c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
300s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coinvault.exe
Size

544KB
MD5

b3a7fc445abfba3429094542049063c2
SHA1

451d2a60192d5a49c13dd4aed19c15448358969d
SHA256

2a5333438bed6532770f7d34b72439006625a9b38fd91f7659e390530cda18fd
SHA512

711d5a9a0fe539dc9e12092d360b008cc469cd387606e5a76c703e98b7e71863256cea4dbabf41b69b5d6bf0a7cebc01f2acd445c8d0e3a841f8dc46bc532908
SSDEEP

12288:xtMW53Bkb5nG7KC/MIkf74f6Z0PvB5V/EXF:xtJ53m5G7fP+Mi

Score

9^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vault = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\coinvault.exe\""	coinvault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinvault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2820	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	coinvault.exe
1996	coinvault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	coinvault.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1352	1996	coinvault.exe	31
PID 1996 wrote to memory of 1352	1996	coinvault.exe	31
PID 1996 wrote to memory of 1352	1996	coinvault.exe	31
PID 1996 wrote to memory of 1352	1996	coinvault.exe	31
PID 1352 wrote to memory of 2772	1352	csc.exe	33
PID 1352 wrote to memory of 2772	1352	csc.exe	33
PID 1352 wrote to memory of 2772	1352	csc.exe	33
PID 1352 wrote to memory of 2772	1352	csc.exe	33
PID 1996 wrote to memory of 2820	1996	coinvault.exe	34
PID 1996 wrote to memory of 2820	1996	coinvault.exe	34
PID 1996 wrote to memory of 2820	1996	coinvault.exe	34
PID 1996 wrote to memory of 2820	1996	coinvault.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\coinvault.exe
"C:\Users\Admin\AppData\Local\Temp\coinvault.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\opnqzeus.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD21F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD21E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD21F.tmp

Filesize
1KB

MD5
5e08ad9db807be96a2c7c3f589c31d44

SHA1
3419b71cd2327f5bc077b0eb069e7e8a5a264287

SHA256
54c550641afa6c5bb40d81e7c7965933cc3a80e1e75672842042f86dc06dd415

SHA512
bcb9a4b801b707f93199ba6c8b7bfb058d6e8c850cdc329bb1a1306df02515722d69ead3df3c2620b7f193aed1d3d5bf24f816ce618ea77200584d3169de5879

Download Submit
C:\Users\Admin\AppData\Local\Temp\opnqzeus.dll

Filesize
13KB

MD5
3cd8103e150b7b6203013534a2aa8b77

SHA1
9759ab65f6ff3201b76eb8ddadb0b84d02d07c3a

SHA256
7968681a93605c9323bb659639fb708b2779ecfe9f499580b762b9d475f65f55

SHA512
0c0ebb67aa559c99ade9a546411400c50f7fed125ac83e5d76e963ffafeb0a1b2f061861f6394d7aa93320b0b0135c0f14687262e7cdad375a28afb621fc298c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD21E.tmp

Filesize
652B

MD5
78ad251ba5750a7476e7906f6725861f

SHA1
7034d5bc3a3dcd4220f72f577d98a1a633013030

SHA256
6dba8277e092f988237d234cd69150addfc0ff12c8f66f90d4a033f6fbac94b6

SHA512
d40b4de9322c77ca681edb7ee6256b21e0c003ae9094a84395f15fdfaa9687b5a1f507fc3aaf912f05c3d97e0eb2532facbc2078f490cb67d1f5073754dc3356

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\opnqzeus.0.cs

Filesize
22KB

MD5
876e1e05167f8d7cd0998c864f730338

SHA1
b3a0dd03960b49d4620553e53a5194eb7483b30e

SHA256
77ce602164e8a8f39684776b8528b710b032f863415334125b33cda12e7b8e2b

SHA512
390fd444f4b9e47664b54c9cb6459eb81e1db6f1b63db0e1c126fe17e7049b767bbd47f21894204bd53e3490d7efc8b0a962a5cebeb90e89cabcf0f3cc31f2d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\opnqzeus.cmdline

Filesize
347B

MD5
33b8c26b1db8c7fb503c58e631085d90

SHA1
e4b7902d1d20f52be50e4d584953354f7b633759

SHA256
27bb2233c5b6c434c84ef2f7c38d5838085fd3ce9c8b9f3da2dcceb3c30ed6ad

SHA512
a9be69bd233f292ae49ab1149913064d2e234f1391f4b84fc2111482b9abf46325a306ef6442c1a45e17b72703aeffae5ff46db5b205e34e1e64590143a6f266

Download Submit
memory/1352-8-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-15-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-0-0x0000000074361000-0x0000000074362000-memory.dmp

Filesize
4KB

Download
memory/1996-2-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-1-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-18-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-19-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-20-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-21-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download