Analysis
max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2023 04:38
Static task: static1
Behavioral task: behavioral1
  Sample: b2ea787779b3a69119917db1862fdd50.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b2ea787779b3a69119917db1862fdd50.exe
  Resource: win10v2004-20220812-en
General
Target: b2ea787779b3a69119917db1862fdd50.exe
Size: 2.1MB
MD5: b2ea787779b3a69119917db1862fdd50
SHA1: 13cfa137064233181d1715cb631185aef1414520
SHA256: c7ebf50e12215ee97c015ce0f96f656d1274f07c36b672219f9d18bde8072362
SHA512: 8f06fed0dc346a4becc7904dc484390c887d3a343d0919dbad616ae42413ba23744015218c1d1bc3050117d1137d6f8e3f527dbaaf2008f15bfcd844b3da4e55
SSDEEP: 24576:VJYp7t2/0TXJCg8/IN1b4F7cBzwq3EXR3xympR3JA6yaRGTWA4qAfCpm6neAnb0c:VJYeicg8/INu6lvA/aT1
Malware Config
Extracted: raccoon
fa82e734b53e841c19108ad18b73cc3a
http://95.179.182.231/
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b2ea787779b3a69119917db1862fdd50.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b2ea787779b3a69119917db1862fdd50.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b2ea787779b3a69119917db1862fdd50.exe
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b2ea787779b3a69119917db1862fdd50.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1104 set thread context of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
  PID 1104 wrote to memory of 2000 | 1104 | b2ea787779b3a69119917db1862fdd50.exe | AppLaunch.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2ea787779b3a69119917db1862fdd50.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2ea787779b3a69119917db1862fdd50.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of process 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1104-54-0x0000000075631000-0x0000000075633000-memory.dmp (Filesize: 8KB)
memory/1104-55-0x00000000013E1000-0x00000000013E5000-memory.dmp (Filesize: 16KB)
memory/1104-65-0x00000000013E0000-0x0000000001603000-memory.dmp (Filesize: 2.1MB)
memory/2000-56-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
memory/2000-58-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
memory/2000-64-0x00000000004088ED-mapping.dmp