Analysis
- max time kernel: 98s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 11:14
Static task: static1
Behavioral task: behavioral1
Sample: coco.exe
Resource: win7-20220812-en
General
- Target: coco.exe
- Size: 3.8MB
- MD5: 3714bf1b2ccb2d589bbf9fc56b95f34f
- SHA1: 094ca2a456841a37d53724f9cd242af7f2a87945
- SHA256: 4063e9392a870c336313c33c498fccff27bc86a20b925e3d9d418b20613eee4b
- SHA512: 44271307b886aadc028e5874444d4241ba9790bba8fa7cf8b93371f051261b2adab065012fa84ce8674a43df07bdba63761cb614dc0c986982718a2276f241bc
- SSDEEP: 98304:TY+I/xOyEEaO5PsR9urjsFFZ9iZ1+AhMr+rCIvdvA92RxHGf:TZI/AyEEf5zrIZ9i+9rBKxlhm
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- coco.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svcupdater.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Executes dropped EXE 1 IoCs
Processes:
- PID 4892: svcupdater.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- coco.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svcupdater.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svcupdater.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- coco.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence. The value read is the Windows GeoID chosen in Region settings (HKCU\Control Panel\International\Geo\Nation), not an IP-based location, so it reflects the locale the analysis image was built with (locale:en-us here). Only coco.exe performs this lookup; the dropped svcupdater.exe does not.
Processes:
- coco.exe: Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
Checks whether UAC is enabled 2 IoCs
Reads EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; 1 means UAC is enforced, 0 that it is disabled.
Processes:
- coco.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- svcupdater.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage labels this likely ransomware behaviour, but no IoCs are attached to it and no other signature in this report points to file encryption, so on its own it is weak evidence.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC is the schtasks.exe /create command line shown in the process tree below.
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 4292 (coco.exe) wrote to memory of PID 1972 (schtasks.exe)
- PID 4292 (coco.exe) wrote to memory of PID 1972 (schtasks.exe)
- PID 4292 (coco.exe) wrote to memory of PID 1972 (schtasks.exe)
The target is the schtasks.exe child that coco.exe itself spawned, so these writes are consistent with ordinary child-process setup rather than injection into an unrelated process; do not read this signature as code injection without corroborating memory evidence.
Processes
- C:\Users\Admin\AppData\Local\Temp\coco.exe (PID 4292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\coco.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Checks whether UAC is enabled; Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe (PID 1972)
    Command line: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe (PID 4892)
  Command line: C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled

Notes on the tree: the command line names System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe, which is WOW64 file system redirection at work, so coco.exe is a 32-bit process (consistent with the arch:x86 resource tag). The task it registers uses /sc once /st 00:00 /du 9999:59 /ri 1: a single trigger at 00:00 whose repetition window lasts 9999 hours 59 minutes with a one-minute interval, so svcupdater.exe is relaunched about every minute for over a year; /f overwrites any existing task of that name without prompting. svcupdater.exe appears at the top level of the tree rather than under coco.exe, consistent with the Task Scheduler service, not coco.exe, starting it (the "Executes dropped EXE" signature is attached to that process). Hunting for this persistence means looking for tasks whose action lives under %APPDATA% and whose repetition interval is a minute or less, not for a MINUTE-schedule task.
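To turn the schtasks line above into something a hunt rule can score, the command line has to be tokenised the Windows way (backslashes literal, quotes attached to their token) and the trigger switches translated into a cadence. The following is an added example, not code from this report; SAMPLE_CMDLINE is the exact command line from the process tree, and the switch list follows the documented schtasks /create syntax.

```python
# Added example (not code from this report): parse the schtasks /create line
# from the process tree and derive the task's effective cadence plus the
# persistence indicators a hunt rule would key on. SAMPLE_CMDLINE is the exact
# command line shown in the tree; the switch list is the documented schtasks
# syntax.
import re
import shlex

SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\schtasks.exe" /create /tn "svcupdater" '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Win32Sync\\svcupdater.exe" '
    '/st 00:00 /du 9999:59 /sc once /ri 1 /f'
)

# schtasks switches that consume the following token; anything else
# (/create, /f, /z, ...) is a bare flag.
_VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/st", "/sd", "/et", "/ed", "/du",
                   "/ri", "/mo", "/d", "/m", "/ru", "/rp", "/rl", "/xml",
                   "/s", "/u", "/p"}
# Locations an unprivileged user can write to; a task action there is the
# classic user-level persistence pattern.
_USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_schtasks(cmdline: str):
    """Return {switch: value_or_True} for a schtasks command line, else None."""
    # posix=False keeps backslashes literal and quotes attached to their
    # token, which is what a Windows command line needs.
    toks = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in _VALUE_SWITCHES and i + 1 < len(toks):
            args[sw] = toks[i + 1]
            i += 2
        else:
            args[sw] = True
            i += 1
    return args


def hhmm_to_minutes(s: str) -> int:
    hours, minutes = s.split(":")
    return int(hours) * 60 + int(minutes)


def assess(cmdline: str):
    """Cadence and persistence indicators for a schtasks /create line."""
    args = parse_schtasks(cmdline)
    if args is None or "/create" not in args:
        return None
    interval = int(args["/ri"]) if "/ri" in args else None
    duration = hhmm_to_minutes(args["/du"]) if "/du" in args else None
    action = args.get("/tr", "")
    flags = []
    if _USER_WRITABLE.search(action):
        flags.append("user_writable_path")
    if interval is not None and interval <= 5:
        flags.append("tight_repeat")
    # "once" plus a repetition interval is a perpetual loop that never shows
    # up as a MINUTE-schedule task.
    if str(args.get("/sc", "")).lower() == "once" and interval:
        flags.append("once_with_repetition")
    if "/f" in args:
        flags.append("force_overwrite")
    return {
        "task_name": args.get("/tn"),
        "action": action,
        "schedule": args.get("/sc"),
        "start": args.get("/st"),
        "interval_min": interval,
        "duration_min": duration,
        "duration_days": round(duration / 1440, 1) if duration else None,
        "approx_runs": duration // interval if interval and duration else None,
        "flags": flags,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CMDLINE))
```

For the report's line this yields a one-minute interval over 599,999 minutes (about 416.7 days, roughly 600,000 launches) and all four flags; the same function returns None for schtasks invocations that are not /create, so it can be run over every process-creation event without special-casing.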
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
  Filesize: 760.8MB
  MD5: 10b68a3529292bcea49c7149e12fa526
  SHA1: 3aef476ce74bac63071a02b40770a60128730792
  SHA256: 50c64aea0a5e56c95fa1e4f9369ccdda0ecfab89b75819a3216400c501f68a5d
  SHA512: 5ce617de22597ddb1103e74e30f69e5057d8cb724466885f4b48fd77ad03f83d15e6514f65f4502b699b5fc4bde63a9aa6d4315d8478f74b94b485d19af755be
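The dropped svcupdater.exe is 760.8MB on disk while the original coco.exe and the mapped memory regions of both processes are 3.8MB. That pattern is consistent with the dropper writing a copy of itself and appending filler to push the file past the size limits of scanners and upload portals; the report establishes only the size mismatch, not the mechanism. The following is an added check, not code from this report or from the sample's author: it sizes the overlay (bytes beyond what the PE section table accounts for), tests whether that overlay is uniform filler, and hashes the part the loader actually maps so it can be compared with the original's MD5. build_padded_pe() constructs a minimal PE so the check runs offline; against the real file you would pass its bytes.

```python
# Added example (not code from this report or from the sample's author): size
# the overlay of a PE, i.e. the bytes beyond what the section table accounts
# for, and test whether it is uniform filler. build_padded_pe() constructs a
# minimal PE so the check runs offline; against the real dropped file you
# would pass the file's bytes (use mmap or memoryview, it is 760MB).
import hashlib
import struct
from collections import Counter

_SAMPLE_WINDOW = 1 << 20  # bytes examined from each end of a large overlay


def section_table_end(data: bytes) -> int:
    """Offset just past the last byte any section's raw data covers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: no PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER
    end = sect + 40 * nsections      # the headers at the very least
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_report(data: bytes) -> dict:
    end = section_table_end(data)
    overlay = memoryview(data)[end:]
    # Only sample the ends of a huge overlay; Counter over 700MB is slow.
    if len(overlay) > 2 * _SAMPLE_WINDOW:
        sample = bytes(overlay[:_SAMPLE_WINDOW]) + bytes(overlay[-_SAMPLE_WINDOW:])
    else:
        sample = bytes(overlay)
    top = Counter(sample).most_common(1)[0][1] if sample else 0
    uniform = top / len(sample) if sample else 0.0
    return {
        "image_size": end,
        "overlay_size": len(overlay),
        "overlay_uniform_fraction": round(uniform, 3),
        # filler rather than a legitimate overlay (signature blob, installer
        # payload): bigger than the image itself and almost all one byte value
        "padded": len(overlay) > end and uniform > 0.95,
        # hash of what the loader maps; compare with the original sample's
        # MD5 to test the "copy of itself plus padding" hypothesis
        "image_md5": hashlib.md5(data[:end]).hexdigest(),
    }


def build_padded_pe(payload: bytes, pad_len: int, pad_byte: bytes = b"\0") -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF header, a
    zeroed optional header, one section holding payload, then pad_len filler."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = b"\0" * 0xE0                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(opt) + 40        # right after the section table
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + section + payload + pad_byte * pad_len


if __name__ == "__main__":
    pe = build_padded_pe(bytes(range(256)) * 16, 100_000)
    print(overlay_report(pe))
```

If image_md5 of the real svcupdater.exe equals coco.exe's 3714bf1b2ccb2d589bbf9fc56b95f34f, the dropper copied itself and appended filler; if the original itself carries an overlay the trimmed hashes will differ even then, so compare section-by-section in that case. Filler that is random rather than uniform would slip past the most-common-byte test; an entropy threshold on the overlay is the usual complement.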
- memory/1972-134-0x0000000000000000-mapping.dmp (schtasks.exe, PID 1972)
- memory/4292-132-0x0000000000B70000-0x0000000000F3F000-memory.dmp, 3.8MB
- memory/4292-133-0x0000000000B70000-0x0000000000F3F000-memory.dmp, 3.8MB
- memory/4292-135-0x0000000000B70000-0x0000000000F3F000-memory.dmp, 3.8MB
- memory/4892-139-0x0000000000CE0000-0x00000000010AF000-memory.dmp, 3.8MB
- memory/4892-138-0x0000000000CE0000-0x00000000010AF000-memory.dmp, 3.8MB
- memory/4892-140-0x0000000000CE0000-0x00000000010AF000-memory.dmp, 3.8MB

The coco.exe (PID 4292) and svcupdater.exe (PID 4892) regions are both 0x3CF000 (3,993,600) bytes, matching each other and coco.exe's 3.8MB on disk. The 760.8MB dropped file therefore maps no more than the original does, which is what an appended, unmapped overlay would produce.