Analysis
- Max time kernel: 90s
- Max time network: 155s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 01:38

Tasks
- Static task: static1
- Behavioral task behavioral1: sample e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe, resource win10v2004-20220414-en (the run this report describes)
General
- Target: e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
- Size: 576KB
- MD5: 0103c868e27888648c251500988261fb
- SHA1: bf4a68ce150b9c81a90f19614d8897ffb7e096fb
- SHA256: e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220
- SHA512: 484d5d13efd3e8c750f206159e739dad5fb9e37e98f8160dcbbe750d7c647488932a1e88e5d3fffac8b81d1ab0133864beb36faef4cfd38cc6d05529b8e68cea
Malware Config: none extracted by the sandbox.
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  PID 208  UF4SVI2R.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, most likely a geofence check before the payload runs.
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  by e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  by UF4SVI2R.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\Users\Admin\Pictures\tapeta.png"  by UF4SVI2R.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  PID 1364  taskkill.exe
- Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings  by UF4SVI2R.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 4160  e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe
  Token: SeDebugPrivilege  PID 208   UF4SVI2R.exe
  Token: SeDebugPrivilege  PID 1364  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4160 (e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe) wrote to memory of PID 208 (UF4SVI2R.exe), recorded twice
  PID 208 (UF4SVI2R.exe) wrote to memory of PID 2032 (WScript.exe), recorded twice
  PID 208 (UF4SVI2R.exe) wrote to memory of PID 4652 (cmd.exe), recorded twice
  PID 4652 (cmd.exe) wrote to memory of PID 1364 (taskkill.exe), recorded twice
  Every write targets a process that the writer itself created (see the process tree below), so these events are consistent with normal child-process start-up rather than injection into an unrelated process.
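The three behaviours above that a detection engineer would most want to alert on are the Geo\Nation lookup followed by launching a dropped file from a user-writable path, a wallpaper change made by something other than the shell, and a taskkill aimed at the killer's own ancestor (the clear.bat cleanup in the process tree). The script below is an added example, not sandbox tooling: it runs those three rules over constructed Sysmon-style events that mirror this report's process tree and registry IoCs. The event dict shapes, the parent PID 1000 of the submitted sample and the allow-list of processes permitted to set the wallpaper are assumptions.

```python
"""Detection logic for the behaviour chain in this report, run over
constructed Sysmon-style events that mirror the sandbox's process tree and
registry IoCs. Added example: the event dicts and field names are an
assumption, not the sandbox's export format."""
import re

# Constructed telemetry modelled on the report (PIDs, images and keys are
# copied from it; the sample's parent PID 1000 and the event shapes are assumed).
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000"
           r"\Control Panel\International\Geo\Nation")
WALLPAPER_KEY = (r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000"
                 r"\Control Panel\Desktop\Wallpaper")
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe"

EVENTS = [
    {"type": "process_create", "pid": 4160, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 4160, "key": GEO_KEY},
    {"type": "process_create", "pid": 208, "ppid": 4160, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}"'},
    {"type": "registry_query", "pid": 208, "key": GEO_KEY},
    {"type": "registry_set", "pid": 208, "key": WALLPAPER_KEY,
     "value": r"C:\Users\Admin\Pictures\tapeta.png"},
    {"type": "process_create", "pid": 2032, "ppid": 208, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\msg.vbs"'},
    {"type": "process_create", "pid": 4652, "ppid": 208, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\clear.bat" "'},
    {"type": "process_create", "pid": 1364, "ppid": 4652, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /F /PID 208"},
]

# Locations a normal installer would not launch a payload from (assumed list).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Processes that legitimately rewrite the wallpaper value (assumed allow-list).
WALLPAPER_OWNERS = {"explorer.exe", "rundll32.exe", "systemsettings.exe"}
TASKKILL_PID = re.compile(r"\btaskkill(?:\.exe)?\b.*?/pid\s+(\d+)", re.I)


def build_tree(events):
    """Map pid -> its process_create event."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def ancestors(procs, pid):
    """Yield parent, grandparent, ... of pid; stop at an unknown or cyclic parent."""
    seen = {pid}
    proc = procs.get(pid)
    while proc and proc["ppid"] not in seen:
        seen.add(proc["ppid"])
        yield proc["ppid"]
        proc = procs.get(proc["ppid"])


def image_name(procs, pid):
    return procs.get(pid, {}).get("image", "").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings in the order the triggering events occur."""
    procs = build_tree(events)
    findings = []
    queried_geo = set()  # pids that read the Geo\Nation value
    for e in events:
        if e["type"] == "registry_query" and e["key"].lower().endswith(r"\international\geo\nation"):
            queried_geo.add(e["pid"])
        elif e["type"] == "process_create":
            # Geofence lookup, then a child started from a user-writable directory.
            if e["ppid"] in queried_geo and USER_WRITABLE.search(e["image"]):
                findings.append(("geofence_then_drop", e["pid"]))
            # taskkill whose /PID target is one of its own ancestors: the
            # payload terminating itself through cmd.exe, as clear.bat does here.
            m = TASKKILL_PID.search(e["cmdline"])
            if m and int(m.group(1)) in set(ancestors(procs, e["pid"])):
                findings.append(("self_terminate_via_taskkill", e["pid"]))
        elif e["type"] == "registry_set" and e["key"].lower().endswith(r"\control panel\desktop\wallpaper"):
            if image_name(procs, e["pid"]) not in WALLPAPER_OWNERS:
                findings.append(("wallpaper_set_by_unusual_process", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid} ({image_name(build_tree(EVENTS), pid)})")
```

The ancestor walk is what keeps the taskkill rule useful: matching "taskkill /F /PID" alone fires on every administrator who kills a hung process, whereas a kill aimed up the process's own lineage is rare outside malware cleanup routines.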
Processes
1. C:\Users\Admin\AppData\Local\Temp\e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe  (PID 4160)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe  (PID 208)
      Command line: "C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe  (PID 2032)
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\msg.vbs"
      3. C:\Windows\system32\cmd.exe  (PID 4652)
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\clear.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\taskkill.exe  (PID 1364)
            Command line: taskkill /F /PID 208
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

Reading the tree: the submitted sample (PID 4160) unpacks a C0VID-19 folder under AppData\Roaming and starts UF4SVI2R.exe from it. That payload runs msg.vbs through WScript.exe, changes the wallpaper, and finally launches clear.bat through cmd.exe; the batch file's taskkill /F /PID 208 forcibly terminates UF4SVI2R.exe itself (PID 208), i.e. the payload ends its own run. Stealer.exe is written to the Bin folder (see Downloads) but never appears as a process in this run.
Downloads (files written during the run)

Some entries carry 8.3 short names (LIBSOD~1.DLL, LIBSOD~2.DLL, NEWTON~1.DLL); the short names are all the sandbox recorded. NEWTON~1.DLL has the same hashes as C0VID-19\Newtonsoft.Json.dll, so it is a second copy of the same library. clear.bat and UF4SVI2R.exe were each recorded twice with identical hashes; the repeats are collapsed here.

- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\LIBSOD~1.DLL
  Size   397KB
  MD5    5416694767519df7a2c7dec09f7c17fc
  SHA1   88b7aac0b466571efa649c390c340860d2b15f93
  SHA256 0c44cdd6581b94910d7440193b8f5d9804e679afdb814801ab0d7b828c5d41d7
  SHA512 0e14f014645382d5d8d4c458b003146137f50de53668bbc1cdef621c5421d0c164cdc41a612b2bc337aceb2c55089de237099358b57c8ea50ea706961f93fd30
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\LIBSOD~2.DLL
  Size   477KB
  MD5    4f6426e3626d5d46fb19c13043cb84de
  SHA1   9dfa32f957c19c843a568b57d555d6d5cbc61579
  SHA256 7a960129f6d3f8d44b4c6be27f587c29aa8bafb9c4d3c85bb84a5f5d8fa6e2ba
  SHA512 7a83adf2b36973ceb52bfc95591bc91d4ac778a4e11d11723f6d8bf208811b8fa7d072851cfed73407c9413455de717e9a42f8e6bb1a133cb2b1981c66bb5832
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\NEWTON~1.DLL
  Size   560KB
  MD5    8f81c9520104b730c25d90a9dd511148
  SHA1   7cf46cb81c3b51965c1f78762840eb5797594778
  SHA256 f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886
  SHA512 b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\Sodium.dll
  Size   59KB
  MD5    fa95d735f88e819edc0cef02d3ee4781
  SHA1   9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7
  SHA256 bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a
  SHA512 554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\Stealer.exe
  Size   61KB
  MD5    c93e7c32ed44471ce98b07eacdeaa11b
  SHA1   ee6dd9ff1e6be657efe4cf169cea92ece89684bf
  SHA256 d1b4253971e7a30c6bd46b16ba514aba50d6ead3d492e93d6698346a6702d117
  SHA512 c5243e1b17700d9d6e0c580f5ba689a96457ba42d4915ee9d27cdc1baa9526c1c39a4d162039d4943927b2ff8a99759d62a8a36d970f609597149658ff28ec7f
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\clear.bat
  Size   91B
  MD5    61f28c44366d339550e3d1ba7e138724
  SHA1   75c8a6a6216cd8c2d2d0c73a2920cc085afb8537
  SHA256 fa3b0ba4aa01e85a661b7f69802ed528121be52d105eb31ca0d50a09056eb50a
  SHA512 d14fadc487e0d9712f9da11e990d9d16fb5cc9d126ee6c86afa505768dd536fbf5b2a64b2ee0bf5293a43ba4f56a0581924e4dac27674584f322503f88f1cdab
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\msg.vbs
  Size   181B
  MD5    c45afecff184d83218198da4b51d9021
  SHA1   271eaec2b3bcd643f448c18dd4537e0cd2a44e31
  SHA256 258b02482de6e843db3b70987341c3e66b35e27d49bb5297b710dd43f5d209ab
  SHA512 50a3ecbd85b560b891c81b15c3c36f1e482da5dd83aa1e085944eadd99acc2b6a507c68b856f214f8da8ee3afccc962437228e22b63dcb9e0e3abbc6d9a82812
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\tapeta.x
  Size   184KB
  MD5    b9d09d117c8ea207279e244bce67575a
  SHA1   2b80c12f51f648f3aaf7f9eab0a1d1ad5dd65064
  SHA256 0c90219a9064822377ea971e86650d889915c1d415c142b47b211d238c37dd09
  SHA512 4308a0371de782df448a3a78f8d24023e680008cbbb1c90253fc8383e3997e15c8b34fc04fbf5b88a1eaa79427aedb09fbd47dfd647ffe38682fddaf2de66952
- C:\Users\Admin\AppData\Roaming\C0VID-19\Bin\tekst.x
  Size   802B
  MD5    ec3ce6e2b988568758016ba7dc464f19
  SHA1   70111d33f349ce9ca4b10bfc0eae25d0f2723c8a
  SHA256 d4243f0a299a8e0b2c410a081849c51b3e340b499e5a1277fc2ce1e9ff036796
  SHA512 0a149a5008a0b6a00b1390ce8743197e22be6a6a2f49323c7fdd32f60e12db5897319329b421de6552f235d49800c883483faea202051e7f2f2388e0aff07dc6
- C:\Users\Admin\AppData\Roaming\C0VID-19\Data.zip
  Size   765KB
  MD5    70abc67ce48faf5439f13bfb8edbfafe
  SHA1   c70ae0be2f37b5625f36234dc637a7a88b4a9e59
  SHA256 3e15aab8a85c0cd22a439e9d9b7e66025ca29fbc68feb5bd19ac51ddf582cfc1
  SHA512 3482f7b460436b7e4eafdecbfe6f1c6d280595c4e2b0f4c42e8ae842641c58a290f4e8d96018e0f2861ea43fd9166ae10518ba35277865deb28b4e72e436bafb
- C:\Users\Admin\AppData\Roaming\C0VID-19\Data\Szyfr.txt
  Size   53B
  MD5    556da398b7f47795e5544884ea6266b8
  SHA1   6983f257663ef854d448952ba9fb2097563d0da1
  SHA256 f13e6aa68ccaf44fbae42a227ef73e3a52716d2b3f592a35c8010e044ddb33be
  SHA512 aa6f5f4222ebf4b92d3fcbe6739bc58741234f8ba36254dda9956039ffec618b282c3289897c4728f55420afa2d7e03fe91aad823624e590a4b6959510036c36
- C:\Users\Admin\AppData\Roaming\C0VID-19\Newtonsoft.Json.dll
  Size   560KB
  MD5    8f81c9520104b730c25d90a9dd511148
  SHA1   7cf46cb81c3b51965c1f78762840eb5797594778
  SHA256 f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886
  SHA512 b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3
- C:\Users\Admin\AppData\Roaming\C0VID-19\UF4SVI2R.exe
  Size   77KB
  MD5    8bbd70828300c9548fca4d8b0238e68e
  SHA1   319265a938d715e4209b013640cf863125bba5f6
  SHA256 a18ecb67bf3a718edb6809e46afbe2784df31789d738707e1d57a0aec1a6b3d9
  SHA512 78510442e60084af6e84c01bb95e63b50413ef24e10840014b81eba04f62705f0bbcc7efc124ead15462acd3237fd11f94cdc6b2722f9d11285ce9a4143edda6
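Turning the list above into a host sweep, as an added example that is not part of the sandbox report: the script walks a directory tree, flags files by SHA256 against the sample and the attacker-specific drops, and flags the C0VID-19 staging directory and the tapeta.png wallpaper path from the process tree. Newtonsoft.Json.dll and the libsodium DLLs are left out of the hash set on purpose: they are stock library builds that legitimate software ships too, so their hashes would only generate false positives. The hash values and paths are copied from this report; the demo directory it builds for a stand-alone run is constructed and contains placeholder content, not the real dropped files.

```python
"""Host sweep for the file and path indicators in this report's Downloads
section. Added example, not sandbox tooling: hash values and the C0VID-19
path are copied from the report; the demo tree it builds is constructed."""
import hashlib
import os
import re
import tempfile

# SHA256 of the sample and the attacker-specific dropped files (copied from the
# report). Newtonsoft.Json.dll and the libsodium DLLs are deliberately left out:
# they are stock library builds and would match legitimate software.
HASH_IOCS = {
    "e6696435c5e386f8c978a7681a4f68c65e749c16c10f79e4956c5a39fed83220": "submitted sample",
    "a18ecb67bf3a718edb6809e46afbe2784df31789d738707e1d57a0aec1a6b3d9": "C0VID-19\\UF4SVI2R.exe",
    "d1b4253971e7a30c6bd46b16ba514aba50d6ead3d492e93d6698346a6702d117": "C0VID-19\\Bin\\Stealer.exe",
    "fa3b0ba4aa01e85a661b7f69802ed528121be52d105eb31ca0d50a09056eb50a": "C0VID-19\\Bin\\clear.bat",
    "258b02482de6e843db3b70987341c3e66b35e27d49bb5297b710dd43f5d209ab": "C0VID-19\\Bin\\msg.vbs",
    "0c90219a9064822377ea971e86650d889915c1d415c142b47b211d238c37dd09": "C0VID-19\\Bin\\tapeta.x",
    "d4243f0a299a8e0b2c410a081849c51b3e340b499e5a1277fc2ce1e9ff036796": "C0VID-19\\Bin\\tekst.x",
    "3e15aab8a85c0cd22a439e9d9b7e66025ca29fbc68feb5bd19ac51ddf582cfc1": "C0VID-19\\Data.zip",
    "f13e6aa68ccaf44fbae42a227ef73e3a52716d2b3f592a35c8010e044ddb33be": "C0VID-19\\Data\\Szyfr.txt",
}

# Path indicators from the process tree and the wallpaper IoC. They are matched
# on a backslash-normalised path so the sweep also works over a disk image
# mounted on Linux.
PATH_IOCS = [
    (re.compile(r"(^|\\)C0VID-19\\", re.I), "C0VID-19 staging directory"),
    (re.compile(r"\\Pictures\\tapeta\.png$", re.I), "ransom wallpaper file"),
]


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hash_iocs=None, path_iocs=PATH_IOCS):
    """Walk root and return (path, reason) for every file matching an IoC."""
    hash_iocs = HASH_IOCS if hash_iocs is None else hash_iocs
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            norm = full.replace("/", "\\")
            for pattern, label in path_iocs:
                if pattern.search(norm):
                    findings.append((full, "path:" + label))
            try:
                digest = sha256_of(full)
            except OSError:  # unreadable or vanished file: keep sweeping
                continue
            if digest in hash_iocs:
                findings.append((full, "sha256:" + hash_iocs[digest]))
    return findings


def build_demo_tree():
    """Constructed directory for a stand-alone run: a fake staging folder and a benign file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    staging = os.path.join(root, "AppData", "Roaming", "C0VID-19", "Bin")
    os.makedirs(staging)
    staged = os.path.join(staging, "clear.bat")
    with open(staged, "wb") as f:
        f.write(b"@echo off\r\n")  # placeholder content, not the real 91-byte clear.bat
    benign = os.path.join(root, "notes.txt")
    open(benign, "wb").close()     # empty file, SHA256 e3b0c442...b855
    return {"root": root, "staged": staged, "benign": benign}


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, reason in sweep(demo["root"]):
        print(reason, path)
```

Run against a real profile, pass the user's home directory as root; the placeholder clear.bat in the demo tree is caught by its path only, because its content is not the real 91-byte file, which is exactly the distinction between a path indicator and a hash indicator that the two rule sets encode.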
Memory dumps
- memory/208-144-0x0000000002F60000-0x0000000002FF0000-memory.dmp  576KB
- memory/208-141-0x0000000000C80000-0x0000000000C9A000-memory.dmp  104KB
- memory/208-142-0x00007FF9ABE20000-0x00007FF9AC8E1000-memory.dmp  10.8MB
- memory/208-138-0x0000000000000000-mapping.dmp
- memory/1364-152-0x0000000000000000-mapping.dmp
- memory/2032-148-0x0000000000000000-mapping.dmp
- memory/4160-130-0x0000000000800000-0x0000000000896000-memory.dmp  600KB
- memory/4160-137-0x000000000B510000-0x000000000B522000-memory.dmp  72KB
- memory/4160-136-0x00000000067E0000-0x00000000067EA000-memory.dmp  40KB
- memory/4160-135-0x00000000052F0000-0x0000000005346000-memory.dmp  344KB
- memory/4160-134-0x00000000051A0000-0x00000000051AA000-memory.dmp  40KB
- memory/4160-133-0x00000000051F0000-0x0000000005282000-memory.dmp  584KB
- memory/4160-132-0x0000000005700000-0x0000000005CA4000-memory.dmp  5.6MB
- memory/4160-131-0x0000000005090000-0x000000000512C000-memory.dmp  624KB
- memory/4652-150-0x0000000000000000-mapping.dmp