ff006bbebe733e0a28b5d7398a9c1be5886fef0dcde1bb34421122dea5abb5cf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3d6f82efc28843b3fccaf4bd61eb8e.exe
Size

248KB
MD5

ac3d6f82efc28843b3fccaf4bd61eb8e
SHA1

c2c0bb88bc2a6cda7718861423dfae5213e37c94
SHA256

ff006bbebe733e0a28b5d7398a9c1be5886fef0dcde1bb34421122dea5abb5cf
SHA512

65e15f2e8553497b08c3efb83b28f1e38fe3b568e660cd205e09bb29e2f85edda1a9557dd89743ad8de2e0d25b33eac77cb3641d697791b12bc1731d994fc5f7
SSDEEP

6144:VYQ/4u8ccm6HgId+7UDiKk7Wr5fxcq5dQeBACpmUjrgUBDlc7WsUzem2K2wJrNfa:/Qu8cc3HgI87IiKk7Wr5Jc6gUcWsUiln

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	coatia.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ac3d6f82efc28843b3fccaf4bd61eb8e.exe

Executes dropped EXE 1 IoCs

pid	Process
756	coatia.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /l"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /q"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /G"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /y"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /X"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /b"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /C"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /k"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /P"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /Y"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /F"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /T"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /B"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /W"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /e"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /R"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /d"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /M"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /h"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /V"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /o"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /S"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /g"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /m"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /u"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /x"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /K"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /L"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /p"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /E"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /w"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /z"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /f"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /I"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /D"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /U"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /t"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /a"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /r"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /c"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /i"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /H"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /n"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /Q"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /O"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /J"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /N"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /s"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /v"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /A"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /j"	coatia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coatia = "C:\\Users\\Admin\\coatia.exe /Z"	coatia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe
756	coatia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4900	ac3d6f82efc28843b3fccaf4bd61eb8e.exe
756	coatia.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 756	4900	ac3d6f82efc28843b3fccaf4bd61eb8e.exe	94
PID 4900 wrote to memory of 756	4900	ac3d6f82efc28843b3fccaf4bd61eb8e.exe	94
PID 4900 wrote to memory of 756	4900	ac3d6f82efc28843b3fccaf4bd61eb8e.exe	94

C:\Users\Admin\AppData\Local\Temp\ac3d6f82efc28843b3fccaf4bd61eb8e.exe
"C:\Users\Admin\AppData\Local\Temp\ac3d6f82efc28843b3fccaf4bd61eb8e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\coatia.exe
  "C:\Users\Admin\coatia.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\coatia.exe

Filesize
248KB

MD5
69efeb7a6d32e4fd7ab713f68dbd28e2

SHA1
4aba9c92dfae433f9a022f3d1ace1139fc8e0d27

SHA256
5d912121ab46003cf104c9dfe2dcb02d8ec0df8db2ae2bd0fd455b26d71e88cf

SHA512
286d88a2969df76f29241a16edfc38e6a9a6083d16af6fcc00333a8aa93177f865bdcb2f0b3b722f52ada8fd60656fd8e64bdade411ecb64acfa723eef187b53

Download Submit