Analysis
-
max time kernel
136s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19-02-2024 22:40
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/CoronaVirus.exe
Resource
win10v2004-20231215-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/CoronaVirus.exe
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
coronavirus@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (492) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
CoronaVirus.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation CoronaVirus.exe -
Drops startup file 5 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe -
Executes dropped EXE 4 IoCs
Processes:
CoronaVirus.exeCoronaVirus.exeCoronaVirus.exemsedge.exepid process 256 CoronaVirus.exe 4380 CoronaVirus.exe 31840 CoronaVirus.exe 23240 msedge.exe -
Loads dropped DLL 1 IoCs
Processes:
msedge.exepid process 23240 msedge.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
CoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview-hover.svg.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\DenyConvertFrom.ppsm.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.resources.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-150.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\jre\LICENSE.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.CompilerServices.VisualC.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-400.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-100_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.Design.resources.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.ps1 CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\UIAutomationClientSideProviders.resources.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.ProtectedData.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationClientSideProviders.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-time-l1-1-0.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\HostConfigDarkMode.json CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-16.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Java\jre-1.8\lib\currency.data.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Net.NetworkInformation.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\WindowsFormsIntegration.resources.dll.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@3x.png.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe805.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-200.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\ui-strings.js.id-06426DDE.[coronavirus@qq.com].ncov CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 8196 vssadmin.exe 6700 vssadmin.exe -
Modifies registry class 3 IoCs
Processes:
OpenWith.exeOpenWith.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings OpenWith.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 667003.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeCoronaVirus.exepid process 2204 msedge.exe 2204 msedge.exe 3128 msedge.exe 3128 msedge.exe 3892 identity_helper.exe 3892 identity_helper.exe 5080 msedge.exe 5080 msedge.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe 256 CoronaVirus.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 8760 vssvc.exe Token: SeRestorePrivilege 8760 vssvc.exe Token: SeAuditPrivilege 8760 vssvc.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
msedge.exepid process 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe 3128 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
OpenWith.exeOpenWith.exeOpenWith.exepid process 28092 OpenWith.exe 28056 OpenWith.exe 9200 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3128 wrote to memory of 3212 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 3212 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2100 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2204 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 2204 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe PID 3128 wrote to memory of 424 3128 msedge.exe msedge.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/CoronaVirus.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd753f46f8,0x7ffd753f4708,0x7ffd753f47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6240 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5344 /prefetch:22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.dllFilesize
3.6MB
MD5d3f0468ab060b92d082e69ef35c06d65
SHA18f7633f71e3f43028c3fc82ab8f4b0e7cef90998
SHA25648d9bad75cc38de4c2c8d686eea813118086be24249c77ef87b2e8ba81b5e2d2
SHA512f4c254cf0d44a32f67818a91e1ae7d7392c2928514d40bb30c7f5a54f69e5a06e2df21bfdbf7959ab9bd9e0d44232e9c6205c6c29a55bc36bb30189232e72e86
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeFilesize
3.2MB
MD5ad8536c7440638d40156e883ac25086e
SHA1fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA25673d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5eb20b5930f48aa090358398afb25b683
SHA14892c8b72aa16c5b3f1b72811bf32b89f2d13392
SHA2562695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35
SHA512d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5339dad6-f9f5-4ed1-955b-21119315f46b.tmpFilesize
261B
MD52c2e6472d05e3832905f0ad4a04d21c3
SHA1007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA5128c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLiteFilesize
64KB
MD52b65c5d1ab0aa3f3f57c635932c12a5d
SHA1b532c837537438e591d5d6adbf96a5dfe5c40eba
SHA256c111777e9b9a42cf62b06900b847283238af63d15033c40577cb10aaa58c084a
SHA5127d75089fb928c23c0166a74bb2baa3c1245bb23012d30ec2cf1fe71f8412700d354d4b9b8070309b23a5b003e37727ecd00f9ffaa018ffa5bb67ad1bed58e175
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD5458a8f1fd7c698b07c61c04a6b1e1b28
SHA1a458df1437f615741e717495dcb49ae788bce9ea
SHA256dfdb2fcc47c31cb6bb9d8c4605654426316826f930bd1c2b4fef8d81fab8ba1f
SHA51247c0126ea8a8a2f932b22932c09f04968491c236cd449dc21e6ea117a2daadfa2600f4c254356a37c4dc6023e4364efa3697bd37e518383c0ce46849f1ba125c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5ea57d01582800ab05d6008ff23223050
SHA146bed2529536ed8bc3d3b666d0626df1b69ad5c8
SHA2565a33b280f0785c34536aeed01691932ee0ad80db5b4e6a08281aa767d90f4d33
SHA5124fa46fd85582d9bdb1cd6aa39c407e6548f194272fe3c36b972ed3250232e4e8ecee63084936189c20196d22dfa0a3d9cb542ec0198ddfe55004cb8ad7de2cfd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD566bcb0e0e9a63193ef154a56659fcce2
SHA18e0c2735df4c40043f3448618e66152626718d3a
SHA2563635050cc80fa3fca5c1cd89ae9edfc7f0641080629c28a752f8fd0ba9baf8f5
SHA512da62dbe0cc6d75460d2a394970942ba058d519dc98b558965d6882173fecff51887cb9470ee042f23e8341ebc02dc0bcfea22911445d80ddb192b9416914f8d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f82a90770597568fc98252b692558de1
SHA17e37a8094c1a94d75865a7cb37cf387f56966027
SHA25606a3b9c2fe8295b13bb63b72f36fe021ea9f18c6e4812718ca090cc7243051c3
SHA512b4b40c9b72a1feedbf82b0ee9f0366247eff1e8a2329a04b1cfa26e2e68e9f0bc45992dfa595566d74690f3a8d361450b7acbce406702576c063292ef951bc6d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD52bbbdb35220e81614659f8e50e6b8a44
SHA17729a18e075646fb77eb7319e30d346552a6c9de
SHA25673f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd
SHA51259c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
560B
MD52200ae50e218623eb66baeb6a77e1489
SHA16ba3c1371a1d196c390359aa848c8ef193941dff
SHA25655353ef9a47b4a09ee452cab41219dba07b2b042d338dc4e8250c1d3184e0c5b
SHA5127d9b0b16036435d2d69d8b7b0ff7841ccf557d838c60443ebc099bb601b0c8b4637e657b30fb094fec8156c7d7d8ff956c5ae32f6e402ae40fd92f3e9dbf7bb7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5d60a24631e708ba301f3af0b0b297a6b
SHA160149a04f9fe89afb69c71b35d07af5690585866
SHA25674e2a8712e346ee17cadadc979fc6090a769226a88a4b1742521b611b9b1c056
SHA512646e63eea6044d60df57d07f2b8ec28da2ac645c4b92efff5ec25b45f6553c778615e4e991ecf22a70f8c159ee2e7e383d2a87c97861d7254b18c34cd829aaf3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f8cbf827-658d-4da5-9b87-4d32325b9003.tmpFilesize
10KB
MD512102d523d04c5392a48ef13932061c8
SHA10a05e2274a71bec2042689a2c829c59f4e5a8118
SHA2567e3366277a1a619aecee8ecd669ba516cdd5a0c3e619df37a609ea4412089fa2
SHA512f45aa3a29a1ff6cb01c0dccff7e7d0fbdbb8715e4c41cbdd1c10ffa3d063cd08f79484608326c9e42e22fa9cf6ed261c749e78ae77cea3bf78bfcae1ddc4ef0b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaFilesize
13KB
MD5cbaf7bf52369864ad3a0de6aa429aa47
SHA11b043805d459e00d044113307b0ea1ea81b98ab1
SHA256b0a8e5ffc7c9e348e63a082014b4c17ce30c29876bd3061c27dead9c93ca6f0a
SHA5124c10e70af358d4e8961d304bdaaa9f493eac7d648fe47eed16b506df283d2e6537708f83a1ee71d75d7362232b3ea66abab79f98288a7a4f774b17c9b36ab5e4
-
C:\Users\Admin\Downloads\Unconfirmed 667003.crdownloadFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
\??\pipe\LOCAL\crashpad_3128_WZGWDJRCVZMNNKUEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/256-2751-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/256-117-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/256-116-0x000000000ADC0000-0x000000000ADF4000-memory.dmpFilesize
208KB
-
memory/256-113-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4380-4885-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4380-4886-0x000000000AC80000-0x000000000ACB4000-memory.dmpFilesize
208KB
-
memory/4380-2507-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/31840-14684-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/31840-20169-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/31840-20728-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB