d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc

Analysis

max time kernel
146s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cohr.exe
Size

1.9MB
MD5

f63c3b09477f0fd95a747f9491044923
SHA1

572d425610224a7f9e8874abd2b0b7d76cd22bf2
SHA256

d635449c54ead00d629bc05c87146b3942375cc67b4726c31ea6a3dfbe298fbc
SHA512

88256ff18ba5583a06fe6bf096afc53e458b547ccc48c81d2b903b32409b4a1ff25cb28f731168212a21d734425196e4d6bb14c09548ded1c8524d34e23150a7
SSDEEP

24576:sHnaHPB9cf8XFqztAWByVFdk52o/pQ0WfMQ1jEqpFfrRV+:BH59cf8XFqztAWByVFdOF/Gn1YIdrRV+

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Cohr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
3020	mbr.exe
4196	PatBlt2.exe
2540	noise.exe
5772	BitBlt1.exe
5272	PatBlt3.exe
5416	ScreenShuffle.exe
2244	PatBlt2.exe
4764	PatBlt3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
3648	timeout.exe
4260	timeout.exe
4036	timeout.exe
3808	timeout.exe
3932	timeout.exe
3512	timeout.exe
3204	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4532	taskkill.exe
4136	taskkill.exe
4692	taskkill.exe
2428	taskkill.exe
4240	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	3580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3580	AUDIODG.EXE
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3076	4872	Cohr.exe	81
PID 4872 wrote to memory of 3076	4872	Cohr.exe	81
PID 3076 wrote to memory of 5632	3076	cmd.exe	84
PID 3076 wrote to memory of 5632	3076	cmd.exe	84
PID 3076 wrote to memory of 3020	3076	cmd.exe	85
PID 3076 wrote to memory of 3020	3076	cmd.exe	85
PID 3076 wrote to memory of 3020	3076	cmd.exe	85
PID 3076 wrote to memory of 4196	3076	cmd.exe	86
PID 3076 wrote to memory of 4196	3076	cmd.exe	86
PID 3076 wrote to memory of 4196	3076	cmd.exe	86
PID 3076 wrote to memory of 3648	3076	cmd.exe	87
PID 3076 wrote to memory of 3648	3076	cmd.exe	87
PID 3076 wrote to memory of 2540	3076	cmd.exe	95
PID 3076 wrote to memory of 2540	3076	cmd.exe	95
PID 3076 wrote to memory of 2540	3076	cmd.exe	95
PID 3076 wrote to memory of 4260	3076	cmd.exe	96
PID 3076 wrote to memory of 4260	3076	cmd.exe	96
PID 3076 wrote to memory of 4240	3076	cmd.exe	102
PID 3076 wrote to memory of 4240	3076	cmd.exe	102
PID 3076 wrote to memory of 5772	3076	cmd.exe	103
PID 3076 wrote to memory of 5772	3076	cmd.exe	103
PID 3076 wrote to memory of 5772	3076	cmd.exe	103
PID 3076 wrote to memory of 4036	3076	cmd.exe	104
PID 3076 wrote to memory of 4036	3076	cmd.exe	104
PID 3076 wrote to memory of 4532	3076	cmd.exe	106
PID 3076 wrote to memory of 4532	3076	cmd.exe	106
PID 3076 wrote to memory of 5272	3076	cmd.exe	107
PID 3076 wrote to memory of 5272	3076	cmd.exe	107
PID 3076 wrote to memory of 5272	3076	cmd.exe	107
PID 3076 wrote to memory of 3808	3076	cmd.exe	108
PID 3076 wrote to memory of 3808	3076	cmd.exe	108
PID 3076 wrote to memory of 4136	3076	cmd.exe	109
PID 3076 wrote to memory of 4136	3076	cmd.exe	109
PID 3076 wrote to memory of 5416	3076	cmd.exe	110
PID 3076 wrote to memory of 5416	3076	cmd.exe	110
PID 3076 wrote to memory of 5416	3076	cmd.exe	110
PID 3076 wrote to memory of 3932	3076	cmd.exe	111
PID 3076 wrote to memory of 3932	3076	cmd.exe	111
PID 3076 wrote to memory of 4692	3076	cmd.exe	112
PID 3076 wrote to memory of 4692	3076	cmd.exe	112
PID 3076 wrote to memory of 2244	3076	cmd.exe	113
PID 3076 wrote to memory of 2244	3076	cmd.exe	113
PID 3076 wrote to memory of 2244	3076	cmd.exe	113
PID 3076 wrote to memory of 3512	3076	cmd.exe	114
PID 3076 wrote to memory of 3512	3076	cmd.exe	114
PID 3076 wrote to memory of 2428	3076	cmd.exe	115
PID 3076 wrote to memory of 2428	3076	cmd.exe	115
PID 3076 wrote to memory of 4764	3076	cmd.exe	116
PID 3076 wrote to memory of 4764	3076	cmd.exe	116
PID 3076 wrote to memory of 4764	3076	cmd.exe	116
PID 3076 wrote to memory of 3204	3076	cmd.exe	117
PID 3076 wrote to memory of 3204	3076	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\Cohr.exe
"C:\Users\Admin\AppData\Local\Temp\Cohr.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3151.tmp\3152.bat C:\Users\Admin\AppData\Local\Temp\Cohr.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3151.tmp\1.vbs"
    3⤵
    PID:5632
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\PatBlt2.exe
    PatBlt2.exe
    3⤵
    - Executes dropped EXE
    PID:4196
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\noise.exe
    noise.exe
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Windows\system32\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:4260
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im PatBlt2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\BitBlt1.exe
    BitBlt1.exe
    3⤵
    - Executes dropped EXE
    PID:5772
- - C:\Windows\system32\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:4036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BitBlt1.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\PatBlt3.exe
    PatBlt3.exe
    3⤵
    - Executes dropped EXE
    PID:5272
- - C:\Windows\system32\timeout.exe
    timeout 40
    3⤵
    - Delays execution with timeout.exe
    PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im PatBlt3.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\ScreenShuffle.exe
    ScreenShuffle.exe
    3⤵
    - Executes dropped EXE
    PID:5416
- - C:\Windows\system32\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:3932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ScreenShuffle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\PatBlt2.exe
    PatBlt2.exe
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Windows\system32\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:3512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im PatBlt2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\3151.tmp\PatBlt3.exe
    PatBlt3.exe
    3⤵
    - Executes dropped EXE
    PID:4764
- - C:\Windows\system32\timeout.exe
    timeout 50
    3⤵
    - Delays execution with timeout.exe
    PID:3204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x380 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3151.tmp\1.vbs

Filesize
35B

MD5
6adfeb16856b62ff68981963c066e921

SHA1
62f821a5cb2bb2f79549b978bbaea66b37a9ffb0

SHA256
f0e0eb5df7b1efde42c73cfd8fc2777a1c2c59b6dfefc164746c045631f8db45

SHA512
3cc6fd9a986f99093c9eb493396377306f8a92c74095e5f8cb60af0a1b6c2e5be8481048511591eceb03a73220fee24e47ba454cb4794935baa790c5d57c794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\3152.bat

Filesize
454B

MD5
cf004c999dca00441092b939a1336851

SHA1
cc8eea88827d87a82fb497393ea83923dd80b524

SHA256
58d3fade23f8f61783c90321f4d243051e254d02fb0e51c1068d0de17e0f7e12

SHA512
5e1294d756cd42f6e55b0e097dc070e9a57779c34ebf838d41fe543c2c1038f2a580ff43d6885c89a9881a47e79f9e476d67a46338bde993ddce910a03ed6be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\BitBlt1.exe

Filesize
105KB

MD5
19a8a16e2a0d3225d1fc390c0a11b5dd

SHA1
ca235475f7a767e10c81426e013ee59106deb306

SHA256
8d6452b5a2dacbf6a1e064fc959f16a5ec13b5986a2687e70b5458eefdb60573

SHA512
d470d61fa9b19c34cd9ed916f9a6b44c821ed47082393212c17c743a764d2eed4dea2aae31f37d984f3c359ca646b34f0c6486f5f473d940c675974deb313ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\PatBlt2.exe

Filesize
104KB

MD5
17723ffd40fbfad58209c4e22178f50e

SHA1
13252e03c9efdfbe0f5b260f0c624fd56afbdf27

SHA256
4410610f8d45d176887777b872c46b1bd25b71302d8c97e55c07e9008ea23064

SHA512
65d7637f464231002d5ac62cb6ff80fa066d0a86f0119d5772bc9062890f32dfa189f4e85ee841eb30e90dcec6600059858b5401c31d0e377049af046c4f9228

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\PatBlt3.exe

Filesize
104KB

MD5
08e74e5f077f0337d0c0d15dde94f8be

SHA1
d5ba49b2ddfe50ea4b214e0f447cbed7fb949279

SHA256
b41d36f67e147133f8c3aa054b52275f68d7e2735a65eb3abcdcd08bede1100b

SHA512
f102a81b56c053a7c492a0459f9e7410346949074fc68e733ae9174651bb0265266560526782fe1e95cb2769f54fca3071f56839126d9fc8d7266828b9228fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\ScreenShuffle.exe

Filesize
104KB

MD5
042412143d162ce4877e700f1e0e00a3

SHA1
547b1358fbe4dc46d47ff516644a96f80f70f7ef

SHA256
29d6cb7222b713379111559d5a9df6f3f500e9b78940bafa82ebff0dc80f5690

SHA512
be2b148d9733519d9167fb2b3029abfa4ec6c64785c144ac49fe97e12f4cf1569f46c3a8466a8f4deef26f967363ab19eaf92f2a153b36cb9ea574048be94762

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\mbr.exe

Filesize
47KB

MD5
76a1a0e8eeae163bec539c7263279ae4

SHA1
a8435417cecd901fe9c9b96c0e828449e1569306

SHA256
1b4dce776992e1d51df9de1bdbee53bd38691070885f016b728a65579fa8ccc8

SHA512
8d3a1064f58e8c1fd37eb3900a81db768fea4f7f40a046e88f92b20bfe114a52573439a8839f9e28fdea7150931c55849e8d452afd526f5f7082370fccf389cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\noise.exe

Filesize
102KB

MD5
3c285eec317672f7eb27ec27244cbe59

SHA1
3bd2512ea461dd67babad9b398128c70a3dde059

SHA256
81cbb8c54d2dfdda281e37aff08f9f98afab3f415fbe3c7b5242c1b85495e715

SHA512
590ec0ed53848bee0ae82e0ecc62c48d66f0380ca04c6e425cc97bdd05f1b2cddeecf2e58d58dbfee4872500a425b7d5d1401f955d65d891114f61cd7baaf5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3151.tmp\noise.wav

Filesize
1.0MB

MD5
cdc6c78486f27876fca2f9ce090fe2df

SHA1
5b2655c058b1a0415e00c207839113b863b0a750

SHA256
31be0f1ab83ae8bddccd657ca78c57ee26e2ac3b3a87637e3adc6405f018b399

SHA512
3f80524dbcfd2f1e756710f2f21cb498268da7528077833ed01b4f2030aa0df0f0528a69a6b516ad1e5988174d1395ae189981e707127bea0acdfa6be0477f2a

Download Submit
memory/2244-67-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2540-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3020-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4196-31-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5272-49-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5416-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5772-40-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads