Overview
overview
10Static
static
7Ransomware...er.exe
windows7-x64
8Ransomware...er.exe
windows10-2004-x64
8Ransomware/7ev3n.exe
windows7-x64
Ransomware/7ev3n.exe
windows10-2004-x64
Ransomware...le.exe
windows7-x64
Ransomware...le.exe
windows10-2004-x64
Ransomware...it.exe
windows7-x64
10Ransomware...it.exe
windows10-2004-x64
10Ransomware/Birele.exe
windows10-2004-x64
10Ransomware...r5.exe
windows7-x64
10Ransomware...r5.exe
windows10-2004-x64
10Ransomware...us.exe
windows7-x64
10Ransomware...us.exe
windows10-2004-x64
10Ransomware...er.exe
windows7-x64
10Ransomware...er.exe
windows10-2004-x64
10Ransomware...ll.exe
windows7-x64
9Ransomware...ll.exe
windows10-2004-x64
7Ransomware...ck.exe
windows7-x64
7Ransomware...ck.exe
windows10-2004-x64
7Ransomware/Dharma.exe
windows7-x64
9Ransomware/Dharma.exe
windows10-2004-x64
9Ransomware/Fantom.exe
windows7-x64
10Ransomware/Fantom.exe
windows10-2004-x64
10Ransomware...ab.exe
windows7-x64
10Ransomware...ab.exe
windows10-2004-x64
10Ransomware...ye.exe
windows7-x64
10Ransomware...ye.exe
windows10-2004-x64
10Ransomware...Eye.js
windows7-x64
10Ransomware...Eye.js
windows10-2004-x64
10Ransomware...pt.exe
windows7-x64
10Ransomware...pt.exe
windows10-2004-x64
10Ransomware...en.exe
windows7-x64
8Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03-03-2024 01:34
Behavioral task
behavioral1
Sample
Ransomware/$uckyLocker.exe
Resource
win7-20240221-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
Ransomware/$uckyLocker.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral3
Sample
Ransomware/7ev3n.exe
Resource
win7-20240221-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral4
Sample
Ransomware/7ev3n.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral5
Sample
Ransomware/Annabelle.exe
Resource
win7-20240220-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral6
Sample
Ransomware/Annabelle.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral7
Sample
Ransomware/BadRabbit.exe
Resource
win7-20240215-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral8
Sample
Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral9
Sample
Ransomware/Birele.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral10
Sample
Ransomware/Cerber5.exe
Resource
win7-20240221-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral11
Sample
Ransomware/Cerber5.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
17 signatures
150 seconds
Behavioral task
behavioral12
Sample
Ransomware/CoronaVirus.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral13
Sample
Ransomware/CoronaVirus.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
14 signatures
150 seconds
Behavioral task
behavioral14
Sample
Ransomware/CryptoLocker.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral15
Sample
Ransomware/CryptoLocker.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral16
Sample
Ransomware/CryptoWall.exe
Resource
win7-20240220-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral17
Sample
Ransomware/CryptoWall.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral18
Sample
Ransomware/DeriaLock.exe
Resource
win7-20240215-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral19
Sample
Ransomware/DeriaLock.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral20
Sample
Ransomware/Dharma.exe
Resource
win7-20240221-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral21
Sample
Ransomware/Dharma.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
17 signatures
150 seconds
Behavioral task
behavioral22
Sample
Ransomware/Fantom.exe
Resource
win7-20240221-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral23
Sample
Ransomware/Fantom.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral24
Sample
Ransomware/GandCrab.exe
Resource
win7-20240215-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral25
Sample
Ransomware/GandCrab.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral26
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral27
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral28
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral29
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral30
Sample
Ransomware/InfinityCrypt.exe
Resource
win7-20240221-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral31
Sample
Ransomware/InfinityCrypt.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral32
Sample
Ransomware/Krotten.exe
Resource
win7-20240221-en
windows7-x64
11 signatures
150 seconds
General
-
Target
Ransomware/CoronaVirus.exe
-
Size
1.0MB
-
MD5
055d1462f66a350d9886542d4d79bc2b
-
SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565
-
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
-
SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
SSDEEP
24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Score
10/10
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F75D7724.[[email protected]].ncov CoronaVirus.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.dll.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymxl.ttf CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\eu.pak CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\122.0.2365.52.manifest CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Locales\ca-Es-VALENCIA.pak CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_altform-lightunplated.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub CoronaVirus.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\RemoveStroke_Illustration.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationFramework.resources.dll CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\caution.svg.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Metadata.dll.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\BuildInfo.xml CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-200.jpg CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\7-Zip\Lang\kaa.txt.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected].[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Input.Manipulations.resources.dll.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Mock.ps1 CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Controls.Ribbon.resources.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg.id-F75D7724.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms CoronaVirus.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 12068 vssadmin.exe 14984 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe 320 CoronaVirus.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 10944 vssvc.exe Token: SeRestorePrivilege 10944 vssvc.exe Token: SeAuditPrivilege 10944 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 320 wrote to memory of 4724 320 CoronaVirus.exe 99 PID 320 wrote to memory of 4724 320 CoronaVirus.exe 99 PID 4724 wrote to memory of 4344 4724 cmd.exe 101 PID 4724 wrote to memory of 4344 4724 cmd.exe 101 PID 4724 wrote to memory of 12068 4724 cmd.exe 104 PID 4724 wrote to memory of 12068 4724 cmd.exe 104 PID 320 wrote to memory of 5204 320 CoronaVirus.exe 110 PID 320 wrote to memory of 5204 320 CoronaVirus.exe 110 PID 5204 wrote to memory of 13768 5204 cmd.exe 113 PID 5204 wrote to memory of 13768 5204 cmd.exe 113 PID 5204 wrote to memory of 14984 5204 cmd.exe 114 PID 5204 wrote to memory of 14984 5204 cmd.exe 114 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:4344
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:12068
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5204 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:13768
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:14984
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:81⤵PID:13068
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:10944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-F75D7724.[[email protected]].ncov
Filesize256KB
MD5ec87a838931d4d5d2e94a04644788a55
SHA12e000fa7e85759c7f4c254d4d9c33ef481e459a7
SHA2568a39d2abd3999ab73c34db2476849cddf303ce389b35826850f9a700589b4a90
SHA5129dd0c30167fbeaf68dfbbad8e1af552a7a1fcae120b6e04f1b41fa76c76d5a78922ff828f5cffd8c02965cde57d63dcbfb4c479b3cb49c9d8107a7d5244e9d03