Analysis
- max time kernel: 151s
- max time network: 142s
- platform: windows10_x64
- resource: win10v200217
- submitted: 02-04-2020 16:03

Static task: static1
Behavioral task: behavioral1
- Sample: Covid-19 vaccines samples.exe
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: Covid-19 vaccines samples.exe
- Size: 108KB
- MD5: 46ed637f1480905b94113f87211cbd38
- SHA1: 6ac546722e341654d3ddabbeab0e20de77296fe0
- SHA256: 52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45
- SHA512: 70a4170b251c5eba6fb3f549f9f476fe1f01aadae2bdff211f208664ca8fa72697d1f87fd880e8c3dc8c13214ee2e71c4cf0c30f03962277e0051cbc442d929e
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid, process):
    4040  Covid-19 vaccines samples.exe
    3988  Covid-19 vaccines samples.exe (3 events)
    3080  wscript.exe (2 events)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
    PID 4040 set thread context of 3988: 4040 Covid-19 vaccines samples.exe -> Covid-19 vaccines samples.exe
    PID 3988 set thread context of 2876: 3988 Covid-19 vaccines samples.exe -> Explorer.EXE
    PID 3080 set thread context of 2876: 3080 wscript.exe -> Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes (pid, process):
    3988  Covid-19 vaccines samples.exe (4 events)
    3080  wscript.exe (42 events)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege          3988  Covid-19 vaccines samples.exe
    Token: SeShutdownPrivilege       2876  Explorer.EXE
    Token: SeCreatePagefilePrivilege 2876  Explorer.EXE
    Token: SeDebugPrivilege          3080  wscript.exe
    Token: SeShutdownPrivilege       2876  Explorer.EXE
    Token: SeCreatePagefilePrivilege 2876  Explorer.EXE
    Token: SeShutdownPrivilege       2876  Explorer.EXE
    Token: SeCreatePagefilePrivilege 2876  Explorer.EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid, process):
    4040  Covid-19 vaccines samples.exe
    3988  Covid-19 vaccines samples.exe (2 events)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
    PID 4040 wrote to memory of 3988: 4040 Covid-19 vaccines samples.exe -> Covid-19 vaccines samples.exe (4 events)
    PID 2876 wrote to memory of 3080: 2876 Explorer.EXE -> wscript.exe (3 events)
    PID 3080 wrote to memory of 4064: 3080 wscript.exe -> cmd.exe (3 events)
- Modifies system certificate store (2 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE  Covid-19 vaccines samples.exe
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = <binary value omitted>  Covid-19 vaccines samples.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    4040  Covid-19 vaccines samples.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Processes (process tree; bracketed number is the depth in the tree)
- [1] C:\Windows\Explorer.EXE
      Command line: C:\Windows\Explorer.EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe"
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe"
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Modifies system certificate store
  - [2] C:\Windows\SysWOW64\wscript.exe
        Command line: "C:\Windows\SysWOW64\wscript.exe"
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe"