Analysis
- Max time kernel: 273s
- Max time network: 367s
- Platform: windows10-2004_x64
- Resource: win10v2004-20221111-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 04/12/2022, 02:41
Static task: static1
Behavioral task: behavioral1
- Sample: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe
- Resource: win10v2004-20221111-en
General
- Target: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe
- Size: 54KB
- MD5: 2a3fb18c680d1db507969f93ad76b726
- SHA1: 9a60bb7131f93e94274ffbfb722f4b53b906d6b1
- SHA256: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803
- SHA512: d59c90e640e45e326096581b935a018f2f007607ac1c27471c723c39cbf7c314e11442c7cba34bf3635dcb6c8a8d8d6a76e5b5a68c5670e5104b1960f38bf344
- SSDEEP: 768:6rpGUKbGPJfS/A+0jmlZ8veI+2qYg7ZffFLCNnbcuyD7U7R:6Hq/ADjmlZ8GITMdL2nouy87R
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
- PID 4588: coiome.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe" (process: mshta.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: mshta.exe)

Drops file in Program Files directory (5 IoCs)
- File opened for modification: C:\Program Files (x86)\Common Files\sfbsbvx (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)
- File created: C:\Program Files (x86)\VUV.hta (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)
- File created: C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\sfbsbvx (process: coiome.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoCs)
- PID 4552: taskkill.exe

Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main (process: mshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com" (process: mshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com" (process: mshta.exe)

Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com" (process: mshta.exe)

Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 3244 (process: e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe)
- Token: SeDebugPrivilege, PID 4588 (process: coiome.exe)
- Token: SeDebugPrivilege, PID 4552 (process: taskkill.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
Columns: description, pid, process, procid_target
- PID 3244 wrote to memory of 4832; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 81
- PID 3244 wrote to memory of 4832; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 81
- PID 3244 wrote to memory of 4832; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 81
- PID 3244 wrote to memory of 5112; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 82
- PID 3244 wrote to memory of 5112; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 82
- PID 3244 wrote to memory of 5112; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 82
- PID 5112 wrote to memory of 4552; 5112; cmd.exe; 84
- PID 5112 wrote to memory of 4552; 5112; cmd.exe; 84
- PID 5112 wrote to memory of 4552; 5112; cmd.exe; 84
- PID 3244 wrote to memory of 4588; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 85
- PID 3244 wrote to memory of 4588; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 85
- PID 3244 wrote to memory of 4588; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 85
- PID 3244 wrote to memory of 1352; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 88
- PID 3244 wrote to memory of 1352; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 88
- PID 3244 wrote to memory of 1352; 3244; e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe; 88
Processes
- C:\Users\Admin\AppData\Local\Temp\e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe"
  Depth: 1, PID: 3244
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\VUV.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Depth: 2, PID: 4832
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c taskkill /im coiome.exe /f
    Depth: 2, PID: 5112
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im coiome.exe /f
      Depth: 3, PID: 4552
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  - C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe
    Command line: "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
    Depth: 2, PID: 4588
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\e681a43247029144495d250e65a4fdc9fd037d6730db0d3af0ac3f19efc46803.exe"
    Depth: 2, PID: 1352
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 12.1MB
  MD5: b33666d4d5854a01a5363c4ce51a4b4a
  SHA1: 9b7ea5dd27d76fe4dc054c135f6d2a5a0387f060
  SHA256: 892e2036c3ed72269cc43044f75c2597fd278e9ae3985220f4921e0dbd6355f7
  SHA512: a9c96b7d87fbd885c0b70845e94fb1f95b52dd00bd6afda317d3308a900038017d14008de96c47423d016c69ef20c30e0cd577d6fc670030c6d1af321699ebc5
- Filesize: 780B
  MD5: cfae0efb683986503bb789616bad8b55
  SHA1: 9325f503e9c4d97a7d06d81859f73d245a974753
  SHA256: 8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8
  SHA512: e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c