Analysis

- max time kernel: 53s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13-05-2023 13:41

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: ProtonVPN.exe
- Resource: win7-20230220-en (windows7-x64)
- 4 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: ProtonVPN.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 4 signatures, 150 seconds
General

- Target: ProtonVPN.exe
- Size: 1.3MB
- MD5: d8560a7c131d8313f0f95e49e1aa0b73
- SHA1: 29eb7b94ca1d6d6fe2c4f37de6e89602d5cdab92
- SHA256: 7e59452c10d407a0ec3a91d67ef93acdd56b8070f57904fc26656883f12d07d0
- SHA512: f65baaaab186c8fea4755486a03faf9589c65d910cd063320c7cc136e8022c2ccab4d7aef94dd2b1c8fe2a71a8d03d4ad0a2770240ea1dd9a5bf521f9f073f3b
- SSDEEP: 6144:Kqlq7ttfNq5vdvlomq+kc5SAOHFLSq4hZ/b+W6tKM5E5pe:K0q7ttfo5vvSLmq4b+WLpe
- Score: 10/10

The file name imitates the Proton VPN client; it is not the vendor's installer. Match on the hashes above, not on the name, when hunting for this sample.
Malware Config

Extracted
- Family: raccoon
- Botnet: 5b7eff386f31487f5db4c7f0e4006546
- C2: http://165.232.118.86/
- xor.plain
Signatures

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process        target process
    PID 1764 set thread context of 1092  1764  ProtonVPN.exe  RegSvcs.exe

- Program crash (1 IoC)
  Processes:
    pid  pid_target  process       target process
    592  1764        WerFault.exe  ProtonVPN.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                       pid   process        target process   rows
    PID 1764 wrote to memory of 1092  1764  ProtonVPN.exe  RegSvcs.exe      9 (identical)
    PID 1764 wrote to memory of 592   1764  ProtonVPN.exe  WerFault.exe     4 (identical)

Read together, the rows describe process hollowing: ProtonVPN.exe (PID 1764) spawns the signed .NET utility RegSvcs.exe (PID 1092), writes into its address space nine times and then replaces a thread context with SetThreadContext so the thread starts in the written payload. The four writes into WerFault.exe (PID 592) are of a different kind: WerFault is the crash reporter that 1764 launched for its own crash, and a parent writing into a child it has just created is what CreateProcess looks like in this kind of trace, so they should not be counted as injection on their own.
Processes

- C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe  (PID 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 1092)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\SysWOW64\WerFault.exe  (PID 592)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 36
    - Program crash

PIDs are taken from the signature rows above. Both children come from 32-bit paths (Framework rather than Framework64, SysWOW64 rather than System32), consistent with a 32-bit loader on the x64 image. RegSvcs.exe is launched with no arguments, which the real tool never does usefully; an unexplained, argument-less RegSvcs.exe child under a user-profile executable is a strong hunting signal on its own.
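The hollowing chain above can be recovered mechanically from the sandbox's signature rows. The following script is an added example, not part of the report or of any sandbox's own tooling: it parses rows in the "PID <src> <verb> <tgt> <src> <src image> <tgt image>" layout shown above, pairs WriteProcessMemory events with a SetThreadContext event on the same (source, target) pair, and reports the pair as a hollowing candidate. The list of commonly abused .NET host binaries used to rank severity is an assumption of this example. The input rows are constructed from the report's own table, including the four WerFault.exe writes, which the check must leave unflagged because no thread context was set there.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the 14 signature rows from the report, one per line, in the
# sandbox's column order. Rows carry no timestamps, so the SetThreadContext row
# is simply placed after the RegSvcs.exe writes; the check below is order-independent.
# The four WerFault.exe rows are the parent's ordinary writes into a child it has
# just created and must NOT be reported.
SIGNATURE_ROWS = "\n".join(
    ["PID 1764 wrote to memory of 1092 1764 ProtonVPN.exe RegSvcs.exe"] * 9
    + ["PID 1764 set thread context of 1092 1764 ProtonVPN.exe RegSvcs.exe"]
    + ["PID 1764 wrote to memory of 592 1764 ProtonVPN.exe WerFault.exe"] * 4
)

# Signed Microsoft binaries present on every .NET install and therefore popular
# as hollowing hosts. Illustrative list (assumption of this example), not from the report.
COMMON_HOLLOWING_HOSTS = {
    "RegSvcs.exe", "RegAsm.exe", "MSBuild.exe", "InstallUtil.exe",
    "AppLaunch.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe",
}

# Second PID column repeats the source PID, hence the (?P=src) back-reference.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<tgt>\d+) (?P=src) (?P<src_image>\S+) (?P<tgt_image>\S+)$"
)

VERB_TO_API = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}


@dataclass(frozen=True)
class Event:
    api: str
    src_pid: int
    src_image: str
    tgt_pid: int
    tgt_image: str


def parse_rows(text: str) -> list[Event]:
    """Turn signature rows into Event records; reject anything off-format loudly."""
    events: list[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised signature row: {line!r}")
        events.append(Event(VERB_TO_API[m["verb"]], int(m["src"]), m["src_image"],
                            int(m["tgt"]), m["tgt_image"]))
    return events


def find_hollowing(events: list[Event]) -> list[dict]:
    """Report (source, target) pairs that saw both cross-process writes and a
    SetThreadContext. Writes alone (e.g. into a freshly spawned crash reporter)
    are not enough; the thread-context replacement is what distinguishes hollowing."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    ctx_pairs: set[tuple[int, int]] = set()
    images: dict[tuple[int, int], tuple[str, str]] = {}
    for e in events:
        key = (e.src_pid, e.tgt_pid)
        images[key] = (e.src_image, e.tgt_image)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            ctx_pairs.add(key)

    findings = []
    for key in sorted(ctx_pairs):
        if writes[key] == 0:
            continue  # context change without a prior write: not the pattern we want here
        src_image, tgt_image = images[key]
        findings.append({
            "source_pid": key[0], "source_image": src_image,
            "target_pid": key[1], "target_image": tgt_image,
            "writes": writes[key],
            "severity": "high" if tgt_image in COMMON_HOLLOWING_HOSTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_rows(SIGNATURE_ROWS)):
        print(f"[{f['severity']}] {f['source_image']} ({f['source_pid']}) hollowed "
              f"{f['target_image']} ({f['target_pid']}) after {f['writes']} write(s)")
```

On the rows from this report the script yields exactly one finding, ProtonVPN.exe (1764) into RegSvcs.exe (1092) after 9 writes, and stays silent on the WerFault.exe pair. If the sandbox export you work with carries timestamps, tighten the check to require the SetThreadContext after the last write and before a ResumeThread, which is the full hollowing sequence.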
Downloads

Memory dumps of PID 1092 (RegSvcs.exe, the hollowed process). Three dumps cover the region 0x00400000-0x00425000, the default image base of a 32-bit executable, where the written payload lives; the region is 0x25000 bytes, i.e. 148KB. The fourth is a single 4KB page at 0x7EFDE000, the address at which a 32-bit Windows 7 process normally keeps its PEB.

- memory/1092-54-0x0000000000400000-0x0000000000425000-memory.dmp  148KB
- memory/1092-55-0x0000000000400000-0x0000000000425000-memory.dmp  148KB
- memory/1092-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
- memory/1092-62-0x0000000000400000-0x0000000000425000-memory.dmp  148KB

The 0x00400000 dumps are the ones to carve for the unpacked Raccoon payload and its configuration; the loader on disk (ProtonVPN.exe) only carries it encoded.