Resubmissions
10-09-2020 18:45    200910-l3cbla5d7e    8    Analysis

Max time kernel:  147s
Max time network: 147s
Platform:         windows7_x64
Resource:         win7
Submitted:        10-09-2020 18:45

Static task:      static1
Behavioral task:  behavioral2
Sample:           coin.ex_.exe
Resource:         win10v200722
0 signatures, 0 seconds
General
Target:  coin.ex_.exe
Size:    1.2MB
MD5:     1c74690ed0ad28f73f1aa9c4e71ccafa
SHA1:    e7f86a34f8f10a4476768dbbe29d9ff3f9e1e41a
SHA256:  0bef63123a8f21cb87cf4213e1c728a5137019c5a950580905a8f247c0b8c717
SHA512:  b2bbd1f2e948c5774793fdbe1181c1451c5b546866957c96c6b19858ae409b03630886bc41292f57aa33ed2ff64fb3f1185cfe4cb8a245cd130ae354d7e73462
Score:   8/10
Malware Config
Signatures

Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2016-6-0x0000000000400000-0x0000000000504000-memory.dmp   upx
  behavioral1/memory/2016-6-0x0000000000400000-0x0000000000504000-memory.dmp   upx
  behavioral1/memory/2016-7-0x0000000000400000-0x0000000000504000-memory.dmp   upx
  behavioral1/memory/2016-7-0x0000000000400000-0x0000000000504000-memory.dmp   upx
  behavioral1/memory/2016-8-0x0000000000400000-0x0000000000504000-memory.dmp   upx
  behavioral1/memory/2016-8-0x0000000000400000-0x0000000000504000-memory.dmp   upx
  behavioral1/memory/2016-10-0x0000000000400000-0x0000000000504000-memory.dmp  upx
  behavioral1/memory/2016-10-0x0000000000400000-0x0000000000504000-memory.dmp  upx

Drops startup file (1 IoC)
Processes:
  description   ioc                                                                                         process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url  wscript.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process       target process
  PID 2044 set thread context of 2016  2044  coin.ex_.exe  notepad.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes:
  pid   process
  2044  coin.ex_.exe   (21 identical rows)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                   pid   process
  Token: SeDebugPrivilege       2044  coin.ex_.exe
  Token: SeLockMemoryPrivilege  2016  notepad.exe
  Token: SeLockMemoryPrivilege  2016  notepad.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                       pid   process       target process
  PID 2044 wrote to memory of 1940  2044  coin.ex_.exe  cmd.exe        (4 identical rows)
  PID 1940 wrote to memory of 1900  1940  cmd.exe       wscript.exe    (4 identical rows)
  PID 2044 wrote to memory of 2016  2044  coin.ex_.exe  notepad.exe    (10 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\coin.ex_.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\coin.ex_.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe
      command line: WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
      - Drops startup file

  C:\Windows\notepad.exe
    command line: "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  C:\ProgramData\GCxcrhlcfj\cfgi
  C:\ProgramData\GCxcrhlcfj\r.vbs
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url
  memory/1900-2-0x0000000000000000-mapping.dmp
  memory/1900-4-0x00000000028B0000-0x00000000028B4000-memory.dmp   (filesize 16KB)
  memory/1940-1-0x0000000000000000-mapping.dmp
  memory/2016-6-0x0000000000400000-0x0000000000504000-memory.dmp   (filesize 1.0MB)
  memory/2016-7-0x0000000000400000-0x0000000000504000-memory.dmp   (filesize 1.0MB)
  memory/2016-8-0x0000000000400000-0x0000000000504000-memory.dmp   (filesize 1.0MB)
  memory/2016-9-0x0000000000502B90-mapping.dmp
  memory/2016-10-0x0000000000400000-0x0000000000504000-memory.dmp  (filesize 1.0MB)
  memory/2044-0-0x00000000022E0000-0x00000000023E7000-memory.dmp   (filesize 1.0MB)