Analysis
- max time kernel: 12s
- max time network: 64s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2023 19:16
Behavioral tasks (sample, resource)
- behavioral1: trojan-leaks-main/0.950095298700035.exe (win7-20230220-en)
- behavioral2: trojan-leaks-main/0.950095298700035.exe (win10v2004-20230220-en)
- behavioral3: trojan-leaks-main/0x07.exe (win7-20230220-en)
- behavioral4: trojan-leaks-main/0x07.exe (win10v2004-20230220-en)
- behavioral5: AIDS_NT.exe (win7-20230220-en)
- behavioral6: AIDS_NT.exe (win10v2004-20230220-en)
- behavioral7: Abantes.exe (win7-20230220-en)
- behavioral8: Abantes.exe (win10v2004-20230220-en)
- behavioral9: trojan-leaks-main/AjarSys.exe (win7-20230220-en)
- behavioral10: trojan-leaks-main/AjarSys.exe (win10v2004-20230221-en)
- behavioral11: trojan-leaks-main/Antivirus_Installer.exe (win7-20230220-en)
- behavioral12: trojan-leaks-main/Antivirus_Installer.exe (win10v2004-20230220-en)
- behavioral13: trojan-leaks-main/BUG32.exe (win7-20230220-en)
- behavioral14: trojan-leaks-main/BUG32.exe (win10v2004-20230220-en)
- behavioral15: trojan-leaks-main/BaldiTrojan-x32.exe (win7-20230220-en)
- behavioral16: trojan-leaks-main/BaldiTrojan-x32.exe (win10v2004-20230221-en)
- behavioral17: trojan-leaks-main/BaldiTrojan-x64.exe (win7-20230220-en)
- behavioral18: trojan-leaks-main/BaldiTrojan-x64.exe (win10v2004-20230220-en)
- behavioral19: trojan-leaks-main/Benzene.exe (win7-20230220-en)
- behavioral20: trojan-leaks-main/Benzene.exe (win10v2004-20230220-en)
- behavioral21: trojan-leaks-main/Benzene_x64.exe (win7-20230220-en)
- behavioral22: trojan-leaks-main/Benzene_x64.exe (win10v2004-20230220-en)
- behavioral23: trojan-leaks-main/CoViper.exe (win7-20230220-en)
- behavioral24: trojan-leaks-main/CoViper.exe (win10v2004-20230220-en)
- behavioral25: trojan-leaks-main/Cs_Hacks_Free_no_hacks.exe (win7-20230220-en)
- behavioral26: trojan-leaks-main/Cs_Hacks_Free_no_hacks.exe (win10v2004-20230221-en)
- behavioral27: trojan-leaks-main/Glodrix.exe (win7-20230220-en)
- behavioral28: trojan-leaks-main/Glodrix.exe (win10v2004-20230220-en)
- behavioral29: trojan-leaks-main/Halloware (BerkayV).exe (win7-20230220-en)
- behavioral30: trojan-leaks-main/Halloware (BerkayV).exe (win10v2004-20230220-en)
- behavioral31: trojan-leaks-main/HorrorTrojan123.exe (win7-20230220-en)
- behavioral32: trojan-leaks-main/HorrorTrojan123.exe (win10v2004-20230220-en)
Errors
General
- Target: trojan-leaks-main/CoViper.exe
- Size: 286KB
- MD5: e20ee9bbbd1ebe131f973fe3706ca799
- SHA1: 4e92e5cbe9092f94b4f4951893b5d9ca304d292c
- SHA256: f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224
- SHA512: d50524992662aa84d5b4340525a25d915e91e464a725aa6851de206fd294aa7f4fcefe695ce463ce652b0a03874b75c0678b4c708d2b71f7c18804d1365d3458
- SSDEEP: 6144:egtJZ0NSt7Jb/Is8vIfYg6KcZQV7GdRMrKUIvcgfoS3Qz89r:egWNStd7R8cYgsZK7qCrqfoS3Mcr
Malware Config
Signatures
- UAC bypass
  Processes: reg.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Disables Task Manager via registry modification
- UPX packed file (YARA rule upx)
  - resource C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\run.exe: upx
  - resource behavioral23/memory/1268-80-0x0000000000400000-0x0000000000473000-memory.dmp: upx
  - resource behavioral23/memory/1268-81-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: reg.exe
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CheckForUpdates = "C:\\COVID-19\\Update.vbs"
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\COVID-19\\run.exe"
  - Key created \REGISTRY\MACHINE\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GoodbyePC! = "C:\\COVID-19\\end.exe"
- Modifies registry key (1 TTPs, 10 IoCs)
  Processes: reg.exe, PIDs 628, 320, 1872, 1644, 332, 432, 964, 1788, 1696, 1940
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: shutdown.exe (PID 1392)
  - Token: SeShutdownPrivilege
  - Token: SeRemoteShutdownPrivilege
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes: 13 parent/target pairs, each recorded four times in the report
  - PID 1268 CoViper.exe wrote to memory of PID 1812 cmd.exe
  - PID 1812 cmd.exe wrote to memory of PID 820 attrib.exe
  - PID 1812 cmd.exe wrote to memory of PID 628 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 332 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 320 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 1872 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 432 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 964 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 1788 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 1696 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 1940 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 1644 reg.exe
  - PID 1812 cmd.exe wrote to memory of PID 1392 shutdown.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CoViper.exe"
  PID: 1268
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C572.tmp\coronavirus.bat""
    PID: 1812
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +H C:\COVID-19
      PID: 820
      Signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v disabletaskmgr /t REG_DWORD /d 1 /f
      PID: 628
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 332
      Signatures: UAC bypass; Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v wallpaper /t REG_SZ /d C:\COVID-19\wallpaper.jpg /f
      PID: 320
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      PID: 1872
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKCU\Control Panel\Cursors /v Arrow /t REG_SZ /d C:\COVID-19\cursor.cur /f
      PID: 432
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKCU\Control Panel\Cursors /v AppStarting /t REG_SZ /d C:\COVID-19\cursor.cur /f
      PID: 964
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKCU\Control Panel\Cursors /v Hand /t REG_SZ /d C:\COVID-19\cursor.cur /f
      PID: 1788
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CheckForUpdates /t REG_SZ /d C:\COVID-19\Update.vbs /f
      PID: 1696
      Signatures: Adds Run key to start application; Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.exe /t REG_SZ /d C:\COVID-19\run.exe /f
      PID: 1940
      Signatures: Adds Run key to start application; Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\software\Microsoft\Windows\CurrentVersion\Run /v GoodbyePC! /t REG_SZ /d C:\COVID-19\end.exe /f
      PID: 1644
      Signatures: Adds Run key to start application; Modifies registry key
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown -r -t 5
      PID: 1392
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1664
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1004
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: e9b2f5e9305dc2a39258d69264647c53
  SHA1: 87653e2ba1bf810feb472391cef4ffae82e38ea9
  SHA256: 4fd9b85eec0b49548c462acb9ec831a0728c0ef9e3de70e772755834e38aa3b3
  SHA512: 7b0ff3dde5ba6d098f970a8d09c690652607cb3f8806b942922f7b92df45b4cc788f13dd376b6d48404178a5462baddafbb61b893074b42dbf14836826af9881
- Filesize: 156B
  MD5: bfbafdf20dadf4e83476228f2f86e80c
  SHA1: fcc31feb12f3ccd786b17d46c5f487c22ea74a38
  SHA256: a1a8d79508173cf16353e31a236d4a211bdcedef53791acce3cfba600b51aaec
  SHA512: 157ba2aaa5bd715119381a593ec78ac83f2e2e35512764ec99878cd4019d87837bb96457cb2de5e64df1510cf2935aa91918c27e686a2451c095bbbaedc84321
- Filesize: 13KB
  MD5: 21f48a9e113317b8e2b3ce5366621aa1
  SHA1: 674c0fc07675d3455780690c38f25f6fbd20b401
  SHA256: 13c4423ed872e71990e703a21174847ab58dec49501b186709b77b772ceeab52
  SHA512: 50b99a9e44b3fefce32ad729048d8491cfa403425efe84c48038ab97dbdb403fbe35dfd50a82018d180144e1c84243622f45a2b11a06e6f105f13636fff7d75b
- Filesize: 47KB
  MD5: 7def1c942eea4c2024164cd5b7970ec8
  SHA1: b2f4288577bf8f8f06a487b17163d74ebe46ab43
  SHA256: c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9
  SHA512: 87b023b8550fcb7b7948b33eb76dd8e22452669fba280b384bc2c2162d908eaa95cdac3f31136bc2aed07944cebdc22bce34f2a96ce4f40353645f5a2a94f5ce
- Filesize: 148KB
  MD5: e6ccc960ae38768664e8cf40c74a9902
  SHA1: d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd
  SHA256: b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe
  SHA512: a3a7fa630bafa9508b78af298893733b365e4a185a47b231fb0bfdffc4ed2adacbdbc65fd8261cdd8a589998590a82416cb21200e0eed1bcef67b7655c9b101d
- Filesize: 21KB
  MD5: b1349ca048b6b09f2b8224367fda4950
  SHA1: 44fac7dd4b9b1ccc61af4859c8104dd507e82e2d
  SHA256: c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986
  SHA512: f1cc8116d6eb91e6ecb214ac647c7a9a4ca7d2733af3bbca68939722c11e61a33213aa8c1cc6024c0f186db9edca48006f8f13d3282c7be921b3246cba975810
- Filesize: 1KB
  MD5: 087f4545e13bd7b8e1f36c941a62f8a4
  SHA1: f43ac7023ca49efe5509993667f04c2fbf6ac722
  SHA256: 4a17f58a8bf2b26ece23b4d553d46b72e0cda5e8668458a80ce8fe4e6d90c42d
  SHA512: 8b309437fb43ce8667ead9709fd5700b719ee46bd294c4ee4b554cd064de63b3d5165bac83e349c54491a97c8f2241dc29f92f586c5ef50689b681386dc07c31