55e14b777f92fa1171264d5bd37b6901fe39b8f1ea21cd0564b2cdc2615a04f1

General

Target

1ed4eeb70731aef3ad7894eae2a31596.exe
Size

63KB
MD5

1ed4eeb70731aef3ad7894eae2a31596
SHA1

6b3140c20ef910b73e04ac8c2f46c3fc8d3110c6
SHA256

55e14b777f92fa1171264d5bd37b6901fe39b8f1ea21cd0564b2cdc2615a04f1
SHA512

deb22e9ce11f93e075cf60f649f2d75ed04c72ad9bf3fa203c439299111f85cb249f110cf9888cdcaaecb80af89acc9ae033cb762bcd92ee343eba9713e2fd77
SSDEEP

768:xrpeUKbGP2fSz1A+pCmbZ8veI5Ig2aG+YaOvJ04m+jtRnbcuyD7UsM:xMqz1AGCmbZ8GI5CeOR04mMtRnouy8sM

Score

8^/10

evasion persistence

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sebsbvx\\coiome.exe"	mshta.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sebsbvx	1ed4eeb70731aef3ad7894eae2a31596.exe
File created	C:\Program Files (x86)\CFG.hta	1ed4eeb70731aef3ad7894eae2a31596.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2608	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	1ed4eeb70731aef3ad7894eae2a31596.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3068	2224	1ed4eeb70731aef3ad7894eae2a31596.exe	14
PID 2224 wrote to memory of 3068	2224	1ed4eeb70731aef3ad7894eae2a31596.exe	14
PID 2224 wrote to memory of 3068	2224	1ed4eeb70731aef3ad7894eae2a31596.exe	14
PID 2224 wrote to memory of 3068	2224	1ed4eeb70731aef3ad7894eae2a31596.exe	14

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
948	attrib.exe
1324	attrib.exe

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\CFG.hta"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:3068

C:\Users\Admin\AppData\Local\Temp\1ed4eeb70731aef3ad7894eae2a31596.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4eeb70731aef3ad7894eae2a31596.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - Kills process with taskkill
    PID:2608
- C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe
  "C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe"
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Cookies\*.*
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\1ed4eeb70731aef3ad7894eae2a31596.exe"
  2⤵
  PID:956

C:\Windows\SysWOW64\attrib.exe
attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
1⤵
- Views/modifies file attributes
PID:948

C:\Windows\SysWOW64\attrib.exe
attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
1⤵
- Views/modifies file attributes
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe

Filesize
95KB

MD5
37c6ddc9cf7affd3dafcdbb12429cf2e

SHA1
8d9bfc800861a1ae6d8c07525fc49132b1d2a459

SHA256
5ea2907c9d053c2566e8fcea9db1040309ddfa5ab1307e9f406eab1a06f5f4f4

SHA512
b59a3c62b90392d18030e7251b73be51fb10e739e3cb885c70254d7ee534e4cd42d149f086d0df56162f0920ff0a17820a39c13dde1b76e7b2abc960ec11f30b

Download Submit
\Program Files (x86)\Common Files\sebsbvx\coiome.exe

Filesize
206KB

MD5
b2c6a44befccc1f17b7f7c8ff62c206e

SHA1
6feb43a2af9eda40c5003e10392af8291a02989b

SHA256
80b1805073f6cfc20acff6ba621d2a09abad7b7ac9edabd86e09444d877102ee

SHA512
a8b72e909fdeea325dbcc8d7df644584c845371655aec7dae3d34ba85ae9e301440f694c6bd8fc833e8e4abc60dc11fc4125f86cb0eb0f006f7dfcd02538f407

Download Submit
\Program Files (x86)\Common Files\sebsbvx\coiome.exe

Filesize
92KB

MD5
8733b5acaa1f160ed5bc9b26513840a0

SHA1
b5377e7aeafef3ee20bc360d49a75f067a18e15b

SHA256
5751a64405f593f38a6ba398a2c4c724413adff63d9d0f5d66b482db18e6658f

SHA512
43163a19eebabec77ccd2a5f18f1aaf23db1162168ee974afad2fbdbf9caeba67882c6eb2a92175f189e4e15cd825dc04174a267f166e63739a7b33c31261954

Download Submit
memory/2060-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2060-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2224-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2224-13-0x0000000000530000-0x0000000000541000-memory.dmp

Filesize
68KB

Download
memory/2224-7-0x0000000000530000-0x0000000000541000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads