a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd

Analysis

max time kernel
31s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
15/01/2021, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

covid21.exe
Size

2.0MB
MD5

1a2e2d295e04f74437652dc9b8a2d03c
SHA1

e3565983ee402856c2cf4eec2ac6ff9636443fe9
SHA256

a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd
SHA512

7d5130ad41c4903aa66fc00b22bc3799ade4b6c3bb82db9aead43158aa03165159b59f8c16d8cf68fb297e69e6a13acc9708669d5916fe52b9254330c1f14df2

Score

8^/10

aspackv2 ransomware

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00030000000130e9-20.dat	aspack_v212_v242
behavioral1/files/0x00030000000130e9-21.dat	aspack_v212_v242
behavioral1/files/0x00030000000130e9-22.dat	aspack_v212_v242
behavioral1/files/0x00030000000130e9-24.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
1236	CLWCP.exe
844	PayloadGDI.exe
1480	screenscrew.exe

Loads dropped DLL 6 IoCs

pid	Process
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "c:\\covid21\\covid.bmp"	CLWCP.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1076	schtasks.exe

Delays execution with timeout.exe 15 IoCs

evasion

pid	Process
368	timeout.exe
240	timeout.exe
956	timeout.exe
1644	timeout.exe
576	timeout.exe
1468	timeout.exe
344	timeout.exe
2020	timeout.exe
316	timeout.exe
1156	timeout.exe
1880	timeout.exe
1772	timeout.exe
1136	timeout.exe
1900	timeout.exe
1608	timeout.exe

Suspicious use of WriteProcessMemory 120 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1184	2024	covid21.exe	26
PID 2024 wrote to memory of 1184	2024	covid21.exe	26
PID 2024 wrote to memory of 1184	2024	covid21.exe	26
PID 2024 wrote to memory of 1184	2024	covid21.exe	26
PID 1184 wrote to memory of 1236	1184	cmd.exe	28
PID 1184 wrote to memory of 1236	1184	cmd.exe	28
PID 1184 wrote to memory of 1236	1184	cmd.exe	28
PID 1184 wrote to memory of 1236	1184	cmd.exe	28
PID 1184 wrote to memory of 2016	1184	cmd.exe	32
PID 1184 wrote to memory of 2016	1184	cmd.exe	32
PID 1184 wrote to memory of 2016	1184	cmd.exe	32
PID 1184 wrote to memory of 2016	1184	cmd.exe	32
PID 1184 wrote to memory of 2020	1184	cmd.exe	33
PID 1184 wrote to memory of 2020	1184	cmd.exe	33
PID 1184 wrote to memory of 2020	1184	cmd.exe	33
PID 1184 wrote to memory of 2020	1184	cmd.exe	33
PID 1184 wrote to memory of 844	1184	cmd.exe	34
PID 1184 wrote to memory of 844	1184	cmd.exe	34
PID 1184 wrote to memory of 844	1184	cmd.exe	34
PID 1184 wrote to memory of 844	1184	cmd.exe	34
PID 1184 wrote to memory of 368	1184	cmd.exe	35
PID 1184 wrote to memory of 368	1184	cmd.exe	35
PID 1184 wrote to memory of 368	1184	cmd.exe	35
PID 1184 wrote to memory of 368	1184	cmd.exe	35
PID 1184 wrote to memory of 1480	1184	cmd.exe	36
PID 1184 wrote to memory of 1480	1184	cmd.exe	36
PID 1184 wrote to memory of 1480	1184	cmd.exe	36
PID 1184 wrote to memory of 1480	1184	cmd.exe	36
PID 1184 wrote to memory of 240	1184	cmd.exe	37
PID 1184 wrote to memory of 240	1184	cmd.exe	37
PID 1184 wrote to memory of 240	1184	cmd.exe	37
PID 1184 wrote to memory of 240	1184	cmd.exe	37
PID 1184 wrote to memory of 1404	1184	cmd.exe	38
PID 1184 wrote to memory of 1404	1184	cmd.exe	38
PID 1184 wrote to memory of 1404	1184	cmd.exe	38
PID 1184 wrote to memory of 1404	1184	cmd.exe	38
PID 1184 wrote to memory of 956	1184	cmd.exe	39
PID 1184 wrote to memory of 956	1184	cmd.exe	39
PID 1184 wrote to memory of 956	1184	cmd.exe	39
PID 1184 wrote to memory of 956	1184	cmd.exe	39
PID 1184 wrote to memory of 852	1184	cmd.exe	40
PID 1184 wrote to memory of 852	1184	cmd.exe	40
PID 1184 wrote to memory of 852	1184	cmd.exe	40
PID 1184 wrote to memory of 852	1184	cmd.exe	40
PID 1184 wrote to memory of 1644	1184	cmd.exe	41
PID 1184 wrote to memory of 1644	1184	cmd.exe	41
PID 1184 wrote to memory of 1644	1184	cmd.exe	41
PID 1184 wrote to memory of 1644	1184	cmd.exe	41
PID 1184 wrote to memory of 572	1184	cmd.exe	42
PID 1184 wrote to memory of 572	1184	cmd.exe	42
PID 1184 wrote to memory of 572	1184	cmd.exe	42
PID 1184 wrote to memory of 572	1184	cmd.exe	42
PID 1184 wrote to memory of 1900	1184	cmd.exe	43
PID 1184 wrote to memory of 1900	1184	cmd.exe	43
PID 1184 wrote to memory of 1900	1184	cmd.exe	43
PID 1184 wrote to memory of 1900	1184	cmd.exe	43
PID 1184 wrote to memory of 1980	1184	cmd.exe	44
PID 1184 wrote to memory of 1980	1184	cmd.exe	44
PID 1184 wrote to memory of 1980	1184	cmd.exe	44
PID 1184 wrote to memory of 1980	1184	cmd.exe	44
PID 1184 wrote to memory of 1880	1184	cmd.exe	45
PID 1184 wrote to memory of 1880	1184	cmd.exe	45
PID 1184 wrote to memory of 1880	1184	cmd.exe	45
PID 1184 wrote to memory of 1880	1184	cmd.exe	45
PID 1184 wrote to memory of 1732	1184	cmd.exe	46
PID 1184 wrote to memory of 1732	1184	cmd.exe	46
PID 1184 wrote to memory of 1732	1184	cmd.exe	46
PID 1184 wrote to memory of 1732	1184	cmd.exe	46
PID 1184 wrote to memory of 1772	1184	cmd.exe	47
PID 1184 wrote to memory of 1772	1184	cmd.exe	47
PID 1184 wrote to memory of 1772	1184	cmd.exe	47
PID 1184 wrote to memory of 1772	1184	cmd.exe	47
PID 1184 wrote to memory of 408	1184	cmd.exe	48
PID 1184 wrote to memory of 408	1184	cmd.exe	48
PID 1184 wrote to memory of 408	1184	cmd.exe	48
PID 1184 wrote to memory of 408	1184	cmd.exe	48
PID 1184 wrote to memory of 576	1184	cmd.exe	49
PID 1184 wrote to memory of 576	1184	cmd.exe	49
PID 1184 wrote to memory of 576	1184	cmd.exe	49
PID 1184 wrote to memory of 576	1184	cmd.exe	49
PID 1184 wrote to memory of 1552	1184	cmd.exe	50
PID 1184 wrote to memory of 1552	1184	cmd.exe	50
PID 1184 wrote to memory of 1552	1184	cmd.exe	50
PID 1184 wrote to memory of 1552	1184	cmd.exe	50
PID 1184 wrote to memory of 316	1184	cmd.exe	51
PID 1184 wrote to memory of 316	1184	cmd.exe	51
PID 1184 wrote to memory of 316	1184	cmd.exe	51
PID 1184 wrote to memory of 316	1184	cmd.exe	51
PID 1184 wrote to memory of 1544	1184	cmd.exe	52
PID 1184 wrote to memory of 1544	1184	cmd.exe	52
PID 1184 wrote to memory of 1544	1184	cmd.exe	52
PID 1184 wrote to memory of 1544	1184	cmd.exe	52
PID 1184 wrote to memory of 1468	1184	cmd.exe	53
PID 1184 wrote to memory of 1468	1184	cmd.exe	53
PID 1184 wrote to memory of 1468	1184	cmd.exe	53
PID 1184 wrote to memory of 1468	1184	cmd.exe	53
PID 1184 wrote to memory of 272	1184	cmd.exe	54
PID 1184 wrote to memory of 272	1184	cmd.exe	54
PID 1184 wrote to memory of 272	1184	cmd.exe	54
PID 1184 wrote to memory of 272	1184	cmd.exe	54
PID 1184 wrote to memory of 1156	1184	cmd.exe	55
PID 1184 wrote to memory of 1156	1184	cmd.exe	55
PID 1184 wrote to memory of 1156	1184	cmd.exe	55
PID 1184 wrote to memory of 1156	1184	cmd.exe	55
PID 1184 wrote to memory of 1900	1184	cmd.exe	56
PID 1184 wrote to memory of 1900	1184	cmd.exe	56
PID 1184 wrote to memory of 1900	1184	cmd.exe	56
PID 1184 wrote to memory of 1900	1184	cmd.exe	56
PID 1184 wrote to memory of 1608	1184	cmd.exe	57
PID 1184 wrote to memory of 1608	1184	cmd.exe	57
PID 1184 wrote to memory of 1608	1184	cmd.exe	57
PID 1184 wrote to memory of 1608	1184	cmd.exe	57
PID 1184 wrote to memory of 1772	1184	cmd.exe	58
PID 1184 wrote to memory of 1772	1184	cmd.exe	58
PID 1184 wrote to memory of 1772	1184	cmd.exe	58
PID 1184 wrote to memory of 1772	1184	cmd.exe	58
PID 1184 wrote to memory of 1136	1184	cmd.exe	59
PID 1184 wrote to memory of 1136	1184	cmd.exe	59
PID 1184 wrote to memory of 1136	1184	cmd.exe	59
PID 1184 wrote to memory of 1136	1184	cmd.exe	59

C:\Users\Admin\AppData\Local\Temp\covid21.exe
"C:\Users\Admin\AppData\Local\Temp\covid21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid21.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\11DC.tmp\CLWCP.exe
    clwcp c:\covid21\covid.bmp
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:1236
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid.vbs"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadGDI.exe
    PayloadGDI.exe
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:368
- - C:\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    PID:1480
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:240
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:572
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:576
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:316
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1468
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid21.vbs"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\timeout.exe
    timeout /3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe
    PayloadMBR.exe
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe"
      4⤵
      Creates scheduled task(s)
      PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads