7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9

Analysis

max time kernel
248s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
Size

104KB
MD5

52589a646bbfb9983bc15e3fa62fef92
SHA1

1f1249117a3de74722e0e1fd10cce4e674a03a74
SHA256

7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9
SHA512

81ec1fece594d30bd5f33d23dcff3b0eed137604bfa87cefc5cbf46c74f6a3091586ee7dfb1052d9d2a9b79b11b336246c765bf6436f590ab7e2a137fa154ac3
SSDEEP

1536:T553fEQE9ZScK43sKeWjwJBAOs9G2HaQNsMj3i6E3j:F53fEQqkIsK0IHxN/Oj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cofuc.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	cofuc.exe

Loads dropped DLL 2 IoCs

pid	Process
596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /g"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /k"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /t"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /o"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /c"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /q"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /s"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /j"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /n"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /h"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /p"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /w"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /x"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /d"	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /a"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /b"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /l"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /z"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /r"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /e"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /u"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /v"	cofuc.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /y"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /i"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /d"	cofuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cofuc = "C:\\Users\\Admin\\cofuc.exe /m"	cofuc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe
1984	cofuc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
1984	cofuc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 1984	596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe	28
PID 596 wrote to memory of 1984	596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe	28
PID 596 wrote to memory of 1984	596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe	28
PID 596 wrote to memory of 1984	596	7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe	28

C:\Users\Admin\AppData\Local\Temp\7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe
"C:\Users\Admin\AppData\Local\Temp\7586b5f402f8553c8eddb8524c423c3d6c3561c9e97a8c34d0b696d5beb0dfe9.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\cofuc.exe
  "C:\Users\Admin\cofuc.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cofuc.exe

Filesize
104KB

MD5
9c39b9825b773c3a57dcdbd4064adc9e

SHA1
f158d936c8b4c5968d78d97d86947334079f87d2

SHA256
7ae9438fc3f86bef0e2a484e9c4dabc12a5a646d2a8fd092f4642b64fb032ad9

SHA512
d6a0e365138cd8a13d651737c819a6166169a878f18e8fc4ca036df00c4b07639b68b09c68e2943144fc25f2ee6a76a5b5ec6394195866153b2119924dfec70c

Download Submit
C:\Users\Admin\cofuc.exe

Filesize
104KB

MD5
9c39b9825b773c3a57dcdbd4064adc9e

SHA1
f158d936c8b4c5968d78d97d86947334079f87d2

SHA256
7ae9438fc3f86bef0e2a484e9c4dabc12a5a646d2a8fd092f4642b64fb032ad9

SHA512
d6a0e365138cd8a13d651737c819a6166169a878f18e8fc4ca036df00c4b07639b68b09c68e2943144fc25f2ee6a76a5b5ec6394195866153b2119924dfec70c

Download Submit
\Users\Admin\cofuc.exe

Filesize
104KB

MD5
9c39b9825b773c3a57dcdbd4064adc9e

SHA1
f158d936c8b4c5968d78d97d86947334079f87d2

SHA256
7ae9438fc3f86bef0e2a484e9c4dabc12a5a646d2a8fd092f4642b64fb032ad9

SHA512
d6a0e365138cd8a13d651737c819a6166169a878f18e8fc4ca036df00c4b07639b68b09c68e2943144fc25f2ee6a76a5b5ec6394195866153b2119924dfec70c

Download Submit
\Users\Admin\cofuc.exe

Filesize
104KB

MD5
9c39b9825b773c3a57dcdbd4064adc9e

SHA1
f158d936c8b4c5968d78d97d86947334079f87d2

SHA256
7ae9438fc3f86bef0e2a484e9c4dabc12a5a646d2a8fd092f4642b64fb032ad9

SHA512
d6a0e365138cd8a13d651737c819a6166169a878f18e8fc4ca036df00c4b07639b68b09c68e2943144fc25f2ee6a76a5b5ec6394195866153b2119924dfec70c

Download Submit
memory/596-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1984-59-0x0000000000000000-mapping.dmp

Download