Analysis
- max time kernel: 84s
- max time network: 74s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-06-2022 08:34
Static task: static1
Behavioral task: behavioral1
- Sample: 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
- Resource: win10v2004-20220414-en
General
- Target: 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
- Size: 19KB
- MD5: 822b6ee40e6a43272bdc7f913a0ee1de
- SHA1: 51efb6fafd128bd536047f9cbf10be874c65882c
- SHA256: 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17
- SHA512: 61629ca4db5511e6bd71186a39e20a4229b1dbc2d13cefa7aebc871c1b7f3714988b77d7a3015fe64e73135ac9f48911dd1ec93f6b6618facc2ed7c6a6ce104d
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- coiome.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"

Executes dropped EXE (1 IoC)
Processes:
- coiome.exe (PID 1880)

Stops running service(s) (3 TTPs)

Loads dropped DLL (2 IoCs)
Processes:
- 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe (PID 1068), recorded twice

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- mshta.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- mshta.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvy\\coiome.exe"

Drops file in Program Files directory (5 IoCs)
Processes:
- coiome.exe: File opened for modification C:\Program Files (x86)\Common Files\sfbsbvy
- 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe: File opened for modification C:\Program Files (x86)\Common Files\sfbsbvy
- 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe: File created C:\Program Files (x86)\EHO.hta
- 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe: File created C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
- 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe: File opened for modification C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
Launches sc.exe (9 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe PIDs: 1600, 280, 576, 1804, 1432, 1784, 1800, 240, 1484
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (3 IoCs)
Processes:
- taskkill.exe PIDs: 1812, 1668, 1588
Modifies Internet Explorer settings (3 IoCs)
Processes:
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.2345.com/?kkkbaidu"
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.2345.com/?kkkbaidu"
Modifies Internet Explorer start page (1 TTP, 1 IoC)
Processes:
- mshta.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?kkkbaidu"

Modifies registry class (2 IoCs)
Processes:
- coiome.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
- coiome.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- coiome.exe (PID 1880)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1068, 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe
- Token: SeDebugPrivilege, PID 1668, taskkill.exe
- Token: SeDebugPrivilege, PID 1880, coiome.exe
- Token: SeDebugPrivilege, PID 1588, taskkill.exe
- Token: SeDebugPrivilege, PID 1812, taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each parent/target pair below is recorded four times in the report, giving 64 entries):
- PID 1068 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe wrote to memory of PID 756 mshta.exe
- PID 1068 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe wrote to memory of PID 832 cmd.exe
- PID 832 cmd.exe wrote to memory of PID 1668 taskkill.exe
- PID 1068 21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe wrote to memory of PID 1880 coiome.exe
- PID 1880 coiome.exe wrote to memory of PID 1048 cmd.exe
- PID 1880 coiome.exe wrote to memory of PID 1320 cmd.exe
- PID 1048 cmd.exe wrote to memory of PID 280 sc.exe
- PID 1320 cmd.exe wrote to memory of PID 1588 taskkill.exe
- PID 1880 coiome.exe wrote to memory of PID 1600 cmd.exe
- PID 1600 cmd.exe wrote to memory of PID 1812 taskkill.exe
- PID 1880 coiome.exe wrote to memory of PID 1792 cmd.exe
- PID 1792 cmd.exe wrote to memory of PID 1800 sc.exe
- PID 1880 coiome.exe wrote to memory of PID 940 cmd.exe
- PID 940 cmd.exe wrote to memory of PID 576 sc.exe
- PID 1880 coiome.exe wrote to memory of PID 1596 cmd.exe
- PID 1596 cmd.exe wrote to memory of PID 240 sc.exe
Processes (process tree; nesting shows parent/child relationship, each entry gives PID, image path and command line)
- PID 1068, C:\Users\Admin\AppData\Local\Temp\21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe: "C:\Users\Admin\AppData\Local\Temp\21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 756, C:\Windows\SysWOW64\mshta.exe: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\EHO.hta"
    Signatures: Adds Run key to start application; Modifies Internet Explorer settings; Modifies Internet Explorer start page
  - PID 832, C:\Windows\SysWOW64\cmd.exe: cmd /c taskkill /im coiome.exe /f
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1668, C:\Windows\SysWOW64\taskkill.exe: taskkill /im coiome.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1880, C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe: "C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"
    Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 1048, C:\Windows\SysWOW64\cmd.exe: cmd /c sc delete JavaServe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 280, C:\Windows\SysWOW64\sc.exe: sc delete JavaServe
        Signatures: Launches sc.exe
    - PID 1320, C:\Windows\SysWOW64\cmd.exe: cmd /c taskkill /im iejore.exe /f
      Signatures: Suspicious use of WriteProcessMemory
      - PID 1588, C:\Windows\SysWOW64\taskkill.exe: taskkill /im iejore.exe /f
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - PID 1600, C:\Windows\SysWOW64\cmd.exe: cmd /c taskkill /im conime.exe /f
      Signatures: Suspicious use of WriteProcessMemory
      - PID 1812, C:\Windows\SysWOW64\taskkill.exe: taskkill /im conime.exe /f
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - PID 1792, C:\Windows\SysWOW64\cmd.exe: cmd /c sc stop LYTC
      Signatures: Suspicious use of WriteProcessMemory
      - PID 1800, C:\Windows\SysWOW64\sc.exe: sc stop LYTC
        Signatures: Launches sc.exe
    - PID 940, C:\Windows\SysWOW64\cmd.exe: cmd /c sc stop Messenger
      Signatures: Suspicious use of WriteProcessMemory
      - PID 576, C:\Windows\SysWOW64\sc.exe: sc stop Messenger
        Signatures: Launches sc.exe
    - PID 1596, C:\Windows\SysWOW64\cmd.exe: cmd /c sc delete Messenger
      Signatures: Suspicious use of WriteProcessMemory
      - PID 240, C:\Windows\SysWOW64\sc.exe: sc delete Messenger
        Signatures: Launches sc.exe
    - PID 860, C:\Windows\SysWOW64\cmd.exe: cmd /c sc delete LYTC
      - PID 1804, C:\Windows\SysWOW64\sc.exe: sc delete LYTC
        Signatures: Launches sc.exe
    - PID 1052, C:\Windows\SysWOW64\cmd.exe: cmd /c sc stop IE_WinserverName
      - PID 1484, C:\Windows\SysWOW64\sc.exe: sc stop IE_WinserverName
        Signatures: Launches sc.exe
    - PID 1684, C:\Windows\SysWOW64\cmd.exe: cmd /c sc delete IE_WinserverName
      - PID 1432, C:\Windows\SysWOW64\sc.exe: sc delete IE_WinserverName
        Signatures: Launches sc.exe
    - PID 904, C:\Windows\SysWOW64\cmd.exe: cmd /c sc stop HidServ
      - PID 1784, C:\Windows\SysWOW64\sc.exe: sc stop HidServ
        Signatures: Launches sc.exe
    - PID 1728, C:\Windows\SysWOW64\cmd.exe: cmd /c sc delete HidServ
      - PID 1600, C:\Windows\SysWOW64\sc.exe: sc delete HidServ
        Signatures: Launches sc.exe
    - PID 1092, C:\Windows\SysWOW64\cmd.exe: cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
      - PID 796, C:\Windows\SysWOW64\cacls.exe: cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
    - PID 1848, C:\Windows\SysWOW64\cmd.exe: cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
      - PID 1492, C:\Windows\SysWOW64\cacls.exe: cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
  - PID 1040, C:\Windows\SysWOW64\cmd.exe: cmd /c del "C:\Users\Admin\AppData\Local\Temp\21734f9be2c9d275c73596de56a06c6d526e0be43730cd78b26c1e0b19eb4b17.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads