a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd

Analysis

max time kernel
147s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
15/01/2021, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

covid21.exe
Size

2.0MB
MD5

1a2e2d295e04f74437652dc9b8a2d03c
SHA1

e3565983ee402856c2cf4eec2ac6ff9636443fe9
SHA256

a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd
SHA512

7d5130ad41c4903aa66fc00b22bc3799ade4b6c3bb82db9aead43158aa03165159b59f8c16d8cf68fb297e69e6a13acc9708669d5916fe52b9254330c1f14df2

Score

8^/10

aspackv2 bootkit persistence ransomware

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab75-18.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab75-17.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
856	CLWCP.exe
744	PayloadGDI.exe
3316	screenscrew.exe
2428	PayloadMBR.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	PayloadMBR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\99B5.tmp\\PayloadMBR.exe"	PayloadMBR.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PayloadMBR.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\Wallpaper = "c:\\covid21\\covid.bmp"	CLWCP.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3828	2428	WerFault.exe	113

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1480	schtasks.exe

Delays execution with timeout.exe 15 IoCs

evasion

pid	Process
3676	timeout.exe
4036	timeout.exe
2764	timeout.exe
1352	timeout.exe
636	timeout.exe
1240	timeout.exe
2328	timeout.exe
3176	timeout.exe
1984	timeout.exe
3696	timeout.exe
2192	timeout.exe
1064	timeout.exe
988	timeout.exe
3520	timeout.exe
2272	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2428	PayloadMBR.exe
2428	PayloadMBR.exe
2428	PayloadMBR.exe
2428	PayloadMBR.exe
2428	PayloadMBR.exe
2428	PayloadMBR.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe
3828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	PayloadMBR.exe
Token: SeShutdownPrivilege	3828	WerFault.exe
Token: SeRestorePrivilege	3828	WerFault.exe
Token: SeBackupPrivilege	3828	WerFault.exe
Token: SeDebugPrivilege	3828	WerFault.exe

Suspicious use of WriteProcessMemory 102 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3228	880	covid21.exe	76
PID 880 wrote to memory of 3228	880	covid21.exe	76
PID 880 wrote to memory of 3228	880	covid21.exe	76
PID 3228 wrote to memory of 856	3228	cmd.exe	79
PID 3228 wrote to memory of 856	3228	cmd.exe	79
PID 3228 wrote to memory of 856	3228	cmd.exe	79
PID 3228 wrote to memory of 1328	3228	cmd.exe	82
PID 3228 wrote to memory of 1328	3228	cmd.exe	82
PID 3228 wrote to memory of 1328	3228	cmd.exe	82
PID 3228 wrote to memory of 636	3228	cmd.exe	83
PID 3228 wrote to memory of 636	3228	cmd.exe	83
PID 3228 wrote to memory of 636	3228	cmd.exe	83
PID 3228 wrote to memory of 744	3228	cmd.exe	84
PID 3228 wrote to memory of 744	3228	cmd.exe	84
PID 3228 wrote to memory of 744	3228	cmd.exe	84
PID 3228 wrote to memory of 3696	3228	cmd.exe	85
PID 3228 wrote to memory of 3696	3228	cmd.exe	85
PID 3228 wrote to memory of 3696	3228	cmd.exe	85
PID 3228 wrote to memory of 3316	3228	cmd.exe	87
PID 3228 wrote to memory of 3316	3228	cmd.exe	87
PID 3228 wrote to memory of 3316	3228	cmd.exe	87
PID 3228 wrote to memory of 3676	3228	cmd.exe	88
PID 3228 wrote to memory of 3676	3228	cmd.exe	88
PID 3228 wrote to memory of 3676	3228	cmd.exe	88
PID 3228 wrote to memory of 2244	3228	cmd.exe	89
PID 3228 wrote to memory of 2244	3228	cmd.exe	89
PID 3228 wrote to memory of 2244	3228	cmd.exe	89
PID 3228 wrote to memory of 1240	3228	cmd.exe	90
PID 3228 wrote to memory of 1240	3228	cmd.exe	90
PID 3228 wrote to memory of 1240	3228	cmd.exe	90
PID 3228 wrote to memory of 3924	3228	cmd.exe	91
PID 3228 wrote to memory of 3924	3228	cmd.exe	91
PID 3228 wrote to memory of 3924	3228	cmd.exe	91
PID 3228 wrote to memory of 2328	3228	cmd.exe	92
PID 3228 wrote to memory of 2328	3228	cmd.exe	92
PID 3228 wrote to memory of 2328	3228	cmd.exe	92
PID 3228 wrote to memory of 3596	3228	cmd.exe	93
PID 3228 wrote to memory of 3596	3228	cmd.exe	93
PID 3228 wrote to memory of 3596	3228	cmd.exe	93
PID 3228 wrote to memory of 3176	3228	cmd.exe	94
PID 3228 wrote to memory of 3176	3228	cmd.exe	94
PID 3228 wrote to memory of 3176	3228	cmd.exe	94
PID 3228 wrote to memory of 3356	3228	cmd.exe	95
PID 3228 wrote to memory of 3356	3228	cmd.exe	95
PID 3228 wrote to memory of 3356	3228	cmd.exe	95
PID 3228 wrote to memory of 2764	3228	cmd.exe	96
PID 3228 wrote to memory of 2764	3228	cmd.exe	96
PID 3228 wrote to memory of 2764	3228	cmd.exe	96
PID 3228 wrote to memory of 3292	3228	cmd.exe	97
PID 3228 wrote to memory of 3292	3228	cmd.exe	97
PID 3228 wrote to memory of 3292	3228	cmd.exe	97
PID 3228 wrote to memory of 4036	3228	cmd.exe	98
PID 3228 wrote to memory of 4036	3228	cmd.exe	98
PID 3228 wrote to memory of 4036	3228	cmd.exe	98
PID 3228 wrote to memory of 1772	3228	cmd.exe	99
PID 3228 wrote to memory of 1772	3228	cmd.exe	99
PID 3228 wrote to memory of 1772	3228	cmd.exe	99
PID 3228 wrote to memory of 3520	3228	cmd.exe	100
PID 3228 wrote to memory of 3520	3228	cmd.exe	100
PID 3228 wrote to memory of 3520	3228	cmd.exe	100
PID 3228 wrote to memory of 2132	3228	cmd.exe	101
PID 3228 wrote to memory of 2132	3228	cmd.exe	101
PID 3228 wrote to memory of 2132	3228	cmd.exe	101
PID 3228 wrote to memory of 2272	3228	cmd.exe	102
PID 3228 wrote to memory of 2272	3228	cmd.exe	102
PID 3228 wrote to memory of 2272	3228	cmd.exe	102
PID 3228 wrote to memory of 1924	3228	cmd.exe	103
PID 3228 wrote to memory of 1924	3228	cmd.exe	103
PID 3228 wrote to memory of 1924	3228	cmd.exe	103
PID 3228 wrote to memory of 2192	3228	cmd.exe	104
PID 3228 wrote to memory of 2192	3228	cmd.exe	104
PID 3228 wrote to memory of 2192	3228	cmd.exe	104
PID 3228 wrote to memory of 3824	3228	cmd.exe	105
PID 3228 wrote to memory of 3824	3228	cmd.exe	105
PID 3228 wrote to memory of 3824	3228	cmd.exe	105
PID 3228 wrote to memory of 1064	3228	cmd.exe	106
PID 3228 wrote to memory of 1064	3228	cmd.exe	106
PID 3228 wrote to memory of 1064	3228	cmd.exe	106
PID 3228 wrote to memory of 1000	3228	cmd.exe	107
PID 3228 wrote to memory of 1000	3228	cmd.exe	107
PID 3228 wrote to memory of 1000	3228	cmd.exe	107
PID 3228 wrote to memory of 988	3228	cmd.exe	108
PID 3228 wrote to memory of 988	3228	cmd.exe	108
PID 3228 wrote to memory of 988	3228	cmd.exe	108
PID 3228 wrote to memory of 3152	3228	cmd.exe	109
PID 3228 wrote to memory of 3152	3228	cmd.exe	109
PID 3228 wrote to memory of 3152	3228	cmd.exe	109
PID 3228 wrote to memory of 1352	3228	cmd.exe	110
PID 3228 wrote to memory of 1352	3228	cmd.exe	110
PID 3228 wrote to memory of 1352	3228	cmd.exe	110
PID 3228 wrote to memory of 2928	3228	cmd.exe	111
PID 3228 wrote to memory of 2928	3228	cmd.exe	111
PID 3228 wrote to memory of 2928	3228	cmd.exe	111
PID 3228 wrote to memory of 1984	3228	cmd.exe	112
PID 3228 wrote to memory of 1984	3228	cmd.exe	112
PID 3228 wrote to memory of 1984	3228	cmd.exe	112
PID 3228 wrote to memory of 2428	3228	cmd.exe	113
PID 3228 wrote to memory of 2428	3228	cmd.exe	113
PID 3228 wrote to memory of 2428	3228	cmd.exe	113
PID 2428 wrote to memory of 1480	2428	PayloadMBR.exe	114
PID 2428 wrote to memory of 1480	2428	PayloadMBR.exe	114
PID 2428 wrote to memory of 1480	2428	PayloadMBR.exe	114

C:\Users\Admin\AppData\Local\Temp\covid21.exe
"C:\Users\Admin\AppData\Local\Temp\covid21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid21.bat" "
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\99B5.tmp\CLWCP.exe
    clwcp c:\covid21\covid.bmp
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid.vbs"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadGDI.exe
    PayloadGDI.exe
    3⤵
    - Executes dropped EXE
    PID:744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3696
- - C:\Users\Admin\AppData\Local\Temp\99B5.tmp\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    PID:3316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1240
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3176
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2764
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\corona.vbs"
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\covid21.vbs"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\timeout.exe
    timeout /3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadMBR.exe
    PayloadMBR.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\99B5.tmp\PayloadMBR.exe"
      4⤵
      Creates scheduled task(s)
      PID:1480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 504
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3828