c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
600s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coinvault.exe
Size

544KB
MD5

b3a7fc445abfba3429094542049063c2
SHA1

451d2a60192d5a49c13dd4aed19c15448358969d
SHA256

2a5333438bed6532770f7d34b72439006625a9b38fd91f7659e390530cda18fd
SHA512

711d5a9a0fe539dc9e12092d360b008cc469cd387606e5a76c703e98b7e71863256cea4dbabf41b69b5d6bf0a7cebc01f2acd445c8d0e3a841f8dc46bc532908
SSDEEP

12288:xtMW53Bkb5nG7KC/MIkf74f6Z0PvB5V/EXF:xtJ53m5G7fP+Mi

Score

9^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vault = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\coinvault.exe\""	coinvault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinvault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2752	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
628	coinvault.exe
628	coinvault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	coinvault.exe
Token: SeBackupPrivilege	2452	vssvc.exe
Token: SeRestorePrivilege	2452	vssvc.exe
Token: SeAuditPrivilege	2452	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2660	628	coinvault.exe	31
PID 628 wrote to memory of 2660	628	coinvault.exe	31
PID 628 wrote to memory of 2660	628	coinvault.exe	31
PID 628 wrote to memory of 2660	628	coinvault.exe	31
PID 2660 wrote to memory of 2952	2660	csc.exe	33
PID 2660 wrote to memory of 2952	2660	csc.exe	33
PID 2660 wrote to memory of 2952	2660	csc.exe	33
PID 2660 wrote to memory of 2952	2660	csc.exe	33
PID 628 wrote to memory of 2752	628	coinvault.exe	34
PID 628 wrote to memory of 2752	628	coinvault.exe	34
PID 628 wrote to memory of 2752	628	coinvault.exe	34
PID 628 wrote to memory of 2752	628	coinvault.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\coinvault.exe
"C:\Users\Admin\AppData\Local\Temp\coinvault.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umrxs_nc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE081.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE080.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE081.tmp

Filesize
1KB

MD5
4301b8a75db6413aab833081ad9f6001

SHA1
70f46cb5e9c3556cee4603c24f03605cc7facc75

SHA256
8dd89954334ec514fd6df7a33ecd1f3b3b90d7a827dc045e2e81fe066c8a2061

SHA512
2c88873eb3ef2fb183ab84fbd1fe8520e770869c6f96c728a39effc887ae14b2113b78f3e810514e6b6bab7f0b9ac641f104a73d52b2b522ab7d130da28ba1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\umrxs_nc.dll

Filesize
13KB

MD5
9c61fe3bbc72968bfc129fbda7a6d524

SHA1
fae77a151f868025ce760ab51f9a50ce190dffaa

SHA256
e58336d366c42c1e9b256e0f950898180526f06d6ebc80fef551c82cd547cff8

SHA512
682f88177c0f9390dcf1addce8852ec701e17e5ea1995503842a0b1cfe9b4afa2518fbfbbd1442fe92b84618188bdcf15c2783d10b8a2ba4ed634fc159ffdcb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE080.tmp

Filesize
652B

MD5
2ade4c78e49c32ad882d0a26bb04c94f

SHA1
4ca328f852e1541b991b8ca1fe3ee1df5c788aec

SHA256
b707e22d44ecaef913b4749f75c88580c42cf67c0377a4fda037f661de109afb

SHA512
794a0c1c89c0afb8d65d3e19df592d0c306a7065e6030dab9ac3dc6040e14cda7a8d719747c7ff106574bcc08c3042eabcdc600f4fc5dfd7263bbf1e9d475912

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umrxs_nc.0.cs

Filesize
22KB

MD5
876e1e05167f8d7cd0998c864f730338

SHA1
b3a0dd03960b49d4620553e53a5194eb7483b30e

SHA256
77ce602164e8a8f39684776b8528b710b032f863415334125b33cda12e7b8e2b

SHA512
390fd444f4b9e47664b54c9cb6459eb81e1db6f1b63db0e1c126fe17e7049b767bbd47f21894204bd53e3490d7efc8b0a962a5cebeb90e89cabcf0f3cc31f2d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umrxs_nc.cmdline

Filesize
347B

MD5
4c60294f35f7f1c79895d7a299449891

SHA1
74aaaf3c9a23945d70d34ba30c24158219994616

SHA256
7fc7a14d719cd045109472dafb00ff370dadb07ecabfc8d149a107fb458bc473

SHA512
c5bf71a7f6ad3cb68ce86efd0f9b93a99084b9bcfa0fe329e33f632405b59e835b93b3bfc33f0b0fa08f00d80c9fdb421b0e941345cde26493248ce3fc512f47

Download Submit
memory/628-0-0x0000000074561000-0x0000000074562000-memory.dmp

Filesize
4KB

Download
memory/628-2-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/628-1-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/628-18-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/628-19-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/628-20-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/628-21-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-8-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-15-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download