Analysis
- max time kernel: 79s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 2022-12-02 22:53 (shown on the page as 02/12/2022; the day-first reading is the only one consistent with the August 2022 VM image the run used)
- Static task static1
- Behavioral task behavioral1: sample e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe on resource win7-20220812-en
- Behavioral task behavioral2: sample e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe on resource win10v2004-20220812-en
General
- Target: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
- Size: 6.0MB
- MD5: fd4db948be621f87de27f230c3169101
- SHA1: b1bb461b69897da482978e696040c074b3691680
- SHA256: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5
- SHA512: dac0fa6e594b980217f4bfd138b652fed4cc6da07135ae5847f77948ad4446633ae7fb279464e6d281c2395ea4e76d8ec26d7c204e599e181c4a2de6bc699375
- SSDEEP: 384:swGx6sLtvVTdvI269d/61zJ4AZ9uFVPSaNJawcudoD7UwQu:S6gtldvIbj61zJzIznbcuyD7Uwz
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
- PID 1380: coiome.exe
Stops running service(s) 3 TTPs
Deletes itself 1 IoCs
- PID 1000: cmd.exe
Loads dropped DLL 2 IoCs
- PID 2032: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe (two loads recorded)
Adds Run key to start application 2 TTPs 2 IoCs
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: mshta.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe" (process: mshta.exe)
Note that the Run value as recorded points at C:\Program Files\Common Files\sfbsbvx\coiome.exe, while the file itself was written to C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe (see "Drops file in Program Files directory"). On this x64 image those are two distinct directories, so the persistence entry as written does not name the location the binary was dropped to; on a 32-bit host both paths resolve to the same directory.
Drops file in Program Files directory 5 IoCs
- File opened for modification: C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe (process: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\sfbsbvx (process: coiome.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\sfbsbvx (process: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe)
- File created: C:\Program Files (x86)\RMJ.hta (process: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe)
- File created: C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe (process: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe)
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system; here it is used to delete the service JavaServe (see the process tree below).
- PID 1276: sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). tria.ge flags this as a possible ransomware behaviour, but no other signature in this report points to file encryption, so on its own it is a weak indicator for this sample.
Kills process with taskkill 1 IoCs
- PID 1836: taskkill.exe
Modifies Internet Explorer settings 3 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main (process: mshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com" (process: mshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com" (process: mshta.exe)
Modifies Internet Explorer start page 1 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com" (process: mshta.exe)
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token SeDebugPrivilege: PID 2032, e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
- Token SeDebugPrivilege: PID 1836, taskkill.exe
- Token SeDebugPrivilege: PID 1380, coiome.exe
Suspicious use of WriteProcessMemory 56 IoCs
Each parent/child pair below was recorded four times; the 14 distinct pairs account for the 56 IoCs.
pid | wrote to memory of | Process | procid_target | count
2032 | 1608 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 28 | 4
2032 | 760 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 30 | 4
760 | 1836 | cmd.exe | 32 | 4
2032 | 1380 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 34 | 4
2032 | 1000 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 35 | 4
1380 | 976 | coiome.exe | 38 | 4
1380 | 1324 | coiome.exe | 40 | 4
976 | 1276 | cmd.exe | 42 | 4
1324 | 1936 | cmd.exe | 43 | 4
1380 | 1816 | coiome.exe | 44 | 4
1816 | 1428 | cmd.exe | 46 | 4
1380 | 1972 | coiome.exe | 47 | 4
1380 | 1624 | coiome.exe | 49 | 4
1380 | 1660 | coiome.exe | 51 | 4
Views/modifies file attributes 1 TTPs 2 IoCs
- PID 1936: attrib.exe
- PID 1428: attrib.exe
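The registry artifacts listed above (the safe360 Run value and the three Internet Explorer home-page values) are the host-side IoCs a responder would sweep for. The following is an added example, not part of the tria.ge report: it checks a registry snapshot for those values and also flags Run entries whose target path is not on disk, which catches the x86/x64 path mismatch noted under "Adds Run key to start application". The snapshot and the file listing are constructed from the values in this report plus one benign Run entry (SecurityHealth) as a negative case; on a live host the same functions can be fed values exported with `reg query` or read through winreg.

```python
"""Registry IoC check for the persistence and browser-hijack artifacts above.

Added example, not part of the tria.ge report. Runs against a constructed
registry snapshot (key -> {value name: data}) so it works offline.
"""
import re

# Taken from the report's signature section.
RUN_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
IE_HOME_VALUES = ("Start Page", "Search Page", "default_page_url")
HIJACK_HOST = "www.52cailing.com"
# Matches the dropped binary wherever the directory sfbsbvx is rooted,
# so both C:\Program Files\... and C:\Program Files (x86)\... are caught.
DROPPED_EXE_RE = re.compile(r"\\common files\\sfbsbvx\\coiome\.exe$", re.IGNORECASE)

# Constructed snapshot: the values recorded in the report plus one benign
# Run entry so the check has a negative case.
SNAPSHOT = {
    RUN_KEY: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "safe360": r"C:\Program Files\Common Files\sfbsbvx\coiome.exe",
    },
    r"HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main": {
        "Start Page": "http://www.52cailing.com",
        "Search Page": "http://www.52cailing.com",
        "default_page_url": "http://www.52cailing.com",
    },
}

# Constructed file listing: the drop path from "Drops file in Program Files
# directory" plus the benign binary. Note the (x86) directory.
PRESENT_FILES = {
    r"C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe",
    r"C:\Windows\System32\SecurityHealthSystray.exe",
}


def _norm_path(data):
    """Strip surrounding quotes and case so paths compare reliably."""
    return data.strip().strip('"').lower()


def find_iocs(snapshot):
    """Return (kind, key, value_name, data) for every value matching an IoC."""
    findings = []
    for key, values in snapshot.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if DROPPED_EXE_RE.search(_norm_path(data)):
                    findings.append(("persistence", key, name, data))
        elif key.lower().endswith(IE_MAIN_SUFFIX):
            for name in IE_HOME_VALUES:
                data = values.get(name, "")
                if HIJACK_HOST in data.lower():
                    findings.append(("ie_hijack", key, name, data))
    return findings


def unresolved_run_entries(snapshot, present_files):
    """Run values whose target path is not on disk.

    For this sample that is the safe360 entry: the Run value names the
    non-(x86) Program Files directory while the file was dropped under
    Program Files (x86).
    """
    present = {_norm_path(p) for p in present_files}
    run_values = snapshot.get(RUN_KEY, {})
    return [(name, data) for name, data in run_values.items()
            if _norm_path(data) not in present]


if __name__ == "__main__":
    for finding in find_iocs(SNAPSHOT):
        print("IOC", *finding)
    for name, data in unresolved_run_entries(SNAPSHOT, PRESENT_FILES):
        print("DANGLING RUN ENTRY", name, "->", data)
```

A dangling Run entry is worth reporting separately: it tells you the persistence did not take on that host, but it is still a clean artifact to hunt for across the fleet.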
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\mshta.exe (PID 1608)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\RMJ.hta"
    Signatures: Adds Run key to start application; Modifies Internet Explorer settings; Modifies Internet Explorer start page
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 760)
    Command line: cmd /c taskkill /im coiome.exe /f
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 1836)
      Command line: taskkill /im coiome.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe (PID 1380)
    Command line: "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 976)
      Command line: cmd /c sc delete JavaServe
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\sc.exe (PID 1276)
        Command line: sc delete JavaServe
        Signatures: Launches sc.exe
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1324)
      Command line: cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe (PID 1936)
        Command line: attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
        Signatures: Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1816)
      Command line: cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe (PID 1428)
        Command line: attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
        Signatures: Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1972)
      Command line: cmd /c del /f /s /q "%userprofile%\Cookies\*.*
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1624)
      Command line: cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1660)
      Command line: cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1000)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe"
    Signatures: Deletes itself
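The process tree above is the part of this report that translates most directly into detection logic: an HTA launched from under Program Files, sc delete and taskkill /f spawned beneath a binary running out of Common Files, attrib and del aimed at the IE cookie folders, and a final cmd /c del of the parent's own image. The following is an added example, not part of the tria.ge report or of the sample, that encodes those behaviours as rules over process-creation events. The events are constructed from a subset of the tree above using the PIDs the report records; the parent PID of the top-level sample is not in the report and is set to 0 here. In production the same rules would run over Sysmon Event ID 1 or Security 4688 records.

```python
"""Behaviour-chain detection over process-creation events.

Added example, not part of the tria.ge report. EVENTS is constructed from
the report's process tree (pid, ppid, image, command line).
"""
import re
from dataclasses import dataclass

SAMPLE = "e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED = r"C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
HTA = r"C:\Program Files (x86)\RMJ.hta"
SYS32 = r"C:\Windows\SysWOW64"
MSHTA = SYS32 + r"\mshta.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Subset of the tree above; ppid 0 for the sample is an assumption.
EVENTS = [
    ProcEvent(2032, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1608, 2032, MSHTA, f'"{MSHTA}" "{HTA}"'),
    ProcEvent(760, 2032, SYS32 + r"\cmd.exe", "cmd /c taskkill /im coiome.exe /f"),
    ProcEvent(1836, 760, SYS32 + r"\taskkill.exe", "taskkill /im coiome.exe /f"),
    ProcEvent(1380, 2032, DROPPED, f'"{DROPPED}"'),
    ProcEvent(976, 1380, SYS32 + r"\cmd.exe", "cmd /c sc delete JavaServe"),
    ProcEvent(1276, 976, SYS32 + r"\sc.exe", "sc delete JavaServe"),
    ProcEvent(1324, 1380, SYS32 + r"\cmd.exe",
              r'cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"'),
    ProcEvent(1936, 1324, SYS32 + r"\attrib.exe",
              r'attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"'),
    ProcEvent(1972, 1380, SYS32 + r"\cmd.exe",
              r'cmd /c del /f /s /q "%userprofile%\Cookies\*.*'),  # closing quote missing as recorded
    ProcEvent(1000, 2032, SYS32 + r"\cmd.exe", f'cmd /c del "{SAMPLE_PATH}"'),
]


def _ancestors(ev, by_pid):
    """Walk ppid links upward; stop at unknown pids or cycles."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def _is(ev, exe):
    return ev.image.lower().endswith("\\" + exe)


def rule_mshta_hta_in_program_files(ev, by_pid):
    # mshta.exe handed an .hta that lives under Program Files (RMJ.hta above).
    return _is(ev, "mshta.exe") and re.search(
        r'"c:\\program files( \(x86\))?\\[^"]*\.hta"', ev.cmdline, re.I) is not None


def rule_sc_delete_from_dropped_binary(ev, by_pid):
    # sc delete whose ancestry includes a binary running out of Common Files.
    if not (_is(ev, "sc.exe") and re.search(r"\bdelete\b", ev.cmdline, re.I)):
        return False
    return any("\\common files\\" in a.image.lower() for a in _ancestors(ev, by_pid))


def rule_forced_taskkill_by_image(ev, by_pid):
    return _is(ev, "taskkill.exe") and bool(
        re.search(r"/im\s+\S+", ev.cmdline, re.I) and re.search(r"/f\b", ev.cmdline, re.I))


def rule_browser_cookie_wipe(ev, by_pid):
    # attrib.exe or a del command aimed at the IE cookie / cache folders.
    cl = ev.cmdline.lower()
    touches = "\\cookies\\" in cl or "temporary internet files" in cl
    return touches and (_is(ev, "attrib.exe") or re.search(r"\bdel\b", cl) is not None)


def rule_self_delete_via_cmd(ev, by_pid):
    # cmd.exe deleting the image path of its own parent.
    parent = by_pid.get(ev.ppid)
    if parent is None or not (_is(ev, "cmd.exe") and re.search(r"\bdel\b", ev.cmdline, re.I)):
        return False
    return parent.image.lower() in ev.cmdline.lower()


RULES = {
    "mshta_hta_in_program_files": rule_mshta_hta_in_program_files,
    "sc_delete_from_dropped_binary": rule_sc_delete_from_dropped_binary,
    "forced_taskkill_by_image": rule_forced_taskkill_by_image,
    "browser_cookie_wipe": rule_browser_cookie_wipe,
    "self_delete_via_cmd": rule_self_delete_via_cmd,
}


def detect(events):
    """Return [(rule name, pid)] for every event a rule fires on."""
    by_pid = {e.pid: e for e in events}
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)]


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:32s} pid={pid}")
```

The rules that look at ancestry (sc delete) and at the parent's image (self-delete) are the ones that separate this chain from administrative noise: sc delete from services.exe or an installer is routine, sc delete three levels beneath a binary in Common Files is not.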
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 8.0MB
  MD5: b31eb4be30026c5a0fab74d5d7b33673
  SHA1: 14cc9ed284bc2e68d820e08e63fca4af645d1dd8
  SHA256: 811b25d82b377bdf6aac994c2e7d529c32e663f4030d6c40018770abf5b84f11
  SHA512: 39258ae32d5215fb4c4583455088db2b0e016f8979e8ff68ee3247e046d6dbc46064182a18f7b62cad5612831f3f60bd1eae73707a85d05d58367f86829ce46b
- Filesize: 780B
  MD5: cfae0efb683986503bb789616bad8b55
  SHA1: 9325f503e9c4d97a7d06d81859f73d245a974753
  SHA256: 8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8
  SHA512: e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c