Analysis
Max time kernel: 147s
Max time network: 150s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 05-12-2020 02:51

Static task: static1
Behavioral task: behavioral1
  Sample: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  Resource: win10v20201028
General
Target: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Size: 630KB
MD5: dc8d9c9a86fe4830053697c1dc59dc6f
SHA1: a63fa3cc878efe75ecf849111c3e3d417fef4fdd
SHA256: 5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
SHA512: 8f91aca4b85d53745f395888ffb8e2d5f17f06afc7e302f2ed19c840377c70ef807ba14748fefd2a756b27b54808651087fbcba572f0d162b06c8a0e9283ef8c
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 16
  IoC: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Description: PID 4764 set thread context of 648
  Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe (PID 4764)
  Target process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe (PID 648)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4764, CDC GUIDES COVID-19 Second Outbreak Warning release.exe
  Token: SeDebugPrivilege, PID 648, CDC GUIDES COVID-19 Second Outbreak Warning release.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Description: PID 4764 wrote to memory of 648 (8 identical events)
  Process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe (PID 4764)
  Target process: CDC GUIDES COVID-19 Second Outbreak Warning release.exe (PID 648)
Processes
1. C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CDC GUIDES COVID-19 Second Outbreak Warning release.exe.log
  MD5: c5016515c6ff7988db3db0761d3916ef
  SHA1: a0b03e89fca731257cfee8563e085838fadcd1f1
  SHA256: 4525469179c5b3357e439a11b0cbefdfa93b755e9caeae932759416d14f57e46
  SHA512: 1efb13a6272ae7c763e7670e11ea3a3955c88e66d3ca807bf4ac734014492a13a63646b03abd675aa68e0b1228a5b518e5544478ea90aa9842e6d8b925b38807

Memory dumps (file, filesize):
  memory/648-12-0x0000000073360000-0x0000000073A4E000-memory.dmp   6.9MB
  memory/648-15-0x0000000005840000-0x0000000005841000-memory.dmp   4KB
  memory/648-20-0x0000000006710000-0x0000000006711000-memory.dmp   4KB
  memory/648-19-0x0000000006550000-0x0000000006551000-memory.dmp   4KB
  memory/648-18-0x0000000006040000-0x0000000006041000-memory.dmp   4KB
  memory/648-9-0x0000000000400000-0x000000000045E000-memory.dmp    376KB
  memory/648-10-0x00000000004581DE-mapping.dmp                     (no size listed)
  memory/648-16-0x0000000005340000-0x0000000005341000-memory.dmp   4KB
  memory/4764-8-0x0000000005930000-0x0000000005946000-memory.dmp   88KB
  memory/4764-2-0x0000000073360000-0x0000000073A4E000-memory.dmp   6.9MB
  memory/4764-3-0x0000000000E00000-0x0000000000E01000-memory.dmp   4KB
  memory/4764-5-0x0000000005750000-0x000000000581F000-memory.dmp   828KB
  memory/4764-7-0x0000000005950000-0x0000000005951000-memory.dmp   4KB
  memory/4764-6-0x0000000005820000-0x0000000005887000-memory.dmp   412KB