Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-12-2020 02:51
- Static task: static1
- Behavioral task: behavioral1
  Sample: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  Resource: win10v20201028
General
- Target: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
- Size: 630KB
- MD5: dc8d9c9a86fe4830053697c1dc59dc6f
- SHA1: a63fa3cc878efe75ecf849111c3e3d417fef4fdd
- SHA256: 5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
- SHA512: 8f91aca4b85d53745f395888ffb8e2d5f17f06afc7e302f2ed19c840377c70ef807ba14748fefd2a756b27b54808651087fbcba572f0d162b06c8a0e9283ef8c
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
    process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 4
    ioc: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 1744 set thread context of 1464
    pid: 1744
    process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
    target process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1744
    process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe

    description: Token: SeDebugPrivilege
    pid: 1464
    process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same entry is recorded 9 times in the report):
    description: PID 1744 wrote to memory of 1464
    pid: 1744
    process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
    target process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Processes
- Process 1
  path: C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe"
  signatures:
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- Process 2 (child of process 1)
  path: C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe"
  signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1464-8-0x0000000000400000-0x000000000045E000-memory.dmp, filesize 376KB
- memory/1464-9-0x00000000004581DE-mapping.dmp
- memory/1464-11-0x0000000000400000-0x000000000045E000-memory.dmp, filesize 376KB
- memory/1464-10-0x0000000000400000-0x000000000045E000-memory.dmp, filesize 376KB
- memory/1464-12-0x0000000073F40000-0x000000007462E000-memory.dmp, filesize 6.9MB
- memory/1744-2-0x0000000073F40000-0x000000007462E000-memory.dmp, filesize 6.9MB
- memory/1744-3-0x0000000001300000-0x0000000001301000-memory.dmp, filesize 4KB
- memory/1744-5-0x00000000011E0000-0x00000000012AF000-memory.dmp, filesize 828KB
- memory/1744-6-0x0000000000B00000-0x0000000000B67000-memory.dmp, filesize 412KB
- memory/1744-7-0x0000000000440000-0x0000000000456000-memory.dmp, filesize 88KB