Analysis
-
max time kernel
102s
-
max time network
126s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
13-05-2023 13:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ProtonVPN.exe
Resource
win7-20230220-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
ProtonVPN.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
ProtonVPN.exe
-
Size
1.3MB
-
MD5
d8560a7c131d8313f0f95e49e1aa0b73
-
SHA1
29eb7b94ca1d6d6fe2c4f37de6e89602d5cdab92
-
SHA256
7e59452c10d407a0ec3a91d67ef93acdd56b8070f57904fc26656883f12d07d0
-
SHA512
f65baaaab186c8fea4755486a03faf9589c65d910cd063320c7cc136e8022c2ccab4d7aef94dd2b1c8fe2a71a8d03d4ad0a2770240ea1dd9a5bf521f9f073f3b
-
SSDEEP
6144:Kqlq7ttfNq5vdvlomq+kc5SAOHFLSq4hZ/b+W6tKM5E5pe:K0q7ttfo5vvSLmq4b+WLpe
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
5b7eff386f31487f5db4c7f0e4006546
C2
http://165.232.118.86/
xor.plain
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4348 set thread context of 1656 | 4348 | ProtonVPN.exe | RegSvcs.exe
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3912 | 4348 | WerFault.exe | ProtonVPN.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description | pid | process | target process
PID 4348 wrote to memory of 1656 | 4348 | ProtonVPN.exe | RegSvcs.exe
PID 4348 wrote to memory of 1656 | 4348 | ProtonVPN.exe | RegSvcs.exe
PID 4348 wrote to memory of 1656 | 4348 | ProtonVPN.exe | RegSvcs.exe
PID 4348 wrote to memory of 1656 | 4348 | ProtonVPN.exe | RegSvcs.exe
PID 4348 wrote to memory of 1656 | 4348 | ProtonVPN.exe | RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
-
  C:\Windows\SysWOW64\WerFault.exe (depth 2)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 148
  - Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4348 -ip 4348
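The Signatures section and the process tree above together describe the classic process-hollowing pattern: the dropper (pid 4348) writes into a freshly started .NET utility, RegSvcs.exe (pid 1656), redirects its thread with SetThreadContext, and then crashes (WerFault is invoked with -p 4348). As an added example, not part of the report or of any sandbox's own tooling, the Python below correlates rows in the report's row format into a per-pair hollowing verdict and ties the WerFault command line back to the injector pid. The input rows are constructed from the tables above; the HOLLOWING_HOSTS list is an assumption for the example.

```python
# Added example: correlate sandbox API rows into a process-hollowing verdict.
# Not part of the sandbox report; row shapes mirror the report's tables.
import re
from dataclasses import dataclass

# Constructed from the Signatures tables above (same pids and process names).
SIGNATURE_ROWS = [
    "PID 4348 set thread context of 1656 4348 ProtonVPN.exe RegSvcs.exe",
] + ["PID 4348 wrote to memory of 1656 4348 ProtonVPN.exe RegSvcs.exe"] * 5

# Constructed from the process tree above.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 148",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4348 -ip 4348",
]

# .NET framework utilities commonly used as hollowing hosts by packed
# stealers. Assumption for this example; tune for your environment.
HOLLOWING_HOSTS = {
    "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
    "aspnet_compiler.exe", "csc.exe", "vbc.exe",
}

ROW_RE = re.compile(
    r"^PID (?P<spid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<tpid>\d+) \d+ (?P<sname>\S+) (?P<tname>\S+)$"
)
# WerFault's -p argument is the pid of the process that crashed.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)


@dataclass
class Injection:
    source_pid: int
    target_pid: int
    source: str
    target: str
    writes: int = 0
    context_sets: int = 0


def parse_signature_rows(rows):
    """Group rows by (source pid, target pid) and count each API per pair."""
    pairs = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # unrelated or malformed row: skip rather than guess
        key = (int(m["spid"]), int(m["tpid"]))
        inj = pairs.setdefault(
            key, Injection(key[0], key[1], m["sname"], m["tname"]))
        if m["action"].startswith("set thread context"):
            inj.context_sets += 1
        else:
            inj.writes += 1
    return pairs


def crashed_pids(cmdlines):
    """Pids that WerFault.exe was launched for (its -p argument)."""
    found = set()
    for cmd in cmdlines:
        m = WERFAULT_RE.search(cmd)
        if m:
            found.add(int(m["pid"]))
    return found


def hollowing_verdicts(rows, cmdlines):
    """One verdict per source/target pair that both wrote memory into the
    target and redirected a thread there: the minimal hollowing signature.
    Severity rises when the target is a known host binary; the crash flag
    records that the injector died while the payload lives on in the host."""
    crashed = crashed_pids(cmdlines)
    verdicts = []
    for inj in parse_signature_rows(rows).values():
        if not (inj.writes and inj.context_sets):
            continue
        known_host = inj.target.lower() in HOLLOWING_HOSTS
        verdicts.append({
            "injector": f"{inj.source} (pid {inj.source_pid})",
            "host": f"{inj.target} (pid {inj.target_pid})",
            "writes": inj.writes,
            "context_sets": inj.context_sets,
            "known_host": known_host,
            "injector_crashed": inj.source_pid in crashed,
            "severity": "high" if known_host else "medium",
        })
    return verdicts


if __name__ == "__main__":
    for verdict in hollowing_verdicts(SIGNATURE_ROWS, PROCESS_CMDLINES):
        print(verdict)
```

Run as-is it reports one high-severity pair, ProtonVPN.exe (4348) into RegSvcs.exe (1656), with five writes, one thread-context change and the injector crash flagged. A write without a matching SetThreadContext (or the reverse) is deliberately not reported: on its own either call has benign uses, and it is the pairing on the same target pid that makes the verdict worth acting on.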