55e14b777f92fa1171264d5bd37b6901fe39b8f1ea21cd0564b2cdc2615a04f1

General

Target

1ed4eeb70731aef3ad7894eae2a31596.exe
Size

63KB
MD5

1ed4eeb70731aef3ad7894eae2a31596
SHA1

6b3140c20ef910b73e04ac8c2f46c3fc8d3110c6
SHA256

55e14b777f92fa1171264d5bd37b6901fe39b8f1ea21cd0564b2cdc2615a04f1
SHA512

deb22e9ce11f93e075cf60f649f2d75ed04c72ad9bf3fa203c439299111f85cb249f110cf9888cdcaaecb80af89acc9ae033cb762bcd92ee343eba9713e2fd77
SSDEEP

768:xrpeUKbGP2fSz1A+pCmbZ8veI5Ig2aG+YaOvJ04m+jtRnbcuyD7UsM:xMqz1AGCmbZ8GI5CeOR04mMtRnouy8sM

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	1ed4eeb70731aef3ad7894eae2a31596.exe

Executes dropped EXE 1 IoCs

pid	Process
4956	coiome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sebsbvx\\coiome.exe"	mshta.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe	1ed4eeb70731aef3ad7894eae2a31596.exe
File opened for modification	C:\Program Files (x86)\Common Files\sebsbvx	coiome.exe
File opened for modification	C:\Program Files (x86)\Common Files\sebsbvx	1ed4eeb70731aef3ad7894eae2a31596.exe
File created	C:\Program Files (x86)\JKH.hta	1ed4eeb70731aef3ad7894eae2a31596.exe
File created	C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe	1ed4eeb70731aef3ad7894eae2a31596.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1072	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	1ed4eeb70731aef3ad7894eae2a31596.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	1ed4eeb70731aef3ad7894eae2a31596.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	4956	coiome.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3912	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	92
PID 3324 wrote to memory of 3912	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	92
PID 3324 wrote to memory of 3912	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	92
PID 3324 wrote to memory of 1260	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	94
PID 3324 wrote to memory of 1260	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	94
PID 3324 wrote to memory of 1260	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	94
PID 1260 wrote to memory of 1072	1260	cmd.exe	96
PID 1260 wrote to memory of 1072	1260	cmd.exe	96
PID 1260 wrote to memory of 1072	1260	cmd.exe	96
PID 3324 wrote to memory of 4956	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	97
PID 3324 wrote to memory of 4956	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	97
PID 3324 wrote to memory of 4956	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	97
PID 3324 wrote to memory of 404	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	100
PID 3324 wrote to memory of 404	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	100
PID 3324 wrote to memory of 404	3324	1ed4eeb70731aef3ad7894eae2a31596.exe	100

C:\Users\Admin\AppData\Local\Temp\1ed4eeb70731aef3ad7894eae2a31596.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4eeb70731aef3ad7894eae2a31596.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\JKH.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe
  "C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\1ed4eeb70731aef3ad7894eae2a31596.exe"
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe

Filesize
1.8MB

MD5
af8410c0637db0337feaaabfd5cdd389

SHA1
1949f1d875de767911f533d774d91ead25e54725

SHA256
ea2e1bfb845aea7d98b63e86c8d8b43310c58161031967b8704e1d7308504ef8

SHA512
cd6ebfd222fb004ef9e114c343093af63ed12c333b2cb6f2004ab361b6b2ea08f5ea7ab52a90934cea2b08fb7fea7d38fd54265340e9880bc6c26356d031a763

Download Submit
C:\Program Files (x86)\Common Files\sebsbvx\coiome.exe

Filesize
1.4MB

MD5
2813581207e42c99e20aa61325686f16

SHA1
a617c5fcf48b96df3ebf5480b018c10af5b239c5

SHA256
7f848c3eed60da1b5585cba895d07dfbeef88d02a0e2990ba6707815bac405d3

SHA512
b3731dbc0b1a3e690210564feab8ab57c117e9b3e62d3d432e16f04c59cf217ac029a175f23831373b4f57a5811edc5132a24b779c9eddc9ad04a6f9acc1a465

Download Submit
C:\Program Files (x86)\JKH.hta

Filesize
780B

MD5
123760c0b2b15cca0448e52b2b7f9f48

SHA1
e0d1004b3878b6c420b1c01f4953089c92921b20

SHA256
4244569e7c8cd1d29b0e6a467b73b397c75cdbf607de60e101da0963a363a615

SHA512
9aeb90f1cbf901da10bf75cc64177c1ecbd23fdfc9884caee442409bf34ebd6605c3dc6269b68490b7151554cb580a5e64c33a4ecdf42a5b146741fef022b9d1

Download Submit
memory/3324-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3324-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4956-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads