0bef63123a8f21cb87cf4213e1c728a5137019c5a950580905a8f247c0b8c717

Resubmissions

10-09-2020 18:45

Target

coin.ex_.exe
Size

1.2MB
MD5

1c74690ed0ad28f73f1aa9c4e71ccafa
SHA1

e7f86a34f8f10a4476768dbbe29d9ff3f9e1e41a
SHA256

0bef63123a8f21cb87cf4213e1c728a5137019c5a950580905a8f247c0b8c717
SHA512

b2bbd1f2e948c5774793fdbe1181c1451c5b546866957c96c6b19858ae409b03630886bc41292f57aa33ed2ff64fb3f1185cfe4cb8a245cd130ae354d7e73462

Score

8^/10

upx

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/552-5-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-5-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-6-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-6-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-7-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-7-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-9-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/552-9-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 552	3488	coin.ex_.exe	78
PID 3488 set thread context of 1612	3488	coin.ex_.exe	81

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 7693fad7b387d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeCreatePagefilePrivilege	848	svchost.exe
Token: SeDebugPrivilege	3488	coin.ex_.exe
Token: SeLockMemoryPrivilege	552	notepad.exe
Token: SeLockMemoryPrivilege	552	notepad.exe
Token: SeDebugPrivilege	3488	coin.ex_.exe
Token: SeLockMemoryPrivilege	1612	notepad.exe
Token: SeLockMemoryPrivilege	1612	notepad.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3392	3488	coin.ex_.exe	75
PID 3488 wrote to memory of 3392	3488	coin.ex_.exe	75
PID 3488 wrote to memory of 3392	3488	coin.ex_.exe	75
PID 3392 wrote to memory of 1752	3392	cmd.exe	77
PID 3392 wrote to memory of 1752	3392	cmd.exe	77
PID 3392 wrote to memory of 1752	3392	cmd.exe	77
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 552	3488	coin.ex_.exe	78
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81
PID 3488 wrote to memory of 1612	3488	coin.ex_.exe	81

C:\Users\Admin\AppData\Local\Temp\coin.ex_.exe
"C:\Users\Admin\AppData\Local\Temp\coin.ex_.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    3⤵
    - Drops startup file
    PID:1752
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfg"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

memory/552-5-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/552-6-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/552-7-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/552-9-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download