Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/02/2024, 03:49
  Static task: static1
  Behavioral task: behavioral1
  Sample: 85d9f56d801e415f5f6db447a179ae7c.exe
  Resource: win7-20231129-en
General
  Target: 85d9f56d801e415f5f6db447a179ae7c.exe
  Size: 11.0MB
  MD5: 85d9f56d801e415f5f6db447a179ae7c
  SHA1: 72cc47e4f0f95e81f4256e026b9fcec5c81c3aea
  SHA256: 2301a78ac49dc9fd867992c2402ec8cac8f649955bfcc34f7fe8d9f0f4b4ff5b
  SHA512: c134d344b0ab273bbfb19431ee829772df64368aca507429a45450d13d6bf52605ab8fef665819075e9b82fd9f5418c7a0ee2dcc9eef88937d613199dfbb9793
  SSDEEP: 196608:X5Z15/as0Rv8tY0hZm59VjeUZot30BJNCL98OzuZFm0IVu17+2CKj2T5zUa:pla3RvOY0zm9Vjdo3wJsr6me7+nbzr
Malware Config
Signatures
Raccoon Stealer V1 payload (8 IoCs)
  resource | yara_rule
  behavioral2/memory/1088-21-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-20-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-28-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-31-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-37-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-38-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-40-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
  behavioral2/memory/1088-140-0x00000000001F0000-0x00000000006DF000-memory.dmp | family_raccoon_v1
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 85d9f56d801e415f5f6db447a179ae7c.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  1088 | Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe
  1120 | Avira Phantom VPN 2.37.3.21018_MkaOe.exe
  1868 | Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

Loads dropped DLL (4 IoCs)
  pid | Process
  1868 | Avira Phantom VPN 2.37.3.21018_MkaOe.tmp (4 events)

Themida packer (11 IoCs)
  resource | yara_rule
  behavioral2/files/0x00090000000231fb-4.dat | themida
  behavioral2/memory/1088-17-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-19-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-21-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-20-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-28-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-31-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-37-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-38-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-40-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida
  behavioral2/memory/1088-140-0x00000000001F0000-0x00000000006DF000-memory.dmp | themida

Checks whether UAC is enabled (1 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  1088 | Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe
Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid | Process
  1868 | Avira Phantom VPN 2.37.3.21018_MkaOe.tmp (36 events)

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  3736 | 85d9f56d801e415f5f6db447a179ae7c.exe (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid | Process
  3736 | 85d9f56d801e415f5f6db447a179ae7c.exe (4 events)

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  1120 | Avira Phantom VPN 2.37.3.21018_MkaOe.exe
  1868 | Avira Phantom VPN 2.37.3.21018_MkaOe.tmp (4 events)
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3736 wrote to memory of 1088 | 3736 | 85d9f56d801e415f5f6db447a179ae7c.exe | 86 (3 events)
  PID 3736 wrote to memory of 1120 | 3736 | 85d9f56d801e415f5f6db447a179ae7c.exe | 88 (3 events)
  PID 1120 wrote to memory of 1868 | 1120 | Avira Phantom VPN 2.37.3.21018_MkaOe.exe | 89 (3 events)
  PID 1868 wrote to memory of 2916 | 1868 | Avira Phantom VPN 2.37.3.21018_MkaOe.tmp | 90 (3 events)
  PID 2916 wrote to memory of 1084 | 2916 | net.exe | 92 (3 events)
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe"
    PID: 3736
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe
      command line: "C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe"
      PID: 1088
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger

    [depth 2] C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe
      command line: "C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe"
      PID: 1120
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [depth 3] C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp
        command line: "C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp" /SL5="$11004E,8575473,64512,C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe"
        PID: 1868
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 4] C:\Windows\SysWOW64\net.exe
          command line: "net" stop "AviraPhantomVPN"
          PID: 2916
          - Suspicious use of WriteProcessMemory

          [depth 5] C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "AviraPhantomVPN"
            PID: 1084
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 704KB
  MD5: f38a3c5571cb4959685057a59ecbb196
  SHA1: b3d206f07102ffcb2df110dcd6aa115cc504009a
  SHA256: 58776f39a5ce939f23d7b0c4de7eb88380dd6c71204cf67c0254ae7805349c06
  SHA512: 790270e607a30f65ddb18c77901b1921de0da10859a413fd24dc80e91dd678f33214d2da6081385a3ae57472eeaf25976fe26748af7ae57237b7282de9e83814

  Filesize: 638KB
  MD5: 1bf07b78d43b0ead52e2b2353a0e350e
  SHA1: 2317e146b9de2a10187bc0168306bd99eedf452f
  SHA256: 3d4744a7b6ad9133769e09eb3ea23788452e9690ac88167ddaa87bf4487d0d3e
  SHA512: 7fed8472f6fef87d2be5f374c145c437c44077ed033c9d8bc45f85895670d86aa1d0d57a038a741bf9043c8f2fd8daf79e970ff7592863c6bc929e5e435f4b90

  Filesize: 530KB
  MD5: d27474b15e347a299215fb1f2d64c9ad
  SHA1: f90cfa6e98427bb6fcde3c80b34fccb691a711a0
  SHA256: 9821594292bb165c2a26b5ed66abe35a96cc41253dcac3eb6026eba8a7ab8bd0
  SHA512: c1e24062c2b7f5aa88674432248e0519c3f861aea68cb62102b6613b6a32159a8d335d18901864ffd25e9017c5027aca06647178f1b03f2cbf1be79a88005cf6

  Filesize: 1.7MB
  MD5: 10a3bc719f4991dd390597b84c7c1883
  SHA1: c22028d1092dab7ed0984b77c83482e38c48ccbb
  SHA256: 674ac1d007d0e5bb5973ca266cfc9bc5d873994372fff791f01da36879842818
  SHA512: 551e99404b5c11926cc1cf29def69778b43b829a297a027e2b335144e896e5a78e985a62546554a2b618bc13d267195713bb0651f00baca8454e181d6f657ad9

  Filesize: 66KB
  MD5: 86a1311d51c00b278cb7f27796ea442e
  SHA1: ac08ac9d08f8f5380e2a9a65f4117862aa861a19
  SHA256: e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
  SHA512: 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

  Filesize: 339KB
  MD5: 74f332ede4a4b3524fd56a6e70d6c857
  SHA1: af51e10d455e0f1d7ecb036d996bfc35ad06d65b
  SHA256: 6053e41c0ec49e97c09fa322af6c200df3b93e7c01fcd5435f286b5fdd3ae651
  SHA512: a2a93c23e1d437f19017ce69d7a6a6f4e3713ecf7cd92f06b7ba3a439eb1a77e4ba2c8cc2928decce223664b2954fb94f1e64877228975423ebd706a9391aab9

  Filesize: 225KB
  MD5: 8087a5b88714afcd25ccbcf68cbccf6e
  SHA1: da3bce14741b55b10d3f67753e7e0ce1e7d05c38
  SHA256: 7d75b75b6a6cc3ce02ecee9b27780fd586a985c367f1a100fd2ebad63e5d36c6
  SHA512: 5d1c234c21a35e50af05288b3a4e7f057c27da616ffcfedae71c1d5062ca6ef232dabb221f028941f3ccd8a0cfbb3ac87daa69d0ee4ccfceac7c2bf16dfe7a2c

  Filesize: 507KB
  MD5: 69a5fdb213b1894feb501fd456b4e6c1
  SHA1: 25cd17a35611fb18aa24a6961890150fa33b97a3
  SHA256: 632ab2def68eae6a09e8c9d2058f9da6be7a1aa136e7f48bc5450b9a16d80882
  SHA512: 42c83ea1d0e34abec88674062fc7f4b8523e1fa3c31437daf66b752c42e807ee39e7580a6c5cf04c9fb8420b5da969321c228301d6b8eeb904661baf30475263

  Filesize: 440KB
  MD5: 213ce408d1230a5618f456749863d051
  SHA1: 99058bed73639d6b0d8499cec23f714b6dd8184e
  SHA256: e49c5e435783767063e879222181ba559010fd6921aedde24f35a3642b5b6f8f
  SHA512: c0ca0299c2853f3fb8b6c8e3b03fd60bfe50bce09e5453fe659d54f10839e0f5274b74506752803df3677f3464f846a067650441e2514feb412f7cc0e027754b