Analysis
max time kernel: 153s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  Resource: win10v2004-20220812-en
General
Target: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
Size: 6.0MB
MD5: fd4db948be621f87de27f230c3169101
SHA1: b1bb461b69897da482978e696040c074b3691680
SHA256: e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5
SHA512: dac0fa6e594b980217f4bfd138b652fed4cc6da07135ae5847f77948ad4446633ae7fb279464e6d281c2395ea4e76d8ec26d7c204e599e181c4a2de6bc699375
SSDEEP: 384:swGx6sLtvVTdvI269d/61zJ4AZ9uFVPSaNJawcudoD7UwQu:S6gtldvIbj61zJzIznbcuyD7Uwz
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  3068 | coiome.exe
Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | mshta.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe" | mshta.exe
Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Common Files\sfbsbvx | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  File created | C:\Program Files (x86)\IHC.hta | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  File created | C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  File opened for modification | C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  File opened for modification | C:\Program Files (x86)\Common Files\sfbsbvx | coiome.exe
Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  368 | sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (1 IoC)
  pid | Process
  5092 | taskkill.exe
Modifies Internet Explorer settings
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com" | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com" | mshta.exe
Modifies Internet Explorer start page (1 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com" | mshta.exe
Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4140 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  Token: SeDebugPrivilege | 5092 | taskkill.exe
  Token: SeDebugPrivilege | 3068 | coiome.exe
Suspicious use of WriteProcessMemory (42 IoCs)
  Each parent-to-child write below appears three times in the report, giving 42 entries in total.
  description | pid | Process | procid_target
  PID 4140 wrote to memory of 3236 | 4140 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 79
  PID 4140 wrote to memory of 3396 | 4140 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 80
  PID 3396 wrote to memory of 5092 | 3396 | cmd.exe | 82
  PID 4140 wrote to memory of 3068 | 4140 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 85
  PID 4140 wrote to memory of 3372 | 4140 | e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe | 86
  PID 3068 wrote to memory of 212 | 3068 | coiome.exe | 89
  PID 212 wrote to memory of 368 | 212 | cmd.exe | 91
  PID 3068 wrote to memory of 3904 | 3068 | coiome.exe | 92
  PID 3904 wrote to memory of 3940 | 3904 | cmd.exe | 94
  PID 3068 wrote to memory of 2360 | 3068 | coiome.exe | 95
  PID 2360 wrote to memory of 1292 | 2360 | cmd.exe | 97
  PID 3068 wrote to memory of 4328 | 3068 | coiome.exe | 98
  PID 3068 wrote to memory of 4644 | 3068 | coiome.exe | 100
  PID 3068 wrote to memory of 1784 | 3068 | coiome.exe | 102
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  1292 | attrib.exe
  3940 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4140

  C:\Windows\SysWOW64\mshta.exe
    command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\IHC.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID: 3236

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c taskkill /im coiome.exe /f
    - Suspicious use of WriteProcessMemory
    PID: 3396

    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /im coiome.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 5092

  C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe
    command line: "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3068

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c sc delete JavaServe
      - Suspicious use of WriteProcessMemory
      PID: 212

      C:\Windows\SysWOW64\sc.exe
        command line: sc delete JavaServe
        - Launches sc.exe
        PID: 368

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
      - Suspicious use of WriteProcessMemory
      PID: 3904

      C:\Windows\SysWOW64\attrib.exe
        command line: attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
        - Views/modifies file attributes
        PID: 3940

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
      - Suspicious use of WriteProcessMemory
      PID: 2360

      C:\Windows\SysWOW64\attrib.exe
        command line: attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
        - Views/modifies file attributes
        PID: 1292

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c del /f /s /q "%userprofile%\Cookies\*.*
      PID: 4328

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
      PID: 4644

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
      PID: 1784

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\e75f01f4d0babc54949de065c864d3997326506849bd0adad0491a23d6b6a8e5.exe"
    PID: 3372
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 8.0MB
MD5: 57b4b4477a8bb47d1ef6c603d8daa370
SHA1: 6a100d6f3267f8f9b9eb678909a30885511b8220
SHA256: 2bf4cb55cad42919aa665fc60620248058309c55ef06acf6603e6ed81411041c
SHA512: f1c8b17435222ddb14686c325395a361a1ea989edd44f76b8eafc5c9304f01ca2930d9b5bff859a66eea195d600eea2e58f8f1e2756e16365abe5e163cccc95c
Filesize: 780B
MD5: cfae0efb683986503bb789616bad8b55
SHA1: 9325f503e9c4d97a7d06d81859f73d245a974753
SHA256: 8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8
SHA512: e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c