dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus[.]exe

Analysis

max time kernel
107s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 21:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (496) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CoronaVirus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe

Executes dropped EXE 1 IoCs

Processes:

CoronaVirus.exe

pid process

5632 CoronaVirus.exe
Loads dropped DLL 1 IoCs

Processes:

msedge.exe

pid process

12332 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5632	CoronaVirus.exe

pid	process
12332	msedge.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

84 raw.githubusercontent.com
86 raw.githubusercontent.com
87 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
84	raw.githubusercontent.com
86	raw.githubusercontent.com
87	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sv.pak.DATA.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-300.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\platform_format.lua	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ga.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XmlDocument.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\UIAutomationProvider.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.Primitives.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_audit_report_18.svg.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF	CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_el.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_es.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-125_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\plugin.jar.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\lcms.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@2x.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\PresentationUI.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\DefaultProfileImage.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-36.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\ProgressControl.xaml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\UIAutomationTypes.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_en-GB.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.id-7FE5DFD1.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

26048 vssadmin.exe
15120 vssadmin.exe

pid	process
26048	vssadmin.exe
15120	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 502462.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 502462.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeCoronaVirus.exe

pid	process
3932	msedge.exe
3932	msedge.exe
1576	msedge.exe
1576	msedge.exe
2376	identity_helper.exe
2376	identity_helper.exe
5356	msedge.exe
5356	msedge.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe
5632	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1576 msedge.exe
1576 msedge.exe
1576 msedge.exe
1576 msedge.exe
1576 msedge.exe
1576 msedge.exe
1576 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 14944 vssvc.exe
Token: SeRestorePrivilege 14944 vssvc.exe
Token: SeAuditPrivilege 14944 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	14944	vssvc.exe
Token: SeRestorePrivilege	14944	vssvc.exe
Token: SeAuditPrivilege	14944	vssvc.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe

pid	process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

19544 LogonUI.exe

pid	process
19544	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1576 wrote to memory of 2236	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 2236	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 1116	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 3932	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 3932	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe
PID 1576 wrote to memory of 384	1576	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1af46f8,0x7ffee1af4708,0x7ffee1af4718
2⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
2⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8
2⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5356

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:6104

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:5928

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:26048

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:14500

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:14820

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:15120

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:14976

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:15020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:25364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:25372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
2⤵
- Loads dropped DLL
PID:12332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
2⤵
PID:12316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:14948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14944

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c7dd014207164ab2a7d6400acfd4973b /t 15000 /p 14976
1⤵
PID:17768

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\735f50ff841749b3a18c8d22f5ee7adc /t 15028 /p 15020
1⤵
PID:18536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa391a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:19544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-7FE5DFD1.[coronavirus@qq.com].ncov
Filesize
256KB

MD5
ec87a838931d4d5d2e94a04644788a55

SHA1
2e000fa7e85759c7f4c254d4d9c33ef481e459a7

SHA256
8a39d2abd3999ab73c34db2476849cddf303ce389b35826850f9a700589b4a90

SHA512
9dd0c30167fbeaf68dfbbad8e1af552a7a1fcae120b6e04f1b41fa76c76d5a78922ff828f5cffd8c02965cde57d63dcbfb4c479b3cb49c9d8107a7d5244e9d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
362ffb214354cf47f8e63b7732234365

SHA1
88c28a9921e38579c09b9938a880ce9dd00a8487

SHA256
9486bceb26df8f866279668ed5623a6a51459ee0acc42d63ad524b160ba4a82a

SHA512
544c13869bbd675d1ae273b011198c7d11cbe165a61919bdd2fdeb55efb6e23cfee3f9ec34d6631718d5c267d64b32ee635ffaec7ccceca8b42fe634b3cb7241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b9aa7fdbfc1748c119faa8b2bbe818f3

SHA1
aa237af1b5e0495f377f3061cd17c82e33d021d1

SHA256
5bc54b1918740c27ec8824ff185625401e215da15b63998afc9d9929d97cb44c

SHA512
4c784865d9c46128560ee5aad9670454b5896feaf890af590c7d94852cc7809bd5b95309aa48b15cdf5581a25b62ffab7fe4849b961b39d3210f720bab3937ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
43e5b61772a4e21d721ab7450cac162e

SHA1
95b94af1c0428136191c0a50f4553a43ebff9c5c

SHA256
7e09147ac2b571329311826a6942bef640c0f672ba4214420cb2459ae72cf9b7

SHA512
9a306bead02d34a06435126869913b68d1f1f6dfbb814f52eac921aea1277b1c0d0e13b7a6f4a729dac97b6683580cf2f343e95b3aa9a2788e0f1327b13ed91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7ea18017fdba4ee986193fed56849416

SHA1
2ceaf4b042f03342c23ef3478ef6aac9174b0963

SHA256
39ede90e1c1342915fe54a54d3ca9ee476d2daa6aca1e8dd2e1736059a2ea5b6

SHA512
8162b0ac661e3dec4cc41bc506fbbbef75cfe3f9616b31e24404daafef289ae02b068385b3df1265686857a5ceab4da2fbbae51cfc1d64187353e4c58fb7558f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7936f71c06346b0f1164913173e2b7a1

SHA1
0b90a176c0ecebcaba48285cdb80786cde07b12c

SHA256
7c46ec984defd14026939b72a15e96af42a36e28e918dbb18c58f865e7cbac3f

SHA512
addb0660f121737c6e2203ad4b9f7920a583e4b637dfaf4ad5bfd35b48227d1ae1d12e8bbb616d23be14a66015b353658f6e8d8a03351c69ce25948a7b13bac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e143c01849e3ec2f1f8a1f33cd550c1c

SHA1
9625f1a3c7e9ba2c5459bd866725683075c75841

SHA256
39de1fa95c37ef41ebfacc995704a08cb7a4affef7ac0289364d1d7e5b9d9b75

SHA512
46dc489445bcbccec55b6793874b4fddd9ca95283269b2559c65570f9bed4d67fc1dab887f7c8b1fa0b968e7911962f2f68665d708bbcf8465f687d753327506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1c7412a44eeb9ae6a1958224a650ab19

SHA1
f75d46ec6c2d855999fcb571acceb54804b7d4be

SHA256
927b0e7318347c0693c610e0119778ba8cd10916fc50d79978e087c9d4374a69

SHA512
e58989f34ff7c12176a2ccdfb17c15770ba94d81dd747cc4416974092d1eb0ddf530435c931bcda21d24dba8161879de15b8875078456d43c0274573449a4ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579385.TMP
Filesize
874B

MD5
0a772bff6fa2ad17ede5ddc2de07ca86

SHA1
fd01e1df3563c464db010fa5c92eb38cb2a60132

SHA256
83d86e9d187920336c9a623fd33a699a4d5e6da5a6f36b9be006825b6379a099

SHA512
0835b01abc5b07a353bd9c2041fb01b08b1f82a8026f90647bf988f81b6049201f9182cc02a4b0d5dab6d71246250c87364e8d84adf6e980fd8e97003f2df435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
27bc05b82dc56448694367002429ca69

SHA1
8a503e7ac94c23286e68acfd233b28721bd53add

SHA256
026a5342432820ee107a1752380c69ea4b35aa2898c394d6be66867fb935aae1

SHA512
6fb27fd5fd03c0e2a8ff498fc8214f00a76dae0dec4a7b2cacb7aea43694732c1251a602403eccaf89eefb22bc826ae6de0193e07f63482965d0621feffa718b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
98200b63de6b8fae9b4d48d006b2464e

SHA1
c837532afe22825c41055031744c4c6ddae0beef

SHA256
b17c18e44c220c097384b832baa461992ad9cab4e972fcecc38dc5656e1a3fdc

SHA512
fe82224b77735dbf7f7134f9dec22001c881896bf366d6f4dd0e84357f657ffb1685b33c34a2de2acbd14ef5602b07647b0e1c55bb0c9f8756de8bedabd04a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
39db3d241f16302bf79aa19f4d7bb736

SHA1
d191fd0ac1f0837a257287403603f51149b7a93d

SHA256
ee082e561cb9aeabe3d09cd6be140c5ca736066b907eccc0173e2c5273192ac6

SHA512
38a5aa749294722dce881295942654bbf1755d60c3a1c873d73b3a9be7b14dadbbd654d3b2c170406a60a5cce17199fcf7e9065ec45f2f27fb181987eb6124ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 502462.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
\??\pipe\LOCAL\crashpad_1576_HNFJFLFSFPJACPKQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5632-215-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5632-214-0x000000000ADB0000-0x000000000ADE4000-memory.dmp

Filesize
208KB

Download
memory/5632-186-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5632-24228-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5632-24247-0x000000000ADB0000-0x000000000ADE4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads