Overview

overview

10

Static

static

3

8a60340a7d...0f.exe

windows7-x64

10

8a60340a7d...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    02/02/2024, 19:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8a60340a7d24beb393be1913e1bd600f.exe

  • Size

    19KB

  • MD5

    8a60340a7d24beb393be1913e1bd600f

  • SHA1

    d022586b6d68aff88bb237ef43adee797612533f

  • SHA256

    19d7fb7a159ccc30098cd05dbfb377a408310ddf9b3428212a874fa4d80d10b0

  • SHA512

    ed8da599667db8afe10193f95d1c1196c45bfdd0b692d8775ac9dd31f9e027785a45880b21a73c7554664f2cfe94d81169185b40522a370c1b87bb8a4740874b

  • SSDEEP

    384:AmvZ/WZ7OLon28o0SWqXRtrwuV3uIOF+oHFM5HU7CzwaNJawcudoD7UIw:Ag/WZ7O6No0lq78uV3xOF+olMxUUZnb2

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a60340a7d24beb393be1913e1bd600f.exe
    "C:\Users\Admin\AppData\Local\Temp\8a60340a7d24beb393be1913e1bd600f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\ZIJ.hta"
      2⤵
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im coiome.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im coiome.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
    • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
      "C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete JavaServe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\sc.exe
          sc delete JavaServe
          4⤵
          • Launches sc.exe
          PID:300
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im iejore.exe /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im iejore.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im conime.exe /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im conime.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1560
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop LYTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\SysWOW64\sc.exe
          sc stop LYTC
          4⤵
          • Launches sc.exe
          PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop Messenger
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\sc.exe
          sc stop Messenger
          4⤵
          • Launches sc.exe
          PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete Messenger
        3⤵
          PID:1232
          • C:\Windows\SysWOW64\sc.exe
            sc delete Messenger
            4⤵
            • Launches sc.exe
            PID:1364
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc delete LYTC
          3⤵
            PID:1128
            • C:\Windows\SysWOW64\sc.exe
              sc delete LYTC
              4⤵
              • Launches sc.exe
              PID:2016
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c sc stop IE_WinserverName
            3⤵
              PID:1996
              • C:\Windows\SysWOW64\sc.exe
                sc stop IE_WinserverName
                4⤵
                • Launches sc.exe
                PID:1884
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c sc delete IE_WinserverName
              3⤵
                PID:2936
                • C:\Windows\SysWOW64\sc.exe
                  sc delete IE_WinserverName
                  4⤵
                  • Launches sc.exe
                  PID:2072
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c sc stop HidServ
                3⤵
                  PID:3028
                  • C:\Windows\SysWOW64\sc.exe
                    sc stop HidServ
                    4⤵
                    • Launches sc.exe
                    PID:1720
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c sc delete HidServ
                  3⤵
                    PID:2240
                    • C:\Windows\SysWOW64\sc.exe
                      sc delete HidServ
                      4⤵
                      • Launches sc.exe
                      PID:592
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
                    3⤵
                      PID:480
                      • C:\Windows\SysWOW64\cacls.exe
                        cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
                        4⤵
                          PID:1492
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
                        3⤵
                          PID:656
                          • C:\Windows\SysWOW64\cacls.exe
                            cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
                            4⤵
                              PID:2384
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c del "C:\Users\Admin\AppData\Local\Temp\8a60340a7d24beb393be1913e1bd600f.exe"
                          2⤵
                          • Deletes itself
                          PID:2196

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
                              Filesize

                              461KB

                              MD5

                              6a670c514ed3b69304be544848ee25bc

                              SHA1

                              89267ffba0c967469bdb0fd9e17c8ce3f6c82c6d

                              SHA256

                              1528f33e9072784baa5b3793cfb1e435511179003dffe6d6edd0875bb87ed303

                              SHA512

                              75614eb9575e78846574bc4d08a3783ee39bfc4f9dcb4475b416f2428286aa63c5c2cd9dca484e4df9a4efa62a1f17922262ff056e81398448c2d5b26941f9b3

                              Download Submit

                            • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
                              Filesize

                              588KB

                              MD5

                              2632a04f22cd8b0e56363209256f92a1

                              SHA1

                              82ef67b1d10bb4f150f683fb6dfd11bc297659b5

                              SHA256

                              6e00c0aaab281901a37c8143b8842a37e83b62d39f5d3a55d4e6121a374b2cee

                              SHA512

                              fb0aed49a8eb362c3afa2e8094b6d19e1bf1f1474a12642de9edfcc76964d284e7518f4fa07029ebd1b1b8ad7b501c7fbe3150b5007ada0a8235c7f0ea2af6d2

                              Download Submit

                            • C:\Program Files (x86)\ZIJ.hta
                              Filesize

                              785B

                              MD5

                              74ccbce1e5800180a01fb299767e310c

                              SHA1

                              5eee44303a3800e0ac31a103538dccfe4ffa57b2

                              SHA256

                              7c800551aa79c34f689c2d87e3b24c2bfaca0d2815538650abe445c3cb3a77ec

                              SHA512

                              581385678a72de017f99b41d565d5acd8b2ffa322e20ae9489803b6043fe6696ccab38c43ae5583afda73cb3f33b4fa33813c543ffb4e34b17394d1ec6fae6c8

                              Download Submit

                            • \Program Files (x86)\Common Files\sfbsbvy\coiome.exe
                              Filesize

                              513KB

                              MD5

                              91dde221ea893d6d733b4a94b765b1aa

                              SHA1

                              098f0135c26a2667188662069400bd47d21dd74e

                              SHA256

                              1633f7e1b58dca8d08dd2f3432ccdc92dd356e5c99e50ec4044762e85bbeed94

                              SHA512

                              7d1e90f41d2584a20370e46557317152bf28e0edfb983a16418786ed978d89ba035dbdd5c3dfcaa643f8e999b65f6f6342769f1af3eba7b4a51f92348444395f

                              Download Submit

                            • \Program Files (x86)\Common Files\sfbsbvy\coiome.exe
                              Filesize

                              614KB

                              MD5

                              ea9a76a3a549f28a3117aafccedbeac5

                              SHA1

                              811b65c11941b22a7fe1cc8835f426a11ca2c2e3

                              SHA256

                              9be360097b6c695331615a781ae417850999252a14ee655fc51c71a256c4531b

                              SHA512

                              562d7fd5756da2e20df3d73a269e75f0beb10ada4bab3c0af3c9da42f1dfc45c9a1fd857a006b81942ee66e268a12a3b60186740f0d1fcc7b6436d5b78a1c3a5

                              Download Submit

                            • memory/1704-15-0x00000000001C0000-0x00000000001D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/1704-14-0x00000000001C0000-0x00000000001D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/1704-6-0x0000000000400000-0x0000000000410000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/1704-0-0x0000000000400000-0x0000000000410000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2704-16-0x0000000000400000-0x0000000000410000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2704-18-0x0000000000400000-0x0000000000410000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2704-20-0x0000000000400000-0x0000000000410000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2704-21-0x0000000000400000-0x0000000000410000-memory.dmp

                              Filesize

                              64KB

                              Download