d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cohr.exe
Size

1.9MB
MD5

f63c3b09477f0fd95a747f9491044923
SHA1

572d425610224a7f9e8874abd2b0b7d76cd22bf2
SHA256

d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
SHA512

88256ff18ba5583a06fe6bf096afc53e458b547ccc48c81d2b903b32409b4a1ff25cb28f731168212a21d734425196e4d6bb14c09548ded1c8524d34e23150a7
SSDEEP

24576:sHnaHPB9cf8XFqztAWByVFdk52o/pQ0WfMQ1jEqpFfrRV+:BH59cf8XFqztAWByVFdOF/Gn1YIdrRV+

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2704	mbr.exe
1992	PatBlt2.exe
2640	noise.exe
1756	BitBlt1.exe
2768	PatBlt3.exe
2696	ScreenShuffle.exe
1976	PatBlt2.exe
584	PatBlt3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
2676	timeout.exe
1028	timeout.exe
1396	timeout.exe
2544	timeout.exe
2364	timeout.exe
1488	timeout.exe
2620	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2756	taskkill.exe
860	taskkill.exe
2116	taskkill.exe
684	taskkill.exe
2356	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs

pid	Process
2704	mbr.exe
1992	PatBlt2.exe
2640	noise.exe
1756	BitBlt1.exe
2768	PatBlt3.exe
2696	ScreenShuffle.exe
1976	PatBlt2.exe
584	PatBlt3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1800	1244	Cohr.exe	28
PID 1244 wrote to memory of 1800	1244	Cohr.exe	28
PID 1244 wrote to memory of 1800	1244	Cohr.exe	28
PID 1244 wrote to memory of 1800	1244	Cohr.exe	28
PID 1800 wrote to memory of 2864	1800	cmd.exe	30
PID 1800 wrote to memory of 2864	1800	cmd.exe	30
PID 1800 wrote to memory of 2864	1800	cmd.exe	30
PID 1800 wrote to memory of 2704	1800	cmd.exe	31
PID 1800 wrote to memory of 2704	1800	cmd.exe	31
PID 1800 wrote to memory of 2704	1800	cmd.exe	31
PID 1800 wrote to memory of 2704	1800	cmd.exe	31
PID 1800 wrote to memory of 1992	1800	cmd.exe	32
PID 1800 wrote to memory of 1992	1800	cmd.exe	32
PID 1800 wrote to memory of 1992	1800	cmd.exe	32
PID 1800 wrote to memory of 1992	1800	cmd.exe	32
PID 1800 wrote to memory of 2620	1800	cmd.exe	33
PID 1800 wrote to memory of 2620	1800	cmd.exe	33
PID 1800 wrote to memory of 2620	1800	cmd.exe	33
PID 1800 wrote to memory of 2640	1800	cmd.exe	34
PID 1800 wrote to memory of 2640	1800	cmd.exe	34
PID 1800 wrote to memory of 2640	1800	cmd.exe	34
PID 1800 wrote to memory of 2640	1800	cmd.exe	34
PID 1800 wrote to memory of 2676	1800	cmd.exe	35
PID 1800 wrote to memory of 2676	1800	cmd.exe	35
PID 1800 wrote to memory of 2676	1800	cmd.exe	35
PID 1800 wrote to memory of 2356	1800	cmd.exe	36
PID 1800 wrote to memory of 2356	1800	cmd.exe	36
PID 1800 wrote to memory of 2356	1800	cmd.exe	36
PID 1800 wrote to memory of 1756	1800	cmd.exe	38
PID 1800 wrote to memory of 1756	1800	cmd.exe	38
PID 1800 wrote to memory of 1756	1800	cmd.exe	38
PID 1800 wrote to memory of 1756	1800	cmd.exe	38
PID 1800 wrote to memory of 1028	1800	cmd.exe	39
PID 1800 wrote to memory of 1028	1800	cmd.exe	39
PID 1800 wrote to memory of 1028	1800	cmd.exe	39
PID 1800 wrote to memory of 2756	1800	cmd.exe	42
PID 1800 wrote to memory of 2756	1800	cmd.exe	42
PID 1800 wrote to memory of 2756	1800	cmd.exe	42
PID 1800 wrote to memory of 2768	1800	cmd.exe	43
PID 1800 wrote to memory of 2768	1800	cmd.exe	43
PID 1800 wrote to memory of 2768	1800	cmd.exe	43
PID 1800 wrote to memory of 2768	1800	cmd.exe	43
PID 1800 wrote to memory of 1396	1800	cmd.exe	44
PID 1800 wrote to memory of 1396	1800	cmd.exe	44
PID 1800 wrote to memory of 1396	1800	cmd.exe	44
PID 1800 wrote to memory of 860	1800	cmd.exe	45
PID 1800 wrote to memory of 860	1800	cmd.exe	45
PID 1800 wrote to memory of 860	1800	cmd.exe	45
PID 1800 wrote to memory of 2696	1800	cmd.exe	46
PID 1800 wrote to memory of 2696	1800	cmd.exe	46
PID 1800 wrote to memory of 2696	1800	cmd.exe	46
PID 1800 wrote to memory of 2696	1800	cmd.exe	46
PID 1800 wrote to memory of 2544	1800	cmd.exe	47
PID 1800 wrote to memory of 2544	1800	cmd.exe	47
PID 1800 wrote to memory of 2544	1800	cmd.exe	47
PID 1800 wrote to memory of 2116	1800	cmd.exe	48
PID 1800 wrote to memory of 2116	1800	cmd.exe	48
PID 1800 wrote to memory of 2116	1800	cmd.exe	48
PID 1800 wrote to memory of 1976	1800	cmd.exe	49
PID 1800 wrote to memory of 1976	1800	cmd.exe	49
PID 1800 wrote to memory of 1976	1800	cmd.exe	49
PID 1800 wrote to memory of 1976	1800	cmd.exe	49
PID 1800 wrote to memory of 2364	1800	cmd.exe	50
PID 1800 wrote to memory of 2364	1800	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\Cohr.exe
"C:\Users\Admin\AppData\Local\Temp\Cohr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\17A6.tmp\17A7.bat C:\Users\Admin\AppData\Local\Temp\Cohr.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17A6.tmp\1.vbs"
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\PatBlt2.exe
    PatBlt2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1992
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\noise.exe
    noise.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2640
- - C:\Windows\system32\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im PatBlt2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\BitBlt1.exe
    BitBlt1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:1028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BitBlt1.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\PatBlt3.exe
    PatBlt3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2768
- - C:\Windows\system32\timeout.exe
    timeout 40
    3⤵
    - Delays execution with timeout.exe
    PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im PatBlt3.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\ScreenShuffle.exe
    ScreenShuffle.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2696
- - C:\Windows\system32\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:2544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ScreenShuffle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\PatBlt2.exe
    PatBlt2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1976
- - C:\Windows\system32\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:2364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im PatBlt2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\17A6.tmp\PatBlt3.exe
    PatBlt3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:584
- - C:\Windows\system32\timeout.exe
    timeout 50
    3⤵
    - Delays execution with timeout.exe
    PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17A6.tmp\1.vbs

Filesize
35B

MD5
6adfeb16856b62ff68981963c066e921

SHA1
62f821a5cb2bb2f79549b978bbaea66b37a9ffb0

SHA256
f0e0eb5df7b1efde42c73cfd8fc2777a1c2c59b6dfefc164746c045631f8db45

SHA512
3cc6fd9a986f99093c9eb493396377306f8a92c74095e5f8cb60af0a1b6c2e5be8481048511591eceb03a73220fee24e47ba454cb4794935baa790c5d57c794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\17A7.bat

Filesize
454B

MD5
cf004c999dca00441092b939a1336851

SHA1
cc8eea88827d87a82fb497393ea83923dd80b524

SHA256
58d3fade23f8f61783c90321f4d243051e254d02fb0e51c1068d0de17e0f7e12

SHA512
5e1294d756cd42f6e55b0e097dc070e9a57779c34ebf838d41fe543c2c1038f2a580ff43d6885c89a9881a47e79f9e476d67a46338bde993ddce910a03ed6be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\BitBlt1.exe

Filesize
105KB

MD5
19a8a16e2a0d3225d1fc390c0a11b5dd

SHA1
ca235475f7a767e10c81426e013ee59106deb306

SHA256
8d6452b5a2dacbf6a1e064fc959f16a5ec13b5986a2687e70b5458eefdb60573

SHA512
d470d61fa9b19c34cd9ed916f9a6b44c821ed47082393212c17c743a764d2eed4dea2aae31f37d984f3c359ca646b34f0c6486f5f473d940c675974deb313ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\PatBlt2.exe

Filesize
104KB

MD5
17723ffd40fbfad58209c4e22178f50e

SHA1
13252e03c9efdfbe0f5b260f0c624fd56afbdf27

SHA256
4410610f8d45d176887777b872c46b1bd25b71302d8c97e55c07e9008ea23064

SHA512
65d7637f464231002d5ac62cb6ff80fa066d0a86f0119d5772bc9062890f32dfa189f4e85ee841eb30e90dcec6600059858b5401c31d0e377049af046c4f9228

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\PatBlt3.exe

Filesize
104KB

MD5
08e74e5f077f0337d0c0d15dde94f8be

SHA1
d5ba49b2ddfe50ea4b214e0f447cbed7fb949279

SHA256
b41d36f67e147133f8c3aa054b52275f68d7e2735a65eb3abcdcd08bede1100b

SHA512
f102a81b56c053a7c492a0459f9e7410346949074fc68e733ae9174651bb0265266560526782fe1e95cb2769f54fca3071f56839126d9fc8d7266828b9228fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\ScreenShuffle.exe

Filesize
104KB

MD5
042412143d162ce4877e700f1e0e00a3

SHA1
547b1358fbe4dc46d47ff516644a96f80f70f7ef

SHA256
29d6cb7222b713379111559d5a9df6f3f500e9b78940bafa82ebff0dc80f5690

SHA512
be2b148d9733519d9167fb2b3029abfa4ec6c64785c144ac49fe97e12f4cf1569f46c3a8466a8f4deef26f967363ab19eaf92f2a153b36cb9ea574048be94762

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\mbr.exe

Filesize
47KB

MD5
76a1a0e8eeae163bec539c7263279ae4

SHA1
a8435417cecd901fe9c9b96c0e828449e1569306

SHA256
1b4dce776992e1d51df9de1bdbee53bd38691070885f016b728a65579fa8ccc8

SHA512
8d3a1064f58e8c1fd37eb3900a81db768fea4f7f40a046e88f92b20bfe114a52573439a8839f9e28fdea7150931c55849e8d452afd526f5f7082370fccf389cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\noise.exe

Filesize
102KB

MD5
3c285eec317672f7eb27ec27244cbe59

SHA1
3bd2512ea461dd67babad9b398128c70a3dde059

SHA256
81cbb8c54d2dfdda281e37aff08f9f98afab3f415fbe3c7b5242c1b85495e715

SHA512
590ec0ed53848bee0ae82e0ecc62c48d66f0380ca04c6e425cc97bdd05f1b2cddeecf2e58d58dbfee4872500a425b7d5d1401f955d65d891114f61cd7baaf5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\17A6.tmp\noise.wav

Filesize
1.0MB

MD5
cdc6c78486f27876fca2f9ce090fe2df

SHA1
5b2655c058b1a0415e00c207839113b863b0a750

SHA256
31be0f1ab83ae8bddccd657ca78c57ee26e2ac3b3a87637e3adc6405f018b399

SHA512
3f80524dbcfd2f1e756710f2f21cb498268da7528077833ed01b4f2030aa0df0f0528a69a6b516ad1e5988174d1395ae189981e707127bea0acdfa6be0477f2a

Download Submit
memory/1756-65-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1976-90-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1992-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2640-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2696-83-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2704-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2768-73-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads