Analysis
-
max time kernel
98s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-01-2023 11:14
General
-
Target
coco.exe
-
Size
3.8MB
-
MD5
3714bf1b2ccb2d589bbf9fc56b95f34f
-
SHA1
094ca2a456841a37d53724f9cd242af7f2a87945
-
SHA256
4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b
-
SHA512
44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc
-
SSDEEP
98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\coco.exe"C:\Users\Admin\AppData\Local\Temp\coco.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeFilesize
760.8MB
MD510b68a3529292bcea49c7149e12fa526
SHA13aef476ce74bac63071a02b40770a60128730792
SHA25650c64aea0a5e56c95fa1e4f9369ccdda0ecfab89b75819a3216400c501f68a5d
SHA5125ce617de22597ddb1103e74e30f69e5057d8cb724466885f4b48fd77ad03f83d15e6514f65f4502b699b5fc4bde63a9aa6d4315d8478f74b94b485d19af755be
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeFilesize
760.8MB
MD510b68a3529292bcea49c7149e12fa526
SHA13aef476ce74bac63071a02b40770a60128730792
SHA25650c64aea0a5e56c95fa1e4f9369ccdda0ecfab89b75819a3216400c501f68a5d
SHA5125ce617de22597ddb1103e74e30f69e5057d8cb724466885f4b48fd77ad03f83d15e6514f65f4502b699b5fc4bde63a9aa6d4315d8478f74b94b485d19af755be
-
memory/1972-134-0x0000000000000000-mapping.dmp
-
memory/4292-132-0x0000000000B70000-0x0000000000F3F000-memory.dmpFilesize
3.8MB
-
memory/4292-133-0x0000000000B70000-0x0000000000F3F000-memory.dmpFilesize
3.8MB
-
memory/4292-135-0x0000000000B70000-0x0000000000F3F000-memory.dmpFilesize
3.8MB
-
memory/4892-139-0x0000000000CE0000-0x00000000010AF000-memory.dmpFilesize
3.8MB
-
memory/4892-138-0x0000000000CE0000-0x00000000010AF000-memory.dmpFilesize
3.8MB
-
memory/4892-140-0x0000000000CE0000-0x00000000010AF000-memory.dmpFilesize
3.8MB