General

  • Target

    2020-05-22_17-36-19.bin.zip

  • Size

    336KB

  • Sample

    200523-7jzphjnans

  • MD5

    716d6bd7f488a55587f1f0e847ade668

  • SHA1

    ca65304ffb493f9157cad18b37c81424d1ee9648

  • SHA256

    c41d1ff004b7e49d601b10e11e3591a99da6c95dcc1272fdcbeb8663e502e83b

  • SHA512

    a592ba535915342eace4d4f08d7df486ff7ce0502babc37c66e562e3fd7de2874d38ca60248686f9e70289963d39e9b8ef58f8f398a6d305e59b28a96d05f5e9

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_LOCK.TXT

Ransom Note

#############################################################
################# YOUR FILES WERE ENCRYPTED #################
############ AND MARKED BY EXTENSION .corona-lock ###########
#############################################################
--
DON'T WORRY! YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES
WE STRONGLY RECOMMEND you NOT to use any Decryption Tools.
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
--
To get RSA private key you have to contact us via email to:
---------------------------->> support@covidworldcry.com <<
and send us your id: >> 1598982272 <<
--
HOW to understand that we are NOT scammers?
You can ask SUPPORT for the TEST-decryption for ONE file!
--
#############################################################
################## LIST OF ENCRYPTED FILES ##################
-------------------------------------------------------------
Emails

support@covidworldcry.com

Targets

    • Target

      2020-05-22_17-36-19.bin

    • Size

      448KB

    • MD5

      412568f078ec521bdba6ae14b9f36823

    • SHA1

      3e5a80fe286834f6d5f0aaf014a420ec40ebad7d

    • SHA256

      e2c2a80cb4ecc511f30d72b3487cb9023b40a25f6bbe07a92f47230fb76544f4

    • SHA512

      9e979c3873778991bfd05b22370fbab32f7ec16dd78b8c3f2b0f54ccfd26fcdfc84f881bdf4414d24228ad2a19ef00ecb062dd5e9e2e243966f1276698f1ff85

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run entry to start application

    • Drops Chrome extension

    • Enumerates connected drives

    • Modifies system certificate store

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1
  • Modify Existing Service (T1031): 1

Defense Evasion

  • File Deletion (T1107): 2
  • Modify Registry (T1112): 4
  • Install Root Certificate (T1130): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Collection

  • Data from Local System (T1005): 1

Impact

  • Inhibit System Recovery (T1490): 2
