Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 01:41
Behavioral task: behavioral1
- Sample: 1d8d07a2fd40cc33a31536f83a5f1195.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 1d8d07a2fd40cc33a31536f83a5f1195.exe
- Resource: win10v2004-20240508-en
General
- Target: 1d8d07a2fd40cc33a31536f83a5f1195.exe
- Size: 94KB
- MD5: 1d8d07a2fd40cc33a31536f83a5f1195
- SHA1: 7565580cc47d7136bb210abf1b4f783437231670
- SHA256: 455b0b4c5ec70b60ea135fc889e56b418b977a295b85c8ceb5cd43aab28effb0
- SHA512: 92f9c9dde8e2a6e6b8d56f743fcdd6449a260a3a0881c8b62ca9b13070d012ea0b5442a7b441cd97b1b2dd67f949fa33618d91c85ed73639d8e28c20b5bf3216
- SSDEEP: 1536:eskKNqRSQ911QzZ+qdFYg9u9c0unIL4s60s7/XwPivhAho4TFdoN8jGhTl0:es9NUSKbeZ+cFwc0JLA0sAcAO4BdoT5
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3G4L2686-J4L1-X5MV-12RE-JFH5V38F5030} (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3G4L2686-J4L1-X5MV-12RE-JFH5V38F5030}\StubPath = "C:\\Windows\\system32\\Coffin Of Evil.exe Restart" (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
YARA rule matches (resource: rule)
- behavioral2/memory/1112-0-0x0000000000400000-0x000000000043B000-memory.dmp: upx
- behavioral2/memory/1112-20-0x0000000000400000-0x000000000043B000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdocx = "C:\\Windows\\system32\\Coffin Of Evil.exe" (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcrx = "C:\\Windows\\system32\\Coffin Of Evil.exe" (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\SysWOW64\Coffin Of Evil.exe (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
- File opened for modification: C:\Windows\SysWOW64\Coffin Of Evil.exe (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
- File created: C:\Windows\SysWOW64\logs.dat (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
- File opened for modification: C:\Windows\SysWOW64\logs.dat (process: 1d8d07a2fd40cc33a31536f83a5f1195.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1112: 1d8d07a2fd40cc33a31536f83a5f1195.exe
- PID 1112: 1d8d07a2fd40cc33a31536f83a5f1195.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1112: 1d8d07a2fd40cc33a31536f83a5f1195.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 1112, 1d8d07a2fd40cc33a31536f83a5f1195.exe (this entry is recorded 4 times)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1112 wrote to memory of 4004; process: 1d8d07a2fd40cc33a31536f83a5f1195.exe; procid_target: 89 (this identical entry is recorded 64 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\1d8d07a2fd40cc33a31536f83a5f1195.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d8d07a2fd40cc33a31536f83a5f1195.exe"
  PID: 1112
  Signatures:
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
  PID: 432