Analysis
- max time kernel: 43s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-01-2021 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: f7d51f78838308cdcd53b9c4f4af65e1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f7d51f78838308cdcd53b9c4f4af65e1.exe
  Resource: win10v20201028
General
- Target: f7d51f78838308cdcd53b9c4f4af65e1.exe
- Size: 1.0MB
- MD5: f7d51f78838308cdcd53b9c4f4af65e1
- SHA1: cddc4f2499ffb79666db8b8c38d9f2c74b9ab219
- SHA256: f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6
- SHA512: 3134ca19c1c0fe12a769b51909edfcc8da51b927e6414c7305d23280b8778de404759b8a56cd716a4c9fbda3f5e6b44ece160bceaa762011b35a3b40e930ae5e
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description            pid   process       target process
    PID 3012 created 720   3012  WerFault.exe  covhostjv.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3712  covhostjv.exe
    2600  covhostjv.exe
    720   covhostjv.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process        target process
    PID 2600 set thread context of 720   2600  covhostjv.exe  covhostjv.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3012  720         WerFault.exe  covhostjv.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    3012  WerFault.exe (the same entry is listed 14 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     2600  covhostjv.exe
    Token: SeRestorePrivilege   3012  WerFault.exe
    Token: SeBackupPrivilege    3012  WerFault.exe
    Token: SeDebugPrivilege     3012  WerFault.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                        pid   process                                target process
    PID 652 wrote to memory of 3712    652   f7d51f78838308cdcd53b9c4f4af65e1.exe   covhostjv.exe   (listed 3 times)
    PID 3712 wrote to memory of 2600   3712  covhostjv.exe                          covhostjv.exe   (listed 3 times)
    PID 2600 wrote to memory of 720    2600  covhostjv.exe                          covhostjv.exe   (listed 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7d51f78838308cdcd53b9c4f4af65e1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe"
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1132
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\covhostjv.exe
  MD5: 183d8e2e66b0cc0b44199f82bcac409f
  SHA1: 800b313a0c2dad044112e66d7f430cb30371a9fc
  SHA256: 2be73cf9d5b07b73a092e85ef80808c11bba51f2248ce75c2ce08123c0e655d2
  SHA512: e04f75f75e54b5b8464a9d828422647a5914e3f81c9f8d6262aa7cbe7bca06e43e7451b2462f62ce4b744e301e702fce9b1417b27d22a43447bbb7d4c4b39db9
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\covhostjv.exe
  MD5: bc3e3ff5d9362e269d9ba267fe26497c
  SHA1: 52beeb5f353924f0b0e539003fda2cb2f9d1f6f5
  SHA256: 01cbca3c98feadb7b17074fb42ac6b590738eefec4d9044c1796d446c86e5d29
  SHA512: cac2615b417331c3428f3f0fa65e59f36a995a5284ba414a1302e3e5020417c6f11ff922617ed8d0c3ad0f8055cd4280079d9a87ccd9434fd0de4530120abf28
- memory/720-19-0x0000000000400000-0x0000000000493000-memory.dmp  Filesize: 588KB
- memory/720-22-0x0000000000400000-0x0000000000493000-memory.dmp  Filesize: 588KB
- memory/720-20-0x000000000043FA56-mapping.dmp
- memory/2600-13-0x00000000033A0000-0x00000000033BF000-memory.dmp  Filesize: 124KB
- memory/2600-12-0x0000000003380000-0x0000000003397000-memory.dmp  Filesize: 92KB
- memory/2600-14-0x00000000086C0000-0x00000000086C1000-memory.dmp  Filesize: 4KB
- memory/2600-15-0x0000000005B30000-0x0000000005B31000-memory.dmp  Filesize: 4KB
- memory/2600-16-0x0000000008260000-0x0000000008261000-memory.dmp  Filesize: 4KB
- memory/2600-17-0x0000000005470000-0x000000000547A000-memory.dmp  Filesize: 40KB
- memory/2600-18-0x0000000008230000-0x0000000008231000-memory.dmp  Filesize: 4KB
- memory/2600-11-0x0000000005960000-0x0000000005961000-memory.dmp  Filesize: 4KB
- memory/2600-9-0x0000000000FB0000-0x0000000000FB1000-memory.dmp  Filesize: 4KB
- memory/2600-8-0x00000000729C0000-0x00000000730AE000-memory.dmp  Filesize: 6.9MB
- memory/2600-5-0x0000000000000000-mapping.dmp
- memory/3012-23-0x0000000004780000-0x0000000004781000-memory.dmp  Filesize: 4KB
- memory/3712-2-0x0000000000000000-mapping.dmp