4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
Size

4.0MB
MD5

e3909e59695938f07d3e20576bbff2ae
SHA1

40d89d2f9643af919efa9c8218d43c368d60a514
SHA256

4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903
SHA512

d62759546d7950b43afa0dcb539ccdebaa6abfd97d7e1db893cd56dfb1a820155fe1bd9bbbd342fea3b2b6a11bfa0eb320b5c9df98ffb09bb9685f4801a8060e
SSDEEP

98304:/9eaUjNM4oAVF8A1k9nPArfcdO2ingPKSUNSeu:/9nHGCGsGfcsFngPnUs

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	coiome.exe

Executes dropped EXE 1 IoCs

pid	Process
1164	coiome.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1688-132-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000400000001e635-138.dat	upx
behavioral2/files/0x000400000001e635-139.dat	upx
behavioral2/memory/1164-140-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1164-141-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sgcscvy\\coiome.exe"	mshta.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sgcscvy	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
File created	C:\Program Files (x86)\OTE.hta	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
File created	C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
File opened for modification	C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
File opened for modification	C:\Program Files (x86)\Common Files\sgcscvy	coiome.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2420	sc.exe
4356	sc.exe
2904	sc.exe
5000	sc.exe
4140	sc.exe
4048	sc.exe
2804	sc.exe
1192	sc.exe
3260	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
4520	taskkill.exe
1280	taskkill.exe
1616	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	coiome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"	coiome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	coiome.exe
1164	coiome.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	1164	coiome.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4188	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	81
PID 1688 wrote to memory of 4188	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	81
PID 1688 wrote to memory of 4188	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	81
PID 1688 wrote to memory of 1592	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	83
PID 1688 wrote to memory of 1592	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	83
PID 1688 wrote to memory of 1592	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	83
PID 1592 wrote to memory of 1280	1592	cmd.exe	85
PID 1592 wrote to memory of 1280	1592	cmd.exe	85
PID 1592 wrote to memory of 1280	1592	cmd.exe	85
PID 1688 wrote to memory of 1164	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	86
PID 1688 wrote to memory of 1164	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	86
PID 1688 wrote to memory of 1164	1688	4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe	86
PID 1164 wrote to memory of 5012	1164	coiome.exe	94
PID 1164 wrote to memory of 5012	1164	coiome.exe	94
PID 1164 wrote to memory of 5012	1164	coiome.exe	94
PID 1164 wrote to memory of 2468	1164	coiome.exe	95
PID 1164 wrote to memory of 2468	1164	coiome.exe	95
PID 1164 wrote to memory of 2468	1164	coiome.exe	95
PID 2468 wrote to memory of 1616	2468	cmd.exe	98
PID 2468 wrote to memory of 1616	2468	cmd.exe	98
PID 2468 wrote to memory of 1616	2468	cmd.exe	98
PID 5012 wrote to memory of 3260	5012	cmd.exe	99
PID 5012 wrote to memory of 3260	5012	cmd.exe	99
PID 5012 wrote to memory of 3260	5012	cmd.exe	99
PID 1164 wrote to memory of 2228	1164	coiome.exe	100
PID 1164 wrote to memory of 2228	1164	coiome.exe	100
PID 1164 wrote to memory of 2228	1164	coiome.exe	100
PID 2228 wrote to memory of 4520	2228	cmd.exe	102
PID 2228 wrote to memory of 4520	2228	cmd.exe	102
PID 2228 wrote to memory of 4520	2228	cmd.exe	102
PID 1164 wrote to memory of 2768	1164	coiome.exe	103
PID 1164 wrote to memory of 2768	1164	coiome.exe	103
PID 1164 wrote to memory of 2768	1164	coiome.exe	103
PID 2768 wrote to memory of 4140	2768	cmd.exe	105
PID 2768 wrote to memory of 4140	2768	cmd.exe	105
PID 2768 wrote to memory of 4140	2768	cmd.exe	105
PID 1164 wrote to memory of 420	1164	coiome.exe	106
PID 1164 wrote to memory of 420	1164	coiome.exe	106
PID 1164 wrote to memory of 420	1164	coiome.exe	106
PID 420 wrote to memory of 4048	420	cmd.exe	108
PID 420 wrote to memory of 4048	420	cmd.exe	108
PID 420 wrote to memory of 4048	420	cmd.exe	108
PID 1164 wrote to memory of 4548	1164	coiome.exe	109
PID 1164 wrote to memory of 4548	1164	coiome.exe	109
PID 1164 wrote to memory of 4548	1164	coiome.exe	109
PID 4548 wrote to memory of 2804	4548	cmd.exe	111
PID 4548 wrote to memory of 2804	4548	cmd.exe	111
PID 4548 wrote to memory of 2804	4548	cmd.exe	111
PID 1164 wrote to memory of 4432	1164	coiome.exe	112
PID 1164 wrote to memory of 4432	1164	coiome.exe	112
PID 1164 wrote to memory of 4432	1164	coiome.exe	112
PID 4432 wrote to memory of 2420	4432	cmd.exe	114
PID 4432 wrote to memory of 2420	4432	cmd.exe	114
PID 4432 wrote to memory of 2420	4432	cmd.exe	114
PID 1164 wrote to memory of 780	1164	coiome.exe	115
PID 1164 wrote to memory of 780	1164	coiome.exe	115
PID 1164 wrote to memory of 780	1164	coiome.exe	115
PID 780 wrote to memory of 4356	780	cmd.exe	117
PID 780 wrote to memory of 4356	780	cmd.exe	117
PID 780 wrote to memory of 4356	780	cmd.exe	117
PID 1164 wrote to memory of 3532	1164	coiome.exe	118
PID 1164 wrote to memory of 3532	1164	coiome.exe	118
PID 1164 wrote to memory of 3532	1164	coiome.exe	118
PID 3532 wrote to memory of 2904	3532	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe
"C:\Users\Admin\AppData\Local\Temp\4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\OTE.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe
  "C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im iejore.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im iejore.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im conime.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im conime.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop LYTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\sc.exe
      sc stop LYTC
      4⤵
      Launches sc.exe
      PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop Messenger
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Messenger
      4⤵
      Launches sc.exe
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete Messenger
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Messenger
      4⤵
      Launches sc.exe
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete LYTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LYTC
      4⤵
      Launches sc.exe
      PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop IE_WinserverName
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\sc.exe
      sc stop IE_WinserverName
      4⤵
      Launches sc.exe
      PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete IE_WinserverName
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\sc.exe
      sc delete IE_WinserverName
      4⤵
      Launches sc.exe
      PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop HidServ
    3⤵
    PID:1912
  - - C:\Windows\SysWOW64\sc.exe
      sc stop HidServ
      4⤵
      Launches sc.exe
      PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete HidServ
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\sc.exe
      sc delete HidServ
      4⤵
      Launches sc.exe
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
    3⤵
    PID:3904
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
      4⤵
      PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
    3⤵
    PID:2412
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
      4⤵
      PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\4379fa3f3fce655a845e8f9b9eea228fb02bbdf187b20ace0f35fdd7bee25903.exe"
  2⤵
  PID:4220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe

Filesize
8.0MB

MD5
9b674ee79aabd5de9601ee0f5e0508d7

SHA1
a444bfa87de7260f679580d318d18faed92fe262

SHA256
58daeb69a6e7393090357f210b4a320058c9b6e8d025d0fc5eba9f91659004d4

SHA512
ae0f547c0aef9bd23d330748cce8c526fa656e307bd386a2eca9b0fce2c748d3b9b5c03cc8f8051c5faf3b00ec3cdbb6a480405fb886580cdfe6b2744bf1e791

Download Submit
C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe

Filesize
8.0MB

MD5
9b674ee79aabd5de9601ee0f5e0508d7

SHA1
a444bfa87de7260f679580d318d18faed92fe262

SHA256
58daeb69a6e7393090357f210b4a320058c9b6e8d025d0fc5eba9f91659004d4

SHA512
ae0f547c0aef9bd23d330748cce8c526fa656e307bd386a2eca9b0fce2c748d3b9b5c03cc8f8051c5faf3b00ec3cdbb6a480405fb886580cdfe6b2744bf1e791

Download Submit
C:\Program Files (x86)\OTE.hta

Filesize
780B

MD5
439e3753d54e5bb10bbacae5d707d2bc

SHA1
4a66f505f560db1c896fd1b65309ddc1befdd27f

SHA256
db72cdc20e0fd6377d92873dcdf739968780ef4f1fa4e2401f18ef84829fd9b2

SHA512
5697558df2ce7151dccd7393ca66aac544ba767fa6875cfed8629b38d3efa56aef4073395d48e6bb38eedcdd42ff5bdae4f7974f709e26b6f4d55131390f89f7

Download Submit
memory/1164-141-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1164-140-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1688-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download