0b3171ab941a2a9161e76f00b695c7a8d5edc4c21d5a87e6b18dc8074bc32b4e

Analysis

max time kernel
143s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aicoin-latestx64.exe
Size

114.3MB
MD5

3e83308a72c5b6deabe155090beb7b6a
SHA1

7cc1f06c6c4d57c0d284b4dfdfa6392ce0c056a0
SHA256

0b3171ab941a2a9161e76f00b695c7a8d5edc4c21d5a87e6b18dc8074bc32b4e
SHA512

bea4a7e04f5e7bd499086a38f9b3b1430230c196ed08cd8d426a114ac4411b04b1396bbab19ff806f441f4e9cf7c9e7c69dab21c7a80b9b275929f4197ffc64c
SSDEEP

3145728:E0XhSQkoUZ8rdpbsCNG9hxVjPUsEXnOvvBJh5Qu/WI:phS/udpLYbjk+Br9F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	aicoin-latestx64.tmp

Loads dropped DLL 4 IoCs

pid	Process
2408	aicoin-latestx64.exe
2340	aicoin-latestx64.tmp
2340	aicoin-latestx64.tmp
2340	aicoin-latestx64.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aicoin-latestx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aicoin-latestx64.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2340	aicoin-latestx64.tmp
2340	aicoin-latestx64.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	aicoin-latestx64.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	aicoin-latestx64.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31
PID 2408 wrote to memory of 2340	2408	aicoin-latestx64.exe	31

C:\Users\Admin\AppData\Local\Temp\aicoin-latestx64.exe
"C:\Users\Admin\AppData\Local\Temp\aicoin-latestx64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\is-R3SMV.tmp\aicoin-latestx64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R3SMV.tmp\aicoin-latestx64.tmp" /SL5="$3014E,119006979,737280,C:\Users\Admin\AppData\Local\Temp\aicoin-latestx64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\background_finish.png

Filesize
145KB

MD5
825b89655e28d2b63e79ab3c7e5149ef

SHA1
1b3785bdd7c56206f58fe2df0f0aca559294b498

SHA256
68bf9818fcd2fca56379a467815a322ebf836d98e06e432a366d4e7cedafb658

SHA512
40a2ece65eef2c2cff2c75fa280e2c41666a83bcc0e5cb8d3a04797e86b7154b9c894433823e6650b2fd0234b43ec736f9a6f7fc2ea1d94b3adb664f405176f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\background_installing.png

Filesize
176KB

MD5
d61bec7dff9508f385ad11ea6c3b83f7

SHA1
70c91c4e917842d245069dbc9843de7489b8f143

SHA256
d3a38c6f063ac100700dc65efd1b36b1730ef7f8786bc1008bd2e6d5e1ebaca4

SHA512
643addb428af5ed0beb850c381be9329cf909d10ba0495f8d1cffb444c37894808d6962baf124c1cc625ada34b23774ca7739d75d70c1a341b184d298c567aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\background_messagebox.png

Filesize
4KB

MD5
d1a4f5ba76b7e7a702f13fbd9bbb76c7

SHA1
2c8e3fbf70f0a89a833c3607fface79a9072d324

SHA256
bcd3b5b4f4fb5a956a6ad14236567dcb1117b621713c50483433d7af1011e724

SHA512
6afc8c206f4cc9969bcc4ba373f05742ea318733891a145ef580f4116170c9fcab4479d8955e58f23d3cf445fdc9ed5eceabd086ce2324fc751f5bbb89d9d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\background_welcome.png

Filesize
150KB

MD5
cae707bd9eb5abfd065c6d5145549cee

SHA1
e47ce3d703beb58366cc3075bc858f3ba5f103e8

SHA256
2f7ba5736572a75b3ba53667e232fc28c77950cde0db5962dad8e389ace34140

SHA512
a9932287d5be67f359279f9438beb4e2e5cfde417a82c69f674e2aa82f6a08efe3cf6feeac49c0a3f20508ee3eee72350e23b999c0f1fb28576f928b993e1788

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_browse.png

Filesize
13KB

MD5
d724d25b757d8f203cd6777da8cd17a8

SHA1
51ac4866ba5550c73512a05fa4cccf36beb05a61

SHA256
78114fdef066f771aa842a682f0e71deb06b98a1b065689611814ba165460fc0

SHA512
183b1eccbf901f21ef992df79024b6bd2fa49e5e6599298ddeed9dfdb647d58a6407b519f5eeebc9a2c4eb6c9afb12e80ee5f3233d8ad7f8145496d569737fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_cancel.png

Filesize
6KB

MD5
fb8e04322eee99db624e395d969dbc59

SHA1
4ac99299b54c657c0d40679fc6e4f3840638ca58

SHA256
e5a6d0c5f16ca8bebd882dfac1b77336b477ea22f7b22bde72580824dd2d94e9

SHA512
90020fe26f252e4277235eed8f91da5754373f0fdcde0cff6c7bcf8ece5c2ee66c952ef884a69664fe412c55ea9cae1933fad1a0d9c626bdd836e6a177cef0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_close.png

Filesize
3KB

MD5
2b29884a02b398ef5b3d4cb2db1e5c34

SHA1
a8f7e6525378b22185a0bd3010d1b86fca1a9c2f

SHA256
789e0fd796fa36c23f053acc85dbcc1c03035f93b92cce76840811d8b898b025

SHA512
9093d8c0910118c3dbc1170b183738530fd7bdace1d0e7f839fcee701a807de17d9c1da5d2b9da06ac7ec9b0c89db99f3461c4ae5c553a52c22cfb413ee41883

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_customize_setup.png

Filesize
10KB

MD5
9fd5cf39cb1d65a7dd9fc7396fc03550

SHA1
41179665031dc8031197ee7450fc49b3efba052f

SHA256
adf67d4817b7061ef2ceb74375e1216908df908b4da839a70c275c66f4130193

SHA512
a951745de5fe3925add368eeaf57e6e67a7fa021df2289a3e6b64313890f60fc1a7e5aee49fa489cf268b63cad27c0d78daee1679a518aab4b25bcb9c8498a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_finish.png

Filesize
15KB

MD5
ad97fd4c6b284c686ad23f3212d7389c

SHA1
4e82f8151a7b58f7a9afa8d6f6db97684c78c2a9

SHA256
411caa8d2b27c64c092d0e673e4ae06fdef0d7d50e31dfb1b3b3f51d38cc2253

SHA512
cff27c4b705ac0bd44cc58d58496d54477da8bbc9ed6b4ad1ff5c05940654c1ad35be8d8ef6f136f5e9e96789b9ed62a2b0c83daef28c18f3224ea5a368ed86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_license.png

Filesize
11KB

MD5
410c7780e6700028ab373f9efe75f728

SHA1
4c6eb2e50b83e2bc8f58aa0b643a549028b16603

SHA256
16f20688f713c3bee746bd0d745f843c99f6c360f71b44aa5713f9d5fae2cf75

SHA512
0e63f245dc8e8799376b3f7e33da5a2f40e3788b7e1541e07e8e171b91c6e4dd0a0f9bca0a02cd6d4e34618bcc112bea29d2d99e19e44aac3a8ad5029e9ef790

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_minimize.png

Filesize
3KB

MD5
53377fd010771582b62621793237d97c

SHA1
7028bce353330e3fc2cfe0e3c94a9cb7c1f116e7

SHA256
7967738a3a3bd46f2c128eb9d66183c93dbb56cf51e08aa439162f999fc952a1

SHA512
a62a7813d60429b7532797f53878acac02975bd13524c496626219180f498033127870659cc96f4fecbcd67976140b904443e93d3a193d149027906f5dcb15d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_ok.png

Filesize
6KB

MD5
558e7219fc377b63365513c4e017cf24

SHA1
ac508857ab9657abc0f731ff09712bbafadd1f0b

SHA256
43818ff077e39e82519171f9525ba3be84e584252d42946733a07a3f39455466

SHA512
dfdec62bf1e1cf0f6f0eb9c825e75bcf1d7eacb7925acf8b4e19fd4f382cb95e8e01c14fde3cc58c9e47d26b296c34dfb469c42d1aa67670ad511a3698ee31f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_setup_or_next.png

Filesize
16KB

MD5
f759680e272b5fc9e60738b7dbbbc623

SHA1
defcdd008ddb3a3d5e4da4824f6114649c2e2c23

SHA256
ea9a1ac0057cf97ff422d306526ea3d73345673bd82f4fdffc2c4313fdb74b31

SHA512
cb2dc79e28edeaaa415653165e23c21236a6535bec6737349d5e9af69e5f92531d1c7da9ff55df10a09bc7731ab15fd4385d6436e78dd7a00792a0848c54eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\button_uncustomize_setup.png

Filesize
10KB

MD5
aa5886c0e8b173955df656efbcbc00d4

SHA1
a05b410e756d4b2b6c30a448a55777691c55b2dd

SHA256
7b4577498af66c8f3b2e69f65a36306395826fbfd21c8e8b227ab760c793b5d1

SHA512
15d74e888d5490478da9b5e429509cb864fdbc7ac0ad368353b5043fd07923e2d7ead94907ccb458b84f19022d8be1def8bed5c58866d20181206792be7b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\checkbox_RunApp.png

Filesize
18KB

MD5
d940cc6ffe0711645658760a85fd7205

SHA1
34d0bece8d647c23cf22d736ab5d07c0514ffabe

SHA256
87ebac7c4c2120f7e12be062da1c225c7b180aabc2682a6be3ae18f3cdd5198c

SHA512
a89197a2b18bdc9955b11fe2fce449c5ff6c5cd2d6f53af75c9a0494018a6fc59ef7f1bec2c494520970967606a79072e77853d6d0c76393de50d684a54b3614

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\checkbox_license.png

Filesize
27KB

MD5
e1ca6a42984d8b7ededb48a3f7133791

SHA1
b1c13e402f939ac9f00a795482a6f4b80b27a5bd

SHA256
023cca5e5bbab5aed27e5290d91a14573a0178d8cfaac73d402221c78c5f013d

SHA512
80a93ae1ffc67593faa28c8043135d92b6cc4bddc830a285c2e176c09450b391b4189e9bb060fb93002c236e69f4c48a247946b8169bb97c6b3f42ee07e45d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\progressbar_background.png

Filesize
283B

MD5
04dca3926efaa3851fd98aecb4315ef8

SHA1
8d431629c573a370df73741ad010463af635b8bd

SHA256
648c2e85e064672bb47b3750215470e1b7ea3e4217f777c6faa35446d449b4cf

SHA512
a54930c6a019236eb2ef3b38fe214f5a57645ca58c5896dd702256254279842413c9f4c7e8d60418f270a94f80ca7246a5d3a433503048ebd07ef7d5ddd774c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\progressbar_foreground.png

Filesize
286B

MD5
2205f8b79ffdd37af080e444c424e513

SHA1
95294bf76c00cf8677119a204046182887c0ec8d

SHA256
d2ce48f668bfeee1500c9aaafba2cfbc8ee7c3c34ec2afec3140aa1d5ff22b57

SHA512
1be8de0c734e96bd81664b74c40cc1e174c9cad93ed3a6af403be3f32c227faeaee02398108e3a87a7a56cbfac963f996de2bc9495024f47715ecc3dbeca7c83

Download Submit
\AICoin2.10.0.5 sbo\aicoin\WdsUnattend.exe

Filesize
34KB

MD5
dde4e4e601e8b0e7d1621167b709adb4

SHA1
cf152fff93d8bfc7bcde44e41954a36600c4c599

SHA256
53a5ebfe5356da897d550be1017f0c7334d8d9971288abf1398661e288cd983a

SHA512
f9b561ea64f374fa3548a09e26a00ea07baa2fd2d328ebc3668e793c4ebd6c44e8f66f04634a8e3f87b6888f60cc4eb663d073f4384a49b8a435dcc56a6ac8a4

Download Submit
\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-N18QO.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-R3SMV.tmp\aicoin-latestx64.tmp

Filesize
2.9MB

MD5
590344d59b18eae2e904a1ac1a3fba8c

SHA1
53bfc11cd47fd4ac3daafd5b55039822ce3d3d5d

SHA256
5a392c9caef84264432193d73d22a3021e677c0272354d9dccdfde5371f94bb4

SHA512
1251fec0107223b3339e342a2359af80bedcd03cc36f9858608c685c918cfe5cbc9abb3b8d842638affbf8eee965f7a9ac8983695d6fc1a1d72da76749de586d

Download Submit
memory/2340-176-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2340-8-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2340-126-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2340-124-0x0000000003260000-0x000000000326F000-memory.dmp

Filesize
60KB

Download
memory/2340-53-0x0000000003260000-0x000000000326F000-memory.dmp

Filesize
60KB

Download
memory/2340-177-0x0000000003260000-0x000000000326F000-memory.dmp

Filesize
60KB

Download
memory/2340-361-0x0000000003260000-0x000000000326F000-memory.dmp

Filesize
60KB

Download
memory/2340-332-0x0000000003260000-0x000000000326F000-memory.dmp

Filesize
60KB

Download
memory/2340-125-0x0000000003300000-0x0000000003315000-memory.dmp

Filesize
84KB

Download
memory/2340-60-0x0000000003300000-0x0000000003315000-memory.dmp

Filesize
84KB

Download
memory/2340-331-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2340-333-0x0000000003300000-0x0000000003315000-memory.dmp

Filesize
84KB

Download
memory/2408-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2408-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2408-122-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download