c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
80s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coinvault.exe
Size

544KB
MD5

b3a7fc445abfba3429094542049063c2
SHA1

451d2a60192d5a49c13dd4aed19c15448358969d
SHA256

2a5333438bed6532770f7d34b72439006625a9b38fd91f7659e390530cda18fd
SHA512

711d5a9a0fe539dc9e12092d360b008cc469cd387606e5a76c703e98b7e71863256cea4dbabf41b69b5d6bf0a7cebc01f2acd445c8d0e3a841f8dc46bc532908
SSDEEP

12288:xtMW53Bkb5nG7KC/MIkf74f6Z0PvB5V/EXF:xtJ53m5G7fP+Mi

Score

9^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

coinvault.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vault = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\coinvault.exe\""	coinvault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

coinvault.execsc.execvtres.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinvault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2744 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

coinvault.exe

pid process

2504 coinvault.exe
2504 coinvault.exe

pid	process
2744	vssadmin.exe

pid	process
2504	coinvault.exe
2504	coinvault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

coinvault.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2504	coinvault.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

coinvault.execsc.exe

description	pid	process	target process
PID 2504 wrote to memory of 356	2504	coinvault.exe	csc.exe
PID 2504 wrote to memory of 356	2504	coinvault.exe	csc.exe
PID 2504 wrote to memory of 356	2504	coinvault.exe	csc.exe
PID 2504 wrote to memory of 356	2504	coinvault.exe	csc.exe
PID 356 wrote to memory of 3032	356	csc.exe	cvtres.exe
PID 356 wrote to memory of 3032	356	csc.exe	cvtres.exe
PID 356 wrote to memory of 3032	356	csc.exe	cvtres.exe
PID 356 wrote to memory of 3032	356	csc.exe	cvtres.exe
PID 2504 wrote to memory of 2744	2504	coinvault.exe	vssadmin.exe
PID 2504 wrote to memory of 2744	2504	coinvault.exe	vssadmin.exe
PID 2504 wrote to memory of 2744	2504	coinvault.exe	vssadmin.exe
PID 2504 wrote to memory of 2744	2504	coinvault.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\coinvault.exe
"C:\Users\Admin\AppData\Local\Temp\coinvault.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwhkckhu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB79D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB79C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB79D.tmp

Filesize
1KB

MD5
68de434a4ba9deca321a9d0fd661130c

SHA1
dec773baec37eadac01e6e49632f9d02f24d5aff

SHA256
5a8e85b3344bc9e164faba34d2b862f7892834842583928f53da72dc50d01824

SHA512
a22fe756efe75a487ca432ff5ae2a2f853a5d36e4da321832107180954dbc383051d18f9d68a7caa28c70feaaf57335d3ad9684cbb192c27e2d01e7729908e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwhkckhu.dll

Filesize
13KB

MD5
99e737633d4ddc81a8dcff7b6ff25e17

SHA1
9261ccad0b475aea73fc8a39914ca7e4cf8d6526

SHA256
91a14bd5ceadc1fd41417fa3fd5976145894dd7209356b780625789e1625efc7

SHA512
5ab184e37e9aab9c279fe456c2a52d4a329dbc805eb59bcf9d353bc37d5bcdc4add7a5b8dd62c16a1d8894afa5ec392bc5635b7cf2aa26fc721db2e35d5321d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB79C.tmp

Filesize
652B

MD5
005164c8f0c1d5823434c27821c178ba

SHA1
d2b7ac4136a8b028aa1fb3de548d58199ea97196

SHA256
388c08c34639b35918b9fead65930f71dd191d052a788546e149f44f57318061

SHA512
d6a00489a3f41d6bbaaa830bdd41beea66d5060533028e04a0df7d2f2c9ec308c6e7bcdcfc1970d226cf31cece3b16136bfff4472a4d853e67dce82f08db1aed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwhkckhu.0.cs

Filesize
22KB

MD5
876e1e05167f8d7cd0998c864f730338

SHA1
b3a0dd03960b49d4620553e53a5194eb7483b30e

SHA256
77ce602164e8a8f39684776b8528b710b032f863415334125b33cda12e7b8e2b

SHA512
390fd444f4b9e47664b54c9cb6459eb81e1db6f1b63db0e1c126fe17e7049b767bbd47f21894204bd53e3490d7efc8b0a962a5cebeb90e89cabcf0f3cc31f2d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwhkckhu.cmdline

Filesize
347B

MD5
57bc45edeff7a89edad843556adc5670

SHA1
ad1992c9a5ad8664bda13c3f9977d3ab5ceceebc

SHA256
2e4b661cf7c17e9dbf96888f757f116cfa29686fa79817a9ee2ca9211549ebcf

SHA512
ef827f357205d91a29450383714b8bce3c793253363da6a3d37b4ac8dc422e0c186ac1c0a9f7411d9828b80e7b5720ea7592cf48a8855df0986114e9791c53b0

Download Submit
memory/356-8-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/356-15-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-0-0x00000000748C1000-0x00000000748C2000-memory.dmp

Filesize
4KB

Download
memory/2504-2-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-1-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-18-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-19-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-20-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-21-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download