Analysis

  • max time kernel
    151s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    02-04-2020 16:03

General

  • Target

    Covid-19 vaccines samples.exe

  • Size

    108KB

  • MD5

    46ed637f1480905b94113f87211cbd38

  • SHA1

    6ac546722e341654d3ddabbeab0e20de77296fe0

  • SHA256

    52bca6a14b850bcd73ab0dd52a8f5be9e00ccb9ca7743a42bb44f236dc4d5a45

  • SHA512

    70a4170b251c5eba6fb3f549f9f476fe1f01aadae2bdff211f208664ca8fa72697d1f87fd880e8c3dc8c13214ee2e71c4cf0c30f03962277e0051cbc442d929e

Malware Config

Signatures

  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe
      "C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      PID:4040
      • C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe
        "C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe"
        3⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies system certificate store
        PID:3988
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Covid-19 vaccines samples.exe"
        3⤵
        PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Install Root Certificate (1) T1130
    Modify Registry (1) T1112
  • Command and Control
    Web Service (1) T1102


Downloads

  • memory/3080-2-0x0000000001070000-0x0000000001097000-memory.dmp
    Filesize 156KB
  • memory/3080-3-0x0000000001070000-0x0000000001097000-memory.dmp
    Filesize 156KB