Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26/09/2024, 00:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe
-
Size
96KB
-
MD5
d86057092bc44f69442ef306916992a0
-
SHA1
fbac0befdc8a074b96a00991b7c9e4b2f2ef1b21
-
SHA256
eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fb
-
SHA512
55151b7ec1c26a35e622c449653853c17b5fe56d94f094878d3322d3d393caf1b9bb60ebddc2088728d654da2fa10eaecb34c7092bcce1d9f1149be1a4f9db5f
-
SSDEEP
1536:/TBBGNgzWwmhLmncdkadGVScGYJXeiyCnO+TI4K4I4i404R4Z1VcvsJOpPpMm4/O:NBGuW6cOadGRJuH7ut/Tdvd+hXV/vU3r
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" coegia.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe -
Executes dropped EXE 1 IoCs
pid Process 244 coegia.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /Q" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /i" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /k" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /h" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /j" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /C" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /A" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /Z" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /T" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /o" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /U" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /L" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /E" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /v" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /G" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /I" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /O" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /g" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /p" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /R" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /J" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /H" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /f" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /K" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /F" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /c" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /t" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /P" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /w" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /e" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /V" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /X" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /s" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /x" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /b" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /m" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /u" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /D" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /S" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /y" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /a" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /q" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /N" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /z" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /M" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /B" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /W" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /n" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /d" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /l" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /r" coegia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coegia = "C:\\Users\\Admin\\coegia.exe /Y" coegia.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language coegia.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe 244 coegia.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1544 eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe 244 coegia.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1544 wrote to memory of 244 1544 eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe 89 PID 1544 wrote to memory of 244 1544 eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe 89 PID 1544 wrote to memory of 244 1544 eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe"C:\Users\Admin\AppData\Local\Temp\eef06d4d535f3f82fd75839ee782af64f9b2f5bb04cf4999df9b642d979be9fbN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\coegia.exe"C:\Users\Admin\coegia.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2820,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:81⤵PID:4616
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5f8d5ef930c888a6e8119c744e0afd547
SHA1d75ace7791063ef4ec2f81a39ca2d9ed67c7700a
SHA256185819a015b905f26730f647afbaf73b05597480279bc5dc8efbf893e5646b65
SHA51252b890a56b505ff0665785c492b48c147f327d27faf1972c0fd0c6fe4232c433cbd482b6fcd5fc95f2b0b369df13cc0928b5deb45d8bdc9286fe12011e0deb9e