Analysis
max time kernel: 134s
max time network: 133s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 31-01-2024 23:40
Static task: static1
Behavioral task: behavioral1
Sample: Ransomware.CoronaVirus.exe
Resource: win7-20231215-en
General
Target: Ransomware.CoronaVirus.exe
Size: 1.0MB
MD5: 055d1462f66a350d9886542d4d79bc2b
SHA1: f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256: dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512: 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP: 24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
coronavirus@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 5 IoCs
Processes:
Process Ransomware.CoronaVirus.exe:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransomware.CoronaVirus.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BE86C9B.[coronavirus@qq.com].ncov
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BE86C9B.[coronavirus@qq.com].ncov
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Process Ransomware.CoronaVirus.exe:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransomware.CoronaVirus.exe = "C:\\Windows\\System32\\Ransomware.CoronaVirus.exe"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
-
Checks whether UAC is enabled
Processes:
Process mshta.exe:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Drops desktop.ini file(s) 64 IoCs
Drops file in System32 directory 2 IoCs
Processes:
Process Ransomware.CoronaVirus.exe:
- File created: C:\Windows\System32\Ransomware.CoronaVirus.exe
- File created: C:\Windows\System32\Info.hta
-
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 536 vssadmin.exe
- PID 1540 vssadmin.exe
-
Modifies Internet Explorer settings
Processes:
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2180 Ransomware.CoronaVirus.exe (all 64 IoCs come from this one process)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Process vssvc.exe (PID 2192):
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 3340 iexplore.exe
- PID 2200 mshta.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
- PID 2200 mshta.exe (2 occurrences)
- PID 3340 iexplore.exe (2 occurrences)
- PID 3756 IEXPLORE.EXE (2 occurrences)
- PID 3644 IEXPLORE.EXE (4 occurrences)
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
Source process -> target process (occurrences):
- PID 2180 Ransomware.CoronaVirus.exe -> PID 1424 cmd.exe (4)
- PID 1424 cmd.exe -> PID 2872 mode.com (3)
- PID 1424 cmd.exe -> PID 536 vssadmin.exe (3)
- PID 2180 Ransomware.CoronaVirus.exe -> PID 2432 cmd.exe (4)
- PID 2432 cmd.exe -> PID 3792 mode.com (3)
- PID 2432 cmd.exe -> PID 1540 vssadmin.exe (3)
- PID 2180 Ransomware.CoronaVirus.exe -> PID 2200 mshta.exe (4)
- PID 2180 Ransomware.CoronaVirus.exe -> PID 3268 mshta.exe (4)
- PID 3340 iexplore.exe -> PID 3756 IEXPLORE.EXE (4)
- PID 3340 iexplore.exe -> PID 3644 IEXPLORE.EXE (4)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware.CoronaVirus.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware.CoronaVirus.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mode.com (depth 3)
      Command line: mode con cp select=1251
    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mode.com (depth 3)
      Command line: mode con cp select=1251
    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\mshta.exe (depth 2)
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
  C:\Windows\System32\mshta.exe (depth 2)
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe (depth 1)
  Command line: "C:\Windows\explorer.exe"
C:\Program Files\Internet Explorer\iexplore.exe (depth 1)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3340 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3340 CREDAT:472069 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id-5BE86C9B.[coronavirus@qq.com].ncov
Filesize: 44.2MB
MD5: ab2189704f14cb5363f4a14e74d52a04
SHA1: 774f99e783ba7fa0695d58b733070a8df9bc00b3
SHA256: b5b1b2dd092ae20cb115cac5bf764540c411c27f1e7115fab8fc00128de9d719
SHA512: 90a8a5ddfa7f16cf6ab3ead497841a801004fa7b1109ba068ef0162043b1519ef85a26b99e567daea6a1f16c19af018bdc10cb05bde1f97f21ea726e8c3e05d3
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize: 13KB
MD5: ee74e464e7b226d43ae5eb8e44b5e5b1
SHA1: 7b9ce8d0b0fa67a43569510a5b4db638fa391c6c
SHA256: b412aa39f89e9f9479493a5b97e77133b75bffedfadb07fa4084c77afae6ec25
SHA512: d4875570d68bdb21d8ce01b3f1411ad5d9a927e4f7700dfdeb7e02fc8dae9483038dff42d61627453866ce36b36eef72f5368dc667f77927b06a9ab779242829
-
memory/2180-0-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/2180-1-0x000000000ACA0000-0x000000000ACD4000-memory.dmp
Filesize: 208KB
-
memory/2180-2-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/2180-2297-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/2180-18822-0x000000000ACA0000-0x000000000ACD4000-memory.dmp
Filesize: 208KB
-
memory/2200-20295-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
Filesize: 64KB
-
memory/2200-20324-0x0000000003070000-0x0000000003080000-memory.dmp
Filesize: 64KB