8e28b15109561741e95d923224c7f2c81c2ee2776a2cc07001bd978cd31f88b4

Analysis

max time kernel
19s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cocaina_Project_2.0_.rar
Size

393KB
MD5

b8e7e4cf5d20313e396a3a0bd202b849
SHA1

c411b18cbb19f0cff5cbb5275a0c3642ff871bbb
SHA256

8e28b15109561741e95d923224c7f2c81c2ee2776a2cc07001bd978cd31f88b4
SHA512

55c2491ba329aad2d83b16e9852e46a5581303db997e81d6e0de0f27f0cc734a44a8a4ad977a7aed62965dfdab438a74f89fd1b228d5c8b5f9dc437844481ec2
SSDEEP

12288:AjUa9EJ4+GdW/rJcNRu3fjAny9EwtlzP2LYrE:AjSJ4bdsJcG3fs/Il6LuE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	Cocaina_Project.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	7zFM.exe
4948	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4948	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4948	7zFM.exe
Token: 35	4948	7zFM.exe
Token: SeSecurityPrivilege	4948	7zFM.exe
Token: SeSecurityPrivilege	4948	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4948	7zFM.exe
4948	7zFM.exe
4948	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4948	3628	cmd.exe	88
PID 3628 wrote to memory of 4948	3628	cmd.exe	88
PID 4948 wrote to memory of 3040	4948	7zFM.exe	94
PID 4948 wrote to memory of 3040	4948	7zFM.exe	94

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cocaina_Project_2.0_.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cocaina_Project_2.0_.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\7zO453DDB77\Cocaina_Project.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO453DDB77\Cocaina_Project.exe"
    3⤵
    - Executes dropped EXE
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO453DDB77\Cocaina_Project.exe

Filesize
1.2MB

MD5
ce0bfd31f9ddc913ec88519dc25ee982

SHA1
6065c86b38e922cebaa64e8e3a005c3e275e8fb0

SHA256
232cb6a940032eedcc875992be910a95016bea65ae698dbad7529b44d9585ab5

SHA512
0bb8ce3564cf4c014f3b2f7a95e5f72c9c9a81e4b7e069470fc1633a6e902584d69e7bec2188aa4fadc540edc975a73baa162d7c7a6d774b6896ee0e49496513

Download Submit