Malware Analysis Report

2025-04-14 08:16

Sample ID 240201-edtwbacfam
Target 85d9f56d801e415f5f6db447a179ae7c
SHA256 2301a78ac49dc9fd867992c2402ec8cac8f649955bfcc34f7fe8d9f0f4b4ff5b
Tags: raccoon evasion stealer themida trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2301a78ac49dc9fd867992c2402ec8cac8f649955bfcc34f7fe8d9f0f4b4ff5b

Threat Level: Known bad

The file 85d9f56d801e415f5f6db447a179ae7c was found to be: Known bad.

Malicious Activity Summary

raccoon evasion stealer themida trojan

Raccoon Stealer V1 payload

Raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 03:50

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 03:49

Reported

2024-02-01 03:52

Platform

win7-20231129-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target Count
N/A N/A N/A N/A 7

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Themida packer

themida
Description Indicator Process Target Count
N/A N/A N/A N/A 19

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted from report] C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp N/A 18

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2032 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe 7
PID 2032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe 7
PID 2768 wrote to memory of 2492 N/A C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe C:\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp 7
PID 2492 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp C:\Windows\SysWOW64\net.exe 4
PID 2496 wrote to memory of 2592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe

"C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe"

C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

"C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe"

C:\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp" /SL5="$4014E,8575473,64512,C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe"

C:\Windows\SysWOW64\net.exe

"net" stop "AviraPhantomVPN"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AviraPhantomVPN"

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

"C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
DE 185.53.177.54:443 telete.in tcp

Files

C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 5b54a54bdb673ce98388fcb27beac6b5
SHA1 0b4f478e72367f511a74b5ff68857ea614f648b8
SHA256 501ab825839993f55d197b2a0e39999a065766112ca7117cc87c1c2f6d96edea
SHA512 69b0242402ec065b72b08d3939756efeaa146ae5dfcf571a019337c90528cd467c8c993d66379dd6c07aadfbb9a3f77ed09f2d9fbf7baa81dd398a4f38d2f1c4

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 656d7a4c98fc6ed2b66b1547f927732a
SHA1 f02b928fcccab5922db8177aa3ffc08deb2e1b2f
SHA256 431fb2ecae60611a91416f96e518d07a4e9eba413d0d5a0ccad8f32fb91747ec
SHA512 56019177c281fd5722723f5c3ca29b5344aa87108da75cec52d32f09ce709e2e706cdab3e302f762ee35637970494479db9baa827657ceef3caebff24f029c6c

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 2fbc83a3a9870dd9afd6a8731f6852bc
SHA1 32194e1410ecf389de8e20e61388222dc5c158f3
SHA256 66f71822d0324a5ed0efa4f1286802add350e85c420ae8abc3d268bfb5e84e56
SHA512 ac5dec25cb29ac1c06a16800323b6d4955ca0d528ac14376ebe66ffd4209e84f1a5e24cfbacb1d334f827209da6dc1c8187433b01344bf5210412d1d5846b4e1

C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 fdac32c5f772128ddbd918e1d76dbb54
SHA1 6e483f95981feaa2857d511b1a7130ac17bf2c16
SHA256 098f128f82b2c2f1f35c0241ec15bd1b5afeac1753b07d60576f9c4a448c0f2e
SHA512 ff13aa45f9887f2b7663d1676c7a51029ccab3edd4d36ca4dff8ec1894e55ecece8f00d76ffadc6ffd82e11b753262ba085c75c10cc0d42bb617171f0a336a8d

memory/2032-24-0x0000000004CD0000-0x00000000051BF000-memory.dmp

memory/1032-26-0x0000000001260000-0x000000000174F000-memory.dmp

memory/1032-25-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/1032-32-0x0000000001260000-0x000000000174F000-memory.dmp

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 53d41b4b71d8f30ef9ecbaca5fec5366
SHA1 d639d2651dafb51949cb8cb7d402cd174f73fa24
SHA256 996b23093807a3f31829cf05619a1bc3fd1167275d0de1db32db8136e4d009cb
SHA512 dadd73bab17e33fa2e3036dbe0e9e04f423fee34f0c4e0456e449db8e5b45631946616ddd2d7708e30f2a2c03cc3b7c07fb766d782c552bd6de051bbc888e083

memory/1032-35-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/1032-37-0x0000000001260000-0x000000000174F000-memory.dmp

memory/1032-36-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/1032-39-0x0000000077820000-0x0000000077822000-memory.dmp

memory/1032-40-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/1032-38-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/1032-43-0x0000000000980000-0x0000000000E6F000-memory.dmp

\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 da2348c6f8c23358c373697263375c19
SHA1 42e1e4623014c00685b5170287ea6566b950776d
SHA256 9703e209686746408cde7ef019d761b1e80851ebe3ac5a330bb59c74b3f0d191
SHA512 44f66e13139782b9b677d56b8c54b4c01246a4006e2a1d7d1091897d906ae92fb5666d4001449417360820fa7cb323aa973a685b0592ea8f9fda1106dcacbe83

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 79e14cd55c8922cb7c9af8b4df8b4d49
SHA1 ca6f4f0cd1c5bf8b2bbb06d5df2e86b8549db533
SHA256 9d18e15a0d5ae00bf0346cfe81a49ca3db9c4688465140f0f925199db4b5517b
SHA512 8ccfea34292286264573d96833fc758af094eb475ec0ff09be58f0c411b822148715124216126ec0525a852d5cb41b3a01742cf71596048d2d69ed8049c8cdc3

memory/2768-59-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2768-56-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

MD5 f5ff51c6a1a179b056b9e2c8edb51aaf
SHA1 ca38824a46ef2aa42f0c324919fd6e163911e03b
SHA256 db929214c02015c69878c42aceee72a53ad150d1d15195758aae01b7fbf432b6
SHA512 1bd618732252c14ac131b89c71df1980eb0edca1290dff9ad1c79b213b5356d57f6fe39ad83d15706bb021aca225745c01e8049017fc31400985333f7a2ef110

\Users\Admin\AppData\Local\Temp\is-7DUFE.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

MD5 f14b7897405afc6bee8543255fc3810d
SHA1 61a73250c24fa20de590600fd1bc60fc34951756
SHA256 7a8814f10d96e3fd0142def898b512bb69047aeeea5b8d7454c45ae89e7f958c
SHA512 df9db33494e40e4e207c620e7d5385f68758c49aadc69333cc6a448627727cf9f4b1d32ef7c657f02f459abe8013098fa20718adece0d1d8f06159ce1274df0f

\Users\Admin\AppData\Local\Temp\is-J8UQE.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2492-65-0x0000000000280000-0x0000000000281000-memory.dmp

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 b4f8807ff5a4191c5aa3a8d2dedc92d7
SHA1 aa61529989bf348c87e061932cc6062d602da0c4
SHA256 2cd8c2ef843fcf4c1a5d9710ff6485a950e4e3b1a577f008f4f1a3615310918c
SHA512 99bcb7fc7d7825083c30dc4c24a3b910d238350f52aa64816b79b9a029e3f593c2a42a2bdc94d0a2fb391872af4742f8dbbc823822a7aab1976bec20bada1a19

\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 06a90d50eb54e38079d8b43f737dcad6
SHA1 54ad77abb2fa51c9110b3e93d508821eafde05eb
SHA256 5b758a3eaa0f38dd257e947803310ddabe61bbaf3ff82ab7ce97b57cee4114da
SHA512 0544a4de57ed00cdaff597c7bb67c161dedaf0280cae3f6197e63e5ef3d88f53df97de1f54695b40173b8427bdc25f1c2aa49d793b17c63602833a67b97245ab

\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 73013ff771f27d729545e48b0853f048
SHA1 984e9ea4d6b4c5d231bb265ef453bfd7e0a19615
SHA256 0011b74e7b274db6a6591708c776a613b04829a58ff67580a29c9ba0c463f92c
SHA512 ff3ee0dc834004f11baca3e33e2d7c6f7fe01e144af762fee12e5040213a2b6ed41efce23632e44fd2fff435b2e2353a9468f72ae2e7c47b68e377e025f8b8e3

memory/2492-76-0x0000000000880000-0x0000000000896000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-J8UQE.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

memory/2492-80-0x00000000071E0000-0x00000000074FA000-memory.dmp

memory/2492-93-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-108-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-117-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-126-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-134-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-133-0x0000000002180000-0x0000000002181000-memory.dmp

memory/2492-132-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-131-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-130-0x0000000002170000-0x0000000002171000-memory.dmp

memory/2492-129-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-128-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-127-0x0000000002160000-0x0000000002161000-memory.dmp

memory/2492-125-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-124-0x0000000002150000-0x0000000002151000-memory.dmp

memory/2492-123-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-122-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-121-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2492-120-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-119-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-118-0x0000000002130000-0x0000000002131000-memory.dmp

memory/2492-116-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-115-0x0000000002120000-0x0000000002121000-memory.dmp

memory/2492-114-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-113-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-112-0x0000000002110000-0x0000000002111000-memory.dmp

memory/2492-111-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-110-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-109-0x0000000002100000-0x0000000002101000-memory.dmp

memory/2492-107-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-106-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/2492-105-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-104-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-103-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

memory/2492-102-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-101-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-100-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/2492-99-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-98-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-97-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/2492-96-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-95-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-94-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/2492-92-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-91-0x0000000001F90000-0x0000000001F91000-memory.dmp

memory/2492-144-0x0000000001F40000-0x0000000001F41000-memory.dmp

memory/2492-90-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-89-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-88-0x0000000001F80000-0x0000000001F81000-memory.dmp

memory/2492-87-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-86-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-85-0x0000000001F70000-0x0000000001F71000-memory.dmp

memory/2492-84-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-83-0x0000000007500000-0x0000000007640000-memory.dmp

memory/2492-82-0x0000000001F60000-0x0000000001F61000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-J8UQE.tmp\VclStylesInno.dll

MD5 3c625f6bf1e338cf527863753a0d1d44
SHA1 bb972753b3b80d16e48b6966b22301ad5ec8b721
SHA256 3e2313a7d825698d7622a6d350da5a79436eca52f91b6057579de68fb582bbdf
SHA512 c8f6455b89efe490d59ee8a3c28888e2e5e0dd180a5ee870cfb18e189ace8db491c3932df0bf2bccc3d678f8180de78b6331032f181f730015f4220d84da62d3

\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 5df9077a4e766a6ddf6b80f7e18c480c
SHA1 63bdb598ae87ccc2ff7b06e62b768e4fac77c1a8
SHA256 5a06c252f7553e078cfd7637fd7cea0d094b83970aba9c8c5f6178ec6257d178
SHA512 fc11aee1426b888582d270a7fc972266b0c46253be1a037e1377b0c2d9b294a5a67ba6ce01ea8d44d4917676105152805ee0ebeb54a771d6bfa43016657ba7f0

memory/1032-42-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/1032-41-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/2032-34-0x0000000004CD0000-0x00000000051BF000-memory.dmp

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 b4434d187ba2a017ca0f6c5140fec8c3
SHA1 70add1fa881864db7467cd529dd17277f85fdd19
SHA256 0d8e68e6dafee4c999d5109040a20d72a272e866b492f15f49666afba6706753
SHA512 3c574851295cae0bde0f2a4faa3511ca28e8ca4906a2257a41fd96f404838704b6ddc0f8eba56bb4aacb0ae5906349488c8a214bcdb07e8343f7424ceb429b73

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 3d331a5963505dec975fb29afa2add91
SHA1 65107abd3e67fe4109a86a4822056a8db11d5374
SHA256 6d69fc8caa71377b64ab0b31a1d3d99879a705653ea668628c35903b2a0cc1a8
SHA512 f5224f1fdae88910c0bc2b7361a14d5a347458b27e934946fc9b8a961a62b534e96ef0c0e468082849127739c9324907d8362dc03f9911eb9a63f575560ad628

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 d4e0def2581624ad20fcf08dfadfc123
SHA1 a997a136e5a10de3416173304841a695110262de
SHA256 a40054516c028815f4144f558b0052b01eaf52008d331d4887bb569618d11f5a
SHA512 d96bdddde51855e506dcad1b81ccf450704c39f30ce9c1c8e8c100dae713ea82752c8ff5aa82a82f80e2ef07f278dde268171f46e20821ee7d1da9b8a9ed5413

C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 827fa302062de7762a7fd758e4f0582d
SHA1 9a42985e0fcf696beb9cd7dbd360c95fa3b8b0c4
SHA256 e74e68f1466d4f18b5f6867dca466ceb7b7269bbb7068fe7018c0400e91c0230
SHA512 dea21dd5367e468dc3d1a090f56e75e65b52538b554fb8aca1f1136e0ab543a02cbd02f73503f613074bfddab50800f55ef9d045811aac74560e8886039b0ff0

memory/2032-19-0x0000000004CD0000-0x00000000051BF000-memory.dmp

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 789915bbe60392f0fb8c153e14221c8d
SHA1 572ebb5d9c3caee779bd1b82ac142fcbe9760e9d
SHA256 81328059c0d7c5e909de7b3cfaf1ba2ad5e923b00a5939c4053b98fb792ec1d7
SHA512 535d3339eb5047652312520cebb819a07898272c21d134255afe2a0b292f72715200e2f90bef7c8212ce72c313667f26d4adbfabf240956f132beab270a63f22

\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

MD5 d6503547065389d4f9ac762201e6eaf2
SHA1 a558bb42ec6d82346ca3437703caffacc5339a09
SHA256 f0d7756c601e78744e4846ea54116f01629278a5a7be933e670ddc715ca1f5fc
SHA512 e05bed4dcf58b1df94da4f678f80dbe85844cf7216b8b8e98a6aad8bd323247880f33669ef16dcee341b382b5a65f27efc09227fbc82bcde1dd79baee894186f

memory/1032-153-0x0000000001260000-0x000000000174F000-memory.dmp

memory/1032-152-0x0000000000980000-0x0000000000E6F000-memory.dmp

memory/2768-155-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2492-160-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2492-161-0x0000000001F40000-0x0000000001F41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 03:49

Reported

2024-02-01 03:52

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target Count
N/A N/A N/A N/A 8

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe N/A

Themida packer

themida
Description Indicator Process Target Count
N/A N/A N/A N/A 11

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp N/A 36

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3736 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe 3
PID 3736 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe 3
PID 1120 wrote to memory of 1868 N/A C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp 3
PID 1868 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp C:\Windows\SysWOW64\net.exe 3
PID 2916 wrote to memory of 1084 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe

"C:\Users\Admin\AppData\Local\Temp\85d9f56d801e415f5f6db447a179ae7c.exe"

C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe

"C:\ProgramData\Avira Phantom VPN 2.37.3.21018.Svc_xR0E5.exe"

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

"C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe"

C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp" /SL5="$11004E,8575473,64512,C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe"

C:\Windows\SysWOW64\net.exe

"net" stop "AviraPhantomVPN"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "AviraPhantomVPN"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 telete.in udp
DE 185.53.177.54:443 telete.in tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 54.177.53.185.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut4B70.tmp

MD5 10a3bc719f4991dd390597b84c7c1883
SHA1 c22028d1092dab7ed0984b77c83482e38c48ccbb
SHA256 674ac1d007d0e5bb5973ca266cfc9bc5d873994372fff791f01da36879842818
SHA512 551e99404b5c11926cc1cf29def69778b43b829a297a027e2b335144e896e5a78e985a62546554a2b618bc13d267195713bb0651f00baca8454e181d6f657ad9

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 f38a3c5571cb4959685057a59ecbb196
SHA1 b3d206f07102ffcb2df110dcd6aa115cc504009a
SHA256 58776f39a5ce939f23d7b0c4de7eb88380dd6c71204cf67c0254ae7805349c06
SHA512 790270e607a30f65ddb18c77901b1921de0da10859a413fd24dc80e91dd678f33214d2da6081385a3ae57472eeaf25976fe26748af7ae57237b7282de9e83814

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 1bf07b78d43b0ead52e2b2353a0e350e
SHA1 2317e146b9de2a10187bc0168306bd99eedf452f
SHA256 3d4744a7b6ad9133769e09eb3ea23788452e9690ac88167ddaa87bf4487d0d3e
SHA512 7fed8472f6fef87d2be5f374c145c437c44077ed033c9d8bc45f85895670d86aa1d0d57a038a741bf9043c8f2fd8daf79e970ff7592863c6bc929e5e435f4b90

C:\ProgramData\Avira Phantom VPN 2.37.3.21018_MkaOe.exe

MD5 d27474b15e347a299215fb1f2d64c9ad
SHA1 f90cfa6e98427bb6fcde3c80b34fccb691a711a0
SHA256 9821594292bb165c2a26b5ed66abe35a96cc41253dcac3eb6026eba8a7ab8bd0
SHA512 c1e24062c2b7f5aa88674432248e0519c3f861aea68cb62102b6613b6a32159a8d335d18901864ffd25e9017c5027aca06647178f1b03f2cbf1be79a88005cf6

C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

MD5 213ce408d1230a5618f456749863d051
SHA1 99058bed73639d6b0d8499cec23f714b6dd8184e
SHA256 e49c5e435783767063e879222181ba559010fd6921aedde24f35a3642b5b6f8f
SHA512 c0ca0299c2853f3fb8b6c8e3b03fd60bfe50bce09e5453fe659d54f10839e0f5274b74506752803df3677f3464f846a067650441e2514feb412f7cc0e027754b

C:\Users\Admin\AppData\Local\Temp\is-RBUKG.tmp\Avira Phantom VPN 2.37.3.21018_MkaOe.tmp

MD5 69a5fdb213b1894feb501fd456b4e6c1
SHA1 25cd17a35611fb18aa24a6961890150fa33b97a3
SHA256 632ab2def68eae6a09e8c9d2058f9da6be7a1aa136e7f48bc5450b9a16d80882
SHA512 42c83ea1d0e34abec88674062fc7f4b8523e1fa3c31437daf66b752c42e807ee39e7580a6c5cf04c9fb8420b5da969321c228301d6b8eeb904661baf30475263

C:\Users\Admin\AppData\Local\Temp\is-82QVM.tmp\VclStylesInno.dll

MD5 8087a5b88714afcd25ccbcf68cbccf6e
SHA1 da3bce14741b55b10d3f67753e7e0ce1e7d05c38
SHA256 7d75b75b6a6cc3ce02ecee9b27780fd586a985c367f1a100fd2ebad63e5d36c6
SHA512 5d1c234c21a35e50af05288b3a4e7f057c27da616ffcfedae71c1d5062ca6ef232dabb221f028941f3ccd8a0cfbb3ac87daa69d0ee4ccfceac7c2bf16dfe7a2c

C:\Users\Admin\AppData\Local\Temp\is-82QVM.tmp\VclStylesInno.dll

MD5 74f332ede4a4b3524fd56a6e70d6c857
SHA1 af51e10d455e0f1d7ecb036d996bfc35ad06d65b
SHA256 6053e41c0ec49e97c09fa322af6c200df3b93e7c01fcd5435f286b5fdd3ae651
SHA512 a2a93c23e1d437f19017ce69d7a6a6f4e3713ecf7cd92f06b7ba3a439eb1a77e4ba2c8cc2928decce223664b2954fb94f1e64877228975423ebd706a9391aab9

C:\Users\Admin\AppData\Local\Temp\is-82QVM.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
