c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coinvault.exe
Size

544KB
MD5

b3a7fc445abfba3429094542049063c2
SHA1

451d2a60192d5a49c13dd4aed19c15448358969d
SHA256

2a5333438bed6532770f7d34b72439006625a9b38fd91f7659e390530cda18fd
SHA512

711d5a9a0fe539dc9e12092d360b008cc469cd387606e5a76c703e98b7e71863256cea4dbabf41b69b5d6bf0a7cebc01f2acd445c8d0e3a841f8dc46bc532908
SSDEEP

12288:xtMW53Bkb5nG7KC/MIkf74f6Z0PvB5V/EXF:xtJ53m5G7fP+Mi

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

coinvault.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vault = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\coinvault.exe\""	coinvault.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

coinvault.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	coinvault.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	coinvault.exe

Drops file in Windows directory 3 IoCs

Processes:

coinvault.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	coinvault.exe
File created	C:\Windows\assembly\Desktop.ini	coinvault.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	coinvault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

coinvault.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinvault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

coinvault.exe

pid process

632 coinvault.exe
632 coinvault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

coinvault.exe

description pid process

Token: SeDebugPrivilege 632 coinvault.exe

pid	process
632	coinvault.exe
632	coinvault.exe

description	pid	process
Token: SeDebugPrivilege	632	coinvault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

coinvault.execsc.exe

description	pid	process	target process
PID 632 wrote to memory of 3868	632	coinvault.exe	csc.exe
PID 632 wrote to memory of 3868	632	coinvault.exe	csc.exe
PID 632 wrote to memory of 3868	632	coinvault.exe	csc.exe
PID 3868 wrote to memory of 32	3868	csc.exe	cvtres.exe
PID 3868 wrote to memory of 32	3868	csc.exe	cvtres.exe
PID 3868 wrote to memory of 32	3868	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\coinvault.exe
"C:\Users\Admin\AppData\Local\Temp\coinvault.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3qxrgga.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97EB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97DB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97EB.tmp

Filesize
1KB

MD5
9f6c64cd56d29d86a0cf1dcbde029679

SHA1
8789fc3fc44163f237c61c8b9af8bda332e89116

SHA256
f399c575b2d9b1b08fd30f89b9ced328787768d49ceaf4971a141ee249a4cfcd

SHA512
caf996a21f1d247ed2f0f713a34ea4ff4ca6339438d4b437aa75e2bced17fde21073b7d8d39c5f87db3fb0ed64c268ea349b76a83abf8c40af6cc72bb3021d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3qxrgga.dll

Filesize
13KB

MD5
a59c132e02c40c3f11995467c8e8386d

SHA1
eb5dc316dec2419398f650e96f645d1e944a907b

SHA256
f9a24eed558c3e5b00f0d9457ed434394495b35e7fa5ec7154b52e768aba3f81

SHA512
2d7cd10fc6e8f27df5cb65722c30a0f7a8456db4ed9bf897605a72acb9dd64148ae7846f2fdff92df182569713f0f65f302f7f8676f971447e26ec563da3342c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC97DB.tmp

Filesize
652B

MD5
bd23cd7b17cf722ffd4b31339d1ff035

SHA1
0fc66a3587cd09da54d620e039c6eb0603f89c30

SHA256
8ad7611315fb4d21f8ab67d64f4e56cc83f516e7319398ab0238a8790b4ac609

SHA512
3d5d485dd9ab8d2639f6d6786e0606094e054e444fe0264b76024a00a6750589d2b264d840273667465af42887fe608f56d17a3d3af3aa2c759f9f9692e8aed4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3qxrgga.0.cs

Filesize
22KB

MD5
876e1e05167f8d7cd0998c864f730338

SHA1
b3a0dd03960b49d4620553e53a5194eb7483b30e

SHA256
77ce602164e8a8f39684776b8528b710b032f863415334125b33cda12e7b8e2b

SHA512
390fd444f4b9e47664b54c9cb6459eb81e1db6f1b63db0e1c126fe17e7049b767bbd47f21894204bd53e3490d7efc8b0a962a5cebeb90e89cabcf0f3cc31f2d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3qxrgga.cmdline

Filesize
347B

MD5
b30ce0623e38f22121a6b4c877136f5f

SHA1
1f008cb527c22208e48f8b32210aafec1801d4c6

SHA256
a8697110f4545a929a1fdf5313682bbb8b8e3883e79a12eac1508d48e9a181fd

SHA512
2164a656c254e4481a9c8b1cf8b27537d0865fa978a3e6b42ef88362de61209a46b5655e3747e642b26a5152f73baafd600ea77271405b6784cf39cf68d82962

Download Submit
memory/632-22-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/632-2-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-1-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-20-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-21-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-0-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/632-23-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-24-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-25-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/632-26-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-10-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download
memory/3868-17-0x0000000074AF0000-0x00000000750A1000-memory.dmp

Filesize
5.7MB

Download