Resubmissions
29-04-2024 07:46
240429-jlyaxsdf97 1028-04-2024 13:27
240428-qp2wvagg39 1028-04-2024 13:08
240428-qdnj3sge28 1028-04-2024 12:57
240428-p7ch8sgc77 1028-04-2024 12:50
240428-p25ylagf2v 1028-04-2024 12:29
240428-pnvwgagb8t 10Analysis
-
max time kernel
79s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
28-04-2024 13:27
General
-
Target
CoronaVirus.exe
-
Size
1.0MB
-
MD5
055d1462f66a350d9886542d4d79bc2b
-
SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565
-
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
-
SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
SSDEEP
24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 5 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5fe9758,0x7fef5fe9768,0x7fef5fe97782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1580 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x50c1⤵
-
C:\Windows\System32\BitLockerWizardElev.exe"C:\Windows\System32\BitLockerWizardElev.exe" C:\ T1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-74772EC7.[[email protected]].ncovFilesize
6.3MB
MD59694d7c2f6e689a70d577155ac2a7811
SHA128aee41dd904a8d58cf4282e4f20311c50c6acb0
SHA2565e562e4d10480cf3e53661bc199fd25b5cc9585e43efcd862fa63a504e8da5fc
SHA512cee285d2318fb84724ce27c3a5d672da87aa4d627fc9690feb1476eb0fc7b993a8e2f690dcf239a42e05687eaf589dd1dc4798eef025b7e73f4493fbbeeda79f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmpFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD55ade7323af0468b467e6830c2001a677
SHA19f7e95e9aeee199dbf406b0daca9e07388833b59
SHA256407081d9110b56a8fc98005dee87d4afda1876588b69455bceaa568710599fab
SHA51273aaa321b950126a5bb1c34a5f980e77b80cfbf884dd71dacecd004f32122e10abc595e2311541a6518d580c24c374fe5ac4b10e92411db9802a2b7e6544e289
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmpFilesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
142KB
MD551abd2da29d7d45b8c4be6366b22e434
SHA1ffba5fa2ce0630b6f76a874a0a923bd255dd301f
SHA2565f4e7384db2008ec8a47651a5ada497e012d5f965a094276a0595b6ff2792b9a
SHA512f595e2191e7389b53344b0d3a6a80876b26ef234c9ae9f4c79d6589dab9cb6802378d48f735c5b64a43ff29921834e0dda80d787c07c00de64b614430d896107
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
166KB
MD555ee9ff139dadc1a03c56867cdb2ccf1
SHA1a6a7a0179180d8e11ae4b8fbe70a0d5abb95e537
SHA256d5577aa211330045657cc60121d0dff972ea913d6c20587e2fce00a62322c7a8
SHA51290b15c0190cb295cb5aaebeefbc99103505405e633f1f090a4792a9a9f4ddde3901063748d0f4281f4670873c4458b7f5895b79b44e7792f2d9a44e71f1dae44
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
140KB
MD587c9d3fff4d47366d5ba73259e9e8a00
SHA189a9a646f3391a87a7935a710e9b62337d70ec20
SHA2566a80c292fabc3e299cab9185990271d777dc65e09bfb4a1cec55dbb50604e753
SHA512d9fa3740ccc7095225b5566ab82de26d3cbba7ac6c14faaae5672f90ae8e90b1e2056fe218cd0daca4b32379c82553c7320d3267490ac0dc2b1fbfe629177ef8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\da7f58bf-3d72-4d5b-8089-a391517773a8.tmpFilesize
189KB
MD5b437678fa318d779c7d67e22438009b8
SHA14ff76d4ca0e77a2149ce972072dc28c579420bd5
SHA256e4102038c202910069f095acfd7dcddbf0c64a6f01ccf402fc6767a2d5199692
SHA512844d47224627f5f139fa2107f142569c8493947c86db46498f3e336a583a7dcae4268a1fe15927a2296efb4466991d2d80e49a1ff50dfc050932d4da4026c746
-
\??\pipe\crashpad_2696_KPJBRZKIAXEEFWSGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dllFilesize
194.7MB
MD58a71055d24733ac3722ebabe4c6405bd
SHA1c011c83344f34a37997500b9aaa1387cdde39e3b
SHA2564a2635e9bbc85ddc6bfb45273b5b570cdd94e86dfd10713c9c6e07f2d3953b6b
SHA51274cb7a507efedf55bdf49a24f47fa338b57cd08580ca6111f87268f1ca37b1a25a11ac1481e1a4d0c976c6f29ba07d7a7b2bc005db04f9b7590490e370c540f8
-
\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dllFilesize
2.5MB
MD5bcd202723504b7c09a1c9333c957971d
SHA1536d1210f4519ca2a759f9b69cb70224108c0981
SHA256020a6ab995558144f8d2b92037d95477972f821effe8797d16d5752ccd5470f4
SHA51233cb3ac137b91d78efb3b8ca1af568c24c106f8be4366919a11ed7feecb7b066cba6ed16251fa13a85b0547de9924580793f81e1390bd23add808b5c01c7b524
-
\Program Files\Google\Chrome\Application\chrome.exeFilesize
2.8MB
MD5095092f4e746810c5829038d48afd55a
SHA1246eb3d41194dddc826049bbafeb6fc522ec044a
SHA2562f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA5127f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400
-
memory/1760-55-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/1760-0-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/1760-2586-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/1760-11652-0x000000000ACA0000-0x000000000ACD4000-memory.dmpFilesize
208KB
-
memory/1760-53-0x000000000ACA0000-0x000000000ACD4000-memory.dmpFilesize
208KB
-
memory/2296-20494-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmpFilesize
64KB
-
memory/4372-20376-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmpFilesize
64KB
-
memory/5108-5027-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-13554-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-11654-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-11653-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-10163-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-8230-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12352-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12353-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12798-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12836-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12835-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12834-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-12833-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-13108-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-13107-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-10162-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-13555-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-16954-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-17865-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-17753-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-8219-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-20356-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-20355-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-20357-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-20358-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-6634-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-6633-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-5028-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-2671-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/5108-2675-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB