f725bf614120e26b774341f54d73210aea60205c2723e155cb6fd09fa4411b56

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coinbase.exe
Size

1.1MB
MD5

d658dadccb4a21c0b50d0dc0406f9c3f
SHA1

eb50304a3fcc3664f7f7f598830eb379f347b793
SHA256

f725bf614120e26b774341f54d73210aea60205c2723e155cb6fd09fa4411b56
SHA512

73b4fae7dc1a8363a6a2eea1610d2a6655367dbac393e7e00acf6277773d561f76d4bc47824de3e588d5ec91566b35f0233d3f143f80bcf7dd9b57c2a54c86bd
SSDEEP

24576:QMjh7ExHIySDQwfx7FbD/KhlcBQgbLY1Yl05bmktUNudtJjdPrF:jmHZSDQyJP/+jgbLuYlab7SNudXjdTF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1692	coinbase.tmp
3056	coinbase.tmp

Loads dropped DLL 10 IoCs

pid	Process
2488	coinbase.exe
1692	coinbase.tmp
1692	coinbase.tmp
1692	coinbase.tmp
3020	coinbase.exe
3056	coinbase.tmp
3056	coinbase.tmp
3056	coinbase.tmp
2824	regsvr32.exe
2836	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coinbase.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2972	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	coinbase.tmp
3056	coinbase.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3056	coinbase.tmp

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 2488 wrote to memory of 1692	2488	coinbase.exe	30
PID 1692 wrote to memory of 2984	1692	coinbase.tmp	31
PID 1692 wrote to memory of 2984	1692	coinbase.tmp	31
PID 1692 wrote to memory of 2984	1692	coinbase.tmp	31
PID 1692 wrote to memory of 2984	1692	coinbase.tmp	31
PID 2984 wrote to memory of 2972	2984	cmd.exe	33
PID 2984 wrote to memory of 2972	2984	cmd.exe	33
PID 2984 wrote to memory of 2972	2984	cmd.exe	33
PID 2984 wrote to memory of 2972	2984	cmd.exe	33
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 2984 wrote to memory of 3020	2984	cmd.exe	34
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3020 wrote to memory of 3056	3020	coinbase.exe	35
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 3056 wrote to memory of 2824	3056	coinbase.tmp	36
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37
PID 2824 wrote to memory of 2836	2824	regsvr32.exe	37

C:\Users\Admin\AppData\Local\Temp\coinbase.exe
"C:\Users\Admin\AppData\Local\Temp\coinbase.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\is-H21O5.tmp\coinbase.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H21O5.tmp\coinbase.tmp" /SL5="$30156,770488,161792,C:\Users\Admin\AppData\Local\Temp\coinbase.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\coinbase.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\coinbase.exe
      "C:\Users\Admin\AppData\Local\Temp\coinbase.exe" /VERYSILENT /SUPPRESSMSGBOXES
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\is-Q269R.tmp\coinbase.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q269R.tmp\coinbase.tmp" /SL5="$30174,770488,161792,C:\Users\Admin\AppData\Local\Temp\coinbase.exe" /VERYSILENT /SUPPRESSMSGBOXES
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\2crypt32.drv"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\2crypt32.drv"
        7⤵
        Loads dropped DLL
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2crypt32.drv

Filesize
1.4MB

MD5
221be8861ed61d34671e8960677f4bcd

SHA1
cc56c6ed1452545ded9330996e7458b0aedfb2b5

SHA256
a4766645820a4f2bb25ef320eafabed7da544be1403eb9290227e751123cb14f

SHA512
45c7a7fe74e868b6689b6b1f1a750f2ddabdd1bff37637fcc6aac848a35d01820e820c4271e6f98fcb0a7096f27cadb020cb2ad72c1842add626986d6cc08fda

Download Submit
\Users\Admin\AppData\Local\Temp\is-H21O5.tmp\coinbase.tmp

Filesize
1.1MB

MD5
bcc236a3921e1388596a42b05686ff5e

SHA1
43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

SHA256
43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

SHA512
e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

Download Submit
\Users\Admin\AppData\Local\Temp\is-JS7AM.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-JS7AM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1692-8-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1692-46-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2488-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2488-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2488-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3020-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3020-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3056-43-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download