Analysis
- max time kernel: 124s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2023 11:14

Static task: static1
Behavioral task: behavioral1
- Sample: coco.exe
- Resource: win7-20220812-en
General
- Target: coco.exe
- Size: 3.8MB
- MD5: 3714bf1b2ccb2d589bbf9fc56b95f34f
- SHA1: 094ca2a456841a37d53724f9cd242af7f2a87945
- SHA256: 4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b
- SHA512: 44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc
- SSDEEP: 98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  Processes: svcupdater.exe, coco.exe
  description    ioc                                           process
  Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svcupdater.exe
  Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   coco.exe
- Executes dropped EXE | 1 IoCs
  Processes: svcupdater.exe
  pid    process
  1168   svcupdater.exe
- Checks BIOS information in registry | 2 TTPs | 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: coco.exe, svcupdater.exe
  description          ioc                                                              process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   coco.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svcupdater.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   svcupdater.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  coco.exe
- Checks whether UAC is enabled | 2 IoCs
  Processes: coco.exe, svcupdater.exe
  description          ioc                                                                              process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   coco.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   svcupdater.exe
- Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) | 1 TTPs | 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory | 11 IoCs
  Processes: coco.exe, taskeng.exe
  description                        pid    process       target process
  PID 580 wrote to memory of 804     580    coco.exe      schtasks.exe
  PID 580 wrote to memory of 804     580    coco.exe      schtasks.exe
  PID 580 wrote to memory of 804     580    coco.exe      schtasks.exe
  PID 580 wrote to memory of 804     580    coco.exe      schtasks.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
  PID 1500 wrote to memory of 1168   1500   taskeng.exe   svcupdater.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\coco.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\coco.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child of coco.exe)
    Command line: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {09DDB1F4-0980-403A-834A-67C76804AC3A} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
  Filesize: 757.8MB
  MD5: 8eba5d710e657b56a1eae1a65629dc0d
  SHA1: fd6c724c4fabe2036e6866ba3c577e2582e788e8
  SHA256: 2254dd8eb9e41e7b07289bf4d5ac6135a1a182b2419f723ea47b4f3e2b1b13ae
  SHA512: a791721a7c4ca375f6d902187cbb6a63e3bf0d2c3031da24fdbd59dd28be5357ccb32297142115d3dc1ad16de4a4853564ad3adad12eb322d9f68dea86dd325b
- memory/580-54-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB
- memory/580-55-0x0000000000F40000-0x000000000130F000-memory.dmp
  Filesize: 3.8MB
- memory/580-56-0x0000000000F40000-0x000000000130F000-memory.dmp
  Filesize: 3.8MB
- memory/580-58-0x0000000000F40000-0x000000000130F000-memory.dmp
  Filesize: 3.8MB
- memory/804-57-0x0000000000000000-mapping.dmp
- memory/1168-60-0x0000000000000000-mapping.dmp
- memory/1168-63-0x0000000000D70000-0x000000000113F000-memory.dmp
  Filesize: 3.8MB
- memory/1168-64-0x0000000000D70000-0x000000000113F000-memory.dmp
  Filesize: 3.8MB
- memory/1168-65-0x0000000000D70000-0x000000000113F000-memory.dmp
  Filesize: 3.8MB