Analysis

max time kernel: 37s
max time network: 38s
platform: windows7_x64
resource: win7v20201028
submitted: 22-01-2021 07:24

Static task: static1
Behavioral task: behavioral1
  Sample: f7d51f78838308cdcd53b9c4f4af65e1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f7d51f78838308cdcd53b9c4f4af65e1.exe
  Resource: win10v20201028

General

Target: f7d51f78838308cdcd53b9c4f4af65e1.exe
Size: 1.0MB
MD5: f7d51f78838308cdcd53b9c4f4af65e1
SHA1: cddc4f2499ffb79666db8b8c38d9f2c74b9ab219
SHA256: f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6
SHA512: 3134ca19c1c0fe12a769b51909edfcc8da51b927e6414c7305d23280b8778de404759b8a56cd716a4c9fbda3f5e6b44ece160bceaa762011b35a3b40e930ae5e
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  PID 1464  covhostjv.exe
  PID 1364  covhostjv.exe
  PID 952   covhostjv.exe

Loads dropped DLL (3 IoCs)
Processes:
  PID 1108  f7d51f78838308cdcd53b9c4f4af65e1.exe
  PID 1464  covhostjv.exe
  PID 1364  covhostjv.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 1364 covhostjv.exe set thread context of PID 952 covhostjv.exe
Modifies system certificate store
Processes:
  covhostjv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  covhostjv.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  PID 1364 covhostjv.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  PID 1108 f7d51f78838308cdcd53b9c4f4af65e1.exe wrote to memory of PID 1464 covhostjv.exe (7 events)
  PID 1464 covhostjv.exe wrote to memory of PID 1364 covhostjv.exe (7 events)
  PID 1364 covhostjv.exe wrote to memory of PID 952 covhostjv.exe (13 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
            - Executes dropped EXE
            - Modifies system certificate store
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
  MD5: 183d8e2e66b0cc0b44199f82bcac409f
  SHA1: 800b313a0c2dad044112e66d7f430cb30371a9fc
  SHA256: 2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2
  SHA512: e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
  MD5: bc3e3ff5d9362e269d9ba267fe26497c
  SHA1: 52beeb5f353924f0b0e539003fda2cb2f9d1f6f5
  SHA256: 01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29
  SHA512: cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28

Memory dumps:
  memory/952-21-0x000000000043FA56-mapping.dmp
  memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp (Filesize 8KB)
  memory/1364-13-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize 4KB)
  memory/1364-15-0x0000000000320000-0x0000000000337000-memory.dmp (Filesize 92KB)
  memory/1364-16-0x0000000000350000-0x000000000036F000-memory.dmp (Filesize 124KB)
  memory/1364-17-0x0000000004520000-0x0000000004521000-memory.dmp (Filesize 4KB)
  memory/1364-18-0x00000000005F0000-0x00000000005FA000-memory.dmp (Filesize 40KB)
  memory/1364-12-0x0000000073E00000-0x00000000744EE000-memory.dmp (Filesize 6.9MB)
  memory/1364-9-0x0000000000000000-mapping.dmp
  memory/1464-4-0x0000000000000000-mapping.dmp