
24cb399e0de0896709242e3e2cc2b0435d5c206e
-
SHA256
c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9
-
SHA512
9d01e2e090c553f3de1a85300f7faa36cee4a4e135ec47854529aaa1fe2fd2e0313b8202dbf875b6cc21e0a1ec46d1c1d379563ad7560470dd0a246c8bae7e99
-
SSDEEP
24576:DqkwrOTxquuoM1iHVHv/Rkelbl1RWuetgVR04suAKluiCionxi3tWEvvbwDiqBQd:4uuoBVH7XRWFIDpkdj
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
9b19cf60d9bdf65b8a2495aa965456c3
C2
http://5.2.70.65/
rc4.plain
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
FOCVIVH.exedescription pid process target process PID 4648 set thread context of 1120 4648 FOCVIVH.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2524 1120 WerFault.exe vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
FOCVIVH.exedescription pid process Token: SeDebugPrivilege 4648 FOCVIVH.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
FOCVIVH.exedescription pid process target process PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe PID 4648 wrote to memory of 1120 4648 FOCVIVH.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FOCVIVH.exe"C:\Users\Admin\AppData\Local\Temp\FOCVIVH.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 3403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1120 -ip 11201⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1120-135-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1120-136-0x0000000000408597-mapping.dmp
-
memory/1120-137-0x0000000000580000-0x0000000000594000-memory.dmpFilesize
80KB
-
memory/1120-142-0x0000000000580000-0x0000000000594000-memory.dmpFilesize
80KB
-
memory/1120-146-0x0000000000580000-0x0000000000594000-memory.dmpFilesize
80KB
-
memory/4648-132-0x0000000000D50000-0x00000000010D6000-memory.dmpFilesize
3.5MB
-
memory/4648-133-0x00007FFA02680000-0x00007FFA03141000-memory.dmpFilesize
10.8MB
-
memory/4648-134-0x00007FFA02680000-0x00007FFA03141000-memory.dmpFilesize
10.8MB
-
memory/4648-139-0x00007FFA02680000-0x00007FFA03141000-memory.dmpFilesize
10.8MB