e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
Size

576KB
MD5

0103c868e27888648c251500988261fb
SHA1

bf4a68ce150b9c81a90f19614d8897ffb7e096fb
SHA256

e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220
SHA512

484d5d13efd3e8c750f206159e739dad5fb9e37e98f8160dcbbe750d7c647488932a1e88e5d3fffac8b81d1ab0133864beb36faef4cfd38cc6d05529b8e68cea

Score

8^/10

ransomware

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

UF4SVI2R.exe

pid process

208 UF4SVI2R.exe

pid	process
208	UF4SVI2R.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exeUF4SVI2R.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	UF4SVI2R.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

UF4SVI2R.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\tapeta.png"	UF4SVI2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1364 taskkill.exe
Modifies registry class 1 IoCs

Processes:

UF4SVI2R.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings UF4SVI2R.exe

pid	process
1364	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	UF4SVI2R.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exeUF4SVI2R.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4160	e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
Token: SeDebugPrivilege	208	UF4SVI2R.exe
Token: SeDebugPrivilege	1364	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exeUF4SVI2R.execmd.exe

description	pid	process	target process
PID 4160 wrote to memory of 208	4160	e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe	UF4SVI2R.exe
PID 4160 wrote to memory of 208	4160	e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe	UF4SVI2R.exe
PID 208 wrote to memory of 2032	208	UF4SVI2R.exe	WScript.exe
PID 208 wrote to memory of 2032	208	UF4SVI2R.exe	WScript.exe
PID 208 wrote to memory of 4652	208	UF4SVI2R.exe	cmd.exe
PID 208 wrote to memory of 4652	208	UF4SVI2R.exe	cmd.exe
PID 4652 wrote to memory of 1364	4652	cmd.exe	taskkill.exe
PID 4652 wrote to memory of 1364	4652	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
"C:\Users\Admin\AppData\Local\Temp\e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe
"C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\msg.vbs"
3⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\clear.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\taskkill.exe
taskkill /F /PID 208
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\LIBSOD~1.DLL
Filesize
397KB

MD5
5416694767519df7a2c7dec09f7c17fc

SHA1
88b7aac0b466571efa649c390c340860d2b15f93

SHA256
0c44cdd6581b94910d7440193b8f5d9804e679afdb814801ab0d7b828c5d41d7

SHA512
0e14f014645382d5d8d4c458b003146137f50de53668bbc1cdef621c5421d0c164cdc41a612b2bc337aceb2c55089de237099358b57c8ea50ea706961f93fd30

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\LIBSOD~2.DLL
Filesize
477KB

MD5
4f6426e3626d5d46fb19c13043cb84de

SHA1
9dfa32f957c19c843a568b57d555d6d5cbc61579

SHA256
7a960129f6d3f8d44b4c6be27f587c29aa8bafb9c4d3c85bb84a5f5d8fa6e2ba

SHA512
7a83adf2b36973ceb52bfc95591bc91d4ac778a4e11d11723f6d8bf208811b8fa7d072851cfed73407c9413455de717e9a42f8e6bb1a133cb2b1981c66bb5832

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\NEWTON~1.DLL
Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\Sodium.dll
Filesize
59KB

MD5
fa95d735f88e819edc0cef02d3ee4781

SHA1
9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7

SHA256
bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a

SHA512
554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\Stealer.exe
Filesize
61KB

MD5
c93e7c32ed44471ce98b07eacdeaa11b

SHA1
ee6dd9ff1e6be657efe4cf169cea92ece89684bf

SHA256
d1b4253971e7a30c6bd46b16ba514aba50d6ead3d492e93d6698346a6702d117

SHA512
c5243e1b17700d9d6e0c580f5ba689a96457ba42d4915ee9d27cdc1baa9526c1c39a4d162039d4943927b2ff8a99759d62a8a36d970f609597149658ff28ec7f

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\clear.bat
Filesize
91B

MD5
61f28c44366d339550e3d1ba7e138724

SHA1
75c8a6a6216cd8c2d2d0c73a2920cc085afb8537

SHA256
fa3b0ba4aa01e85a661b7f69802ed528121be52d105eb31ca0d50a09056eb50a

SHA512
d14fadc487e0d9712f9da11e990d9d16fb5cc9d126ee6c86afa505768dd536fbf5b2a64b2ee0bf5293a43ba4f56a0581924e4dac27674584f322503f88f1cdab

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\clear.bat
Filesize
91B

MD5
61f28c44366d339550e3d1ba7e138724

SHA1
75c8a6a6216cd8c2d2d0c73a2920cc085afb8537

SHA256
fa3b0ba4aa01e85a661b7f69802ed528121be52d105eb31ca0d50a09056eb50a

SHA512
d14fadc487e0d9712f9da11e990d9d16fb5cc9d126ee6c86afa505768dd536fbf5b2a64b2ee0bf5293a43ba4f56a0581924e4dac27674584f322503f88f1cdab

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\msg.vbs
Filesize
181B

MD5
c45afecff184d83218198da4b51d9021

SHA1
271eaec2b3bcd643f448c18dd4537e0cd2a44e31

SHA256
258b02482de6e843db3b70987341c3e66b35e27d49bb5297b710dd43f5d209ab

SHA512
50a3ecbd85b560b891c81b15c3c36f1e482da5dd83aa1e085944eadd99acc2b6a507c68b856f214f8da8ee3afccc962437228e22b63dcb9e0e3abbc6d9a82812

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\tapeta.x
Filesize
184KB

MD5
b9d09d117c8ea207279e244bce67575a

SHA1
2b80c12f51f648f3aaf7f9eab0a1d1ad5dd65064

SHA256
0c90219a9064822377ea971e86650d889915c1d415c142b47b211d238c37dd09

SHA512
4308a0371de782df448a3a78f8d24023e680008cbbb1c90253fc8383e3997e15c8b34fc04fbf5b88a1eaa79427aedb09fbd47dfd647ffe38682fddaf2de66952

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\tekst.x
Filesize
802B

MD5
ec3ce6e2b988568758016ba7dc464f19

SHA1
70111d33f349ce9ca4b10bfc0eae25d0f2723c8a

SHA256
d4243f0a299a8e0b2c410a081849c51b3e340b499e5a1277fc2ce1e9ff036796

SHA512
0a149a5008a0b6a00b1390ce8743197e22be6a6a2f49323c7fdd32f60e12db5897319329b421de6552f235d49800c883483faea202051e7f2f2388e0aff07dc6

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Data.zip
Filesize
765KB

MD5
70abc67ce48faf5439f13bfb8edbfafe

SHA1
c70ae0be2f37b5625f36234dc637a7a88b4a9e59

SHA256
3e15aab8a85c0cd22a439e9d9b7e66025ca29fbc68feb5bd19ac51ddf582cfc1

SHA512
3482f7b460436b7e4eafdecbfe6f1c6d280595c4e2b0f4c42e8ae842641c58a290f4e8d96018e0f2861ea43fd9166ae10518ba35277865deb28b4e72e436bafb

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Data\Szyfr.txt
Filesize
53B

MD5
556da398b7f47795e5544884ea6266b8

SHA1
6983f257663ef854d448952ba9fb2097563d0da1

SHA256
f13e6aa68ccaf44fbae42a227ef73e3a52716d2b3f592a35c8010e044ddb33be

SHA512
aa6f5f4222ebf4b92d3fcbe6739bc58741234f8ba36254dda9956039ffec618b282c3289897c4728f55420afa2d7e03fe91aad823624e590a4b6959510036c36

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\Newtonsoft.Json.dll
Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe
Filesize
77KB

MD5
8bbd70828300c9548fca4d8b0238e68e

SHA1
319265a938d715e4209b013640cf863125bba5f6

SHA256
a18ecb67bf3a718edb6809e46afbe2784df31789d738707e1d57a0aec1a6b3d9

SHA512
78510442e60084af6e84c01bb95e63b50413ef24e10840014b81eba04f62705f0bbcc7efc124ead15462acd3237fd11f94cdc6b2722f9d11285ce9a4143edda6

Download Submit
C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe
Filesize
77KB

MD5
8bbd70828300c9548fca4d8b0238e68e

SHA1
319265a938d715e4209b013640cf863125bba5f6

SHA256
a18ecb67bf3a718edb6809e46afbe2784df31789d738707e1d57a0aec1a6b3d9

SHA512
78510442e60084af6e84c01bb95e63b50413ef24e10840014b81eba04f62705f0bbcc7efc124ead15462acd3237fd11f94cdc6b2722f9d11285ce9a4143edda6

Download Submit
memory/208-144-0x0000000002F60000-0x0000000002FF0000-memory.dmp

Filesize
576KB

Download
memory/208-141-0x0000000000C80000-0x0000000000C9A000-memory.dmp

Filesize
104KB

Download
memory/208-142-0x00007FF9ABE20000-0x00007FF9AC8E1000-memory.dmp

Filesize
10.8MB

Download
memory/208-138-0x0000000000000000-mapping.dmp

Download
memory/1364-152-0x0000000000000000-mapping.dmp

Download
memory/2032-148-0x0000000000000000-mapping.dmp

Download
memory/4160-130-0x0000000000800000-0x0000000000896000-memory.dmp

Filesize
600KB

Download
memory/4160-137-0x000000000B510000-0x000000000B522000-memory.dmp

Filesize
72KB

Download
memory/4160-136-0x00000000067E0000-0x00000000067EA000-memory.dmp

Filesize
40KB

Download
memory/4160-135-0x00000000052F0000-0x0000000005346000-memory.dmp

Filesize
344KB

Download
memory/4160-134-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/4160-133-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/4160-132-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4160-131-0x0000000005090000-0x000000000512C000-memory.dmp

Filesize
624KB

Download
memory/4652-150-0x0000000000000000-mapping.dmp

Download