Analysis
- max time kernel: 88s
- max time network: 90s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 00:40
- Static task: static1
- Behavioral task: behavioral1 (Sample: CoverNetSetup.exe, Resource: win7-20240221-en)
- Behavioral task: behavioral2 (Sample: CoverNetSetup.exe, Resource: win10v2004-20231215-en)
General
- Target: CoverNetSetup.exe
- Size: 20.1MB
- MD5: 8ab580be0e19ff66961756f3047baf66
- SHA1: d17fca1e450600b306432b9b3a35e1edafe8312e
- SHA256: 3caef983c8e1331220e2495323bb5efae4972a0e46cd6c418a9e27eb84c3de70
- SHA512: b51c5a50a570bf3cc16f20adf745e3a04be150328ca147e4ac2991e9185d24ae8cb5cccfda96b9951820f669c96419b25f0f6cb0704d41096668ab858e36d1f8
- SSDEEP: 393216:Pf2GaIDXJOS7FG2GPvvlsoW/Zq//K32Q3qzQ3JtAC2SDnvXQGclKW:n2I5L7FtZqa37azQbACpnvgG/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (CoverNetSetup.exe)
Executes dropped EXE (1 IoC)
- PID 4532 CoverNet.exe
Loads dropped DLL (8 IoCs)
- PID 1000 MsiExec.exe (4 entries)
- PID 4532 CoverNet.exe (4 entries)
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, in order: \??\E:, \??\L:, \??\M:, \??\Q:, \??\W:, \??\X:, \??\Z:, \??\B:, \??\H:, \??\K:, \??\N:, \??\V:, \??\S:, \??\T:, \??\G:, \??\I:, \??\J:, \??\O:, \??\P:, \??\A:, \??\R:, \??\U:, \??\Y:
Drops file in Program Files directory (64 IoCs)
All entries are "File created" by msiexec.exe under C:\Program Files (x86)\CoverNet\CoverNet\; paths below are relative to that directory.
- WindowsFormsIntegration.dll
- System.ComponentModel.EventBasedAsync.dll
- System.Diagnostics.Contracts.dll
- System.Threading.Tasks.dll
- Assets\Services\OpenConnect\libtasn1-6.dll
- WpfAnimatedGif.dll
- System.Diagnostics.Debug.dll
- System.Text.Encoding.dll
- System.Text.Encoding.Extensions.dll
- System.Reflection.Emit.Lightweight.dll
- Assets\Drivers\64\tapinstall.exe
- Assets\Services\OpenConnect\zlib1.dll
- DotRas.dll
- System.Runtime.Serialization.Json.dll
- System.Threading.dll
- Hardcodet.Wpf.TaskbarNotification.pdb
- WpfAnimatedGif.xml
- System.Data.DataSetExtensions.dll
- System.ValueTuple.dll
- Assets\Services\OpenConnect\libxml2-2.dll
- Assets\Services\OpenVPN\openvpnserv.exe
- Assets\Services\OpenVPN\openssl.exe
- Microsoft.CSharp.dll
- System.Reflection.Primitives.dll
- System.Net.Requests.dll
- System.Xml.XmlSerializer.dll
- Assets\Services\OpenVPN\libcrypto-1_1-x64.dll
- Assets\Drivers\32\tap0901.cat
- Assets\Drivers\32\tap0901.sys
- Assets\Drivers\32\tapinstall.exe
- Assets\Services\OpenConnect\libnettle-6.dll
- System.Runtime.Remoting.dll
- CoverNet.exe
- System.Runtime.dll
- System.Numerics.dll
- CoverNet.vshost.exe
- System.Windows.Forms.dll
- System.Runtime.InteropServices.dll
- Assets\Services\OpenVPN\libcrypto-1_1.dll
- Assets\Services\OpenVPN\Profile\Profile.ovpn
- System.Net.Http.dll
- System.Dynamic.Runtime.dll
- Assets\Services\OpenVPN\tapctl.exe
- CoverUpdater.exe
- System.Reflection.dll
- System.Net.WebHeaderCollection.dll
- Assets\Services\OpenConnect\libgcc_s_sjlj-1.dll
- Assets\Services\OpenConnect\libwinpthread-1.dll
- System.Diagnostics.Tools.dll
- System.Xml.ReaderWriter.dll
- Assets\Services\OpenVPN\libssl-1_1-x64.dll
- WpfAnimatedGif.pdb
- System.Linq.dll
- System.ServiceModel.Primitives.dll
- Assets\Services\OpenConnect\vpnc-script.js
- Hardcodet.Wpf.TaskbarNotification.xml
- Newtonsoft.Json.xml
- System.Diagnostics.Tracing.dll
- System.Net.Primitives.dll
- System.IO.dll
- CoverNet.pdb
- mscorlib.dll
- System.Collections.Concurrent.dll
- Assets\Services\OpenConnect\libgnutls-30.dll
Drops file in Windows directory (14 IoCs)
All entries by msiexec.exe.
- File opened for modification: C:\Windows\Installer\e578443.msi
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\
- File opened for modification: C:\Windows\Installer\MSI8F42.tmp
- File opened for modification: C:\Windows\Installer\MSI90C9.tmp
- File opened for modification: C:\Windows\Installer\MSI958D.tmp
- File created: C:\Windows\Installer\{217082BC-6E9E-4156-BA1A-B63795F89200}\logo.exe
- File created: C:\Windows\Installer\e578447.msi
- File created: C:\Windows\Installer\e578443.msi
- File opened for modification: C:\Windows\Installer\MSI87CD.tmp
- File opened for modification: C:\Windows\Installer\MSI8D5C.tmp
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File created: C:\Windows\Installer\SourceHash{217082BC-6E9E-4156-BA1A-B63795F89200}
- File opened for modification: C:\Windows\Installer\{217082BC-6E9E-4156-BA1A-B63795F89200}\logo.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies data under HKEY_USERS (3 IoCs)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 (msiexec.exe)
Modifies registry class (25 IoCs)
All entries by msiexec.exe unless noted. P stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CB280712E9E66514ABA16B73598F2900.
- Set value (int): P\Language = "1033"
- Set value (int): P\Assignment = "1"
- Key created: P\SourceList
- Set value (str): P\SourceList\PackageName = "CoverNet.msi"
- Set value (str): P\SourceList\Media\1 = ";"
- Key created: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings (CoverNetSetup.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CB280712E9E66514ABA16B73598F2900
- Set value (int): P\AuthorizedLUAApp = "0"
- Set value (int): P\DeploymentFlags = "3"
- Set value (str): P\ProductName = "CoverNet"
- Set value (str): P\PackageCode = "0F73616527BBD6349B0CD8CB69EC70B7"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CB280712E9E66514ABA16B73598F2900\MainFeature
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\08E3B0BC5D09D10498C6A40AA9499796
- Set value (int): P\AdvertiseFlags = "388"
- Set value (str): P\SourceList\Net\1 = "C:\\Users\\Admin\\Documents\\"
- Set value (str): P\SourceList\Media\DiskPrompt = "[1]"
- Set value (data): P\Clients = 3a0000000000
- Set value (str): P\ProductIcon = "C:\\Windows\\Installer\\{217082BC-6E9E-4156-BA1A-B63795F89200}\\logo.exe"
- Key created: P\SourceList\Media
- Set value (int): P\Version = "16777216"
- Set value (int): P\InstanceType = "0"
- Key created: P
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\08E3B0BC5D09D10498C6A40AA9499796\CB280712E9E66514ABA16B73598F2900
- Key created: P\SourceList\Net
- Set value (str): P\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Documents\\"
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 220 msiexec.exe (2 entries)
- PID 5036 msedge.exe (2 entries)
- PID 4856 msedge.exe (2 entries)
- PID 2512 identity_helper.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
- PID 4856 msedge.exe (5 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Tokens requested, grouped by pid and process:
- PID 3532 msiexec.exe (31 entries, in logged order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 220 msiexec.exe (33 entries): SeSecurityPrivilege (logged between the first two 3532 entries), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 16 pairs
Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 4856 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 4856 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Each row: source PID and process, target PID, target procid, number of identical entries in logged order.
- PID 464 CoverNetSetup.exe wrote to memory of PID 3532 (procid_target 86): 2 entries
- PID 220 msiexec.exe wrote to memory of PID 1000 (procid_target 91): 3 entries
- PID 464 CoverNetSetup.exe wrote to memory of PID 4532 (procid_target 99): 3 entries
- PID 4532 CoverNet.exe wrote to memory of PID 4856 (procid_target 100): 2 entries
- PID 4856 msedge.exe wrote to memory of PID 1724 (procid_target 101): 2 entries
- PID 4856 msedge.exe wrote to memory of PID 5100 (procid_target 102): 40 entries
- PID 4856 msedge.exe wrote to memory of PID 5036 (procid_target 103): 2 entries
- PID 4856 msedge.exe wrote to memory of PID 3788 (procid_target 104): 10 entries
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, PID, command line and the signatures hit by that process).

- C:\Users\Admin\AppData\Local\Temp\CoverNetSetup.exe (PID 464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CoverNetSetup.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\msiexec.exe (PID 3532)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\CoverNet.msi" /q
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\CoverNet\CoverNet\CoverNet.exe (PID 4532)
    Command line: "C:\Program Files (x86)\CoverNet\CoverNet\CoverNet.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4856)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cover5.site/buy_vpn.php
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1724)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa73d746f8,0x7ffa73d74708,0x7ffa73d74718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5100)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5036)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3788)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1720)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 832)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2800)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2512)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4848)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4224)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 832)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1984649491091820714,11244956481029044417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
- C:\Windows\system32\msiexec.exe (PID 220)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1000)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7E67C1607D94904FBFC306BCD2A2A8EB
    Signatures: Loads dropped DLL
- C:\Windows\System32\CompPkgSrv.exe (PID 1460)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1560)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads