dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Resubmissions

12-05-2024 21:55

240512-1s3bwsbd45 10

12-05-2024 21:52

240512-1rffqsgc4s 9

Analysis

max time kernel
167s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (519) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 3 IoCs

pid	Process
4008	CoronaVirus.exe
4900	CoronaVirus.exe
12984	msedge.exe

Loads dropped DLL 1 IoCs

pid	Process
12984	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
47	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\resources.pri.DATA	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\graph.ico.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileVisio32x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\de-de\ui-strings.js.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\ui-strings.js.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.CoreProviders.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es.gif.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\msedgeupdateres_th.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lb.pak.DATA.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.ELM.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\Microsoft.PowerShell.PSReadline.Resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_altform-unplated_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.id-9D9B540C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\ui-strings.js	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
17672	vssadmin.exe
9500	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 901246.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
1920	msedge.exe
1920	msedge.exe
3868	identity_helper.exe
3868	identity_helper.exe
2140	msedge.exe
2140	msedge.exe
980	taskmgr.exe
980	taskmgr.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe
4008	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	taskmgr.exe
Token: SeSystemProfilePrivilege	980	taskmgr.exe
Token: SeCreateGlobalPrivilege	980	taskmgr.exe
Token: SeBackupPrivilege	17800	vssvc.exe
Token: SeRestorePrivilege	17800	vssvc.exe
Token: SeAuditPrivilege	17800	vssvc.exe
Token: 33	980	taskmgr.exe
Token: SeIncBasePriorityPrivilege	980	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
980	taskmgr.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4272	1920	msedge.exe	82
PID 1920 wrote to memory of 4272	1920	msedge.exe	82
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4720	1920	msedge.exe	83
PID 1920 wrote to memory of 4284	1920	msedge.exe	84
PID 1920 wrote to memory of 4284	1920	msedge.exe	84
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85
PID 1920 wrote to memory of 4840	1920	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa047246f8,0x7ffa04724708,0x7ffa04724718
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,14252048970421732324,16569137895551181121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:3892
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:23520
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:17672
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:17876
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:24056
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9500
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:17776
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:17704

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6a34f2d92c184d649f37bb39857d3b2c /t 3900 /p 980
1⤵
PID:20744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:17800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:12504

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f8aaa7be0aba4d59936b3425b3636ef0 /t 17760 /p 17776
1⤵
PID:14036

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7b7b2fca22af4db8ac6769f3bd5c7896 /t 17660 /p 17704
1⤵
PID:16008

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
- Modifies registry class
PID:6804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:12912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-9D9B540C.[[email protected]].ncov

Filesize
2.7MB

MD5
30096328ac16b399af6e25e509d73263

SHA1
1db6e380349ab7439d4f0400d3bfad66c3204b84

SHA256
9882035167f89d3404e958137938db1ee8c177fd2ee09bced1348cf58dc6b07f

SHA512
2d218df8b6722aa992c11ed5634d8a385b8577a96f1e04af01dd0d1a5b79df082d8c773f6f6d337eae798721d17bb567c2661cd1c05ad60ca5cfa8d0ebfd4252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
81KB

MD5
21c02afc3645ed8d9a1b13e656f3aa2d

SHA1
720499fb1c219191a9890528bb6a1b4eefa1f873

SHA256
903d9bee1d2afabc2802371e65f778d6536da391257be2a007c1dd9bc1d2636f

SHA512
627b57fcdf47242adbc3fa5787b7f0ba00f212d6c212aeb22f364f8f3a2385ff172138f5e07eefe57fcbbc02dd641ba3d889bc4cb5507f586717900f878571cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
151KB

MD5
992b11ff67a7a85ac361af5fa7b7d128

SHA1
8f6e96ef72e6f8d187555f3336ce2fa74bccd9a7

SHA256
e98f893415bb4a9e2490327239132725245b2388853aa451e61545cd0fcd9c03

SHA512
df8fbd1abaa320a175389cd8a28b69713261eeaf5a3d6a743817923281eb756c2c600c5bfae7c352861ee85894845bd392801bf9356f92283da50a2936163ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
21KB

MD5
12b3b06a215a92b61047d4d676009d5c

SHA1
bfaffa1420406892f96c14563413c12b22d5578d

SHA256
ebddde1fdfe55665db44af96d9a914ea833d5c74b510150b0aafcc6598c8ec72

SHA512
5f597b93c1bd9e9be7d7aa42ec1a69d1183d164096046af276546f907c7796cd5d1ea80d152ac8cab76f1ddf3a6e3d51ed74c6dc97d467a4f5519dbad8d42ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
082ca29f92a9c20658768a7b6030bdcb

SHA1
de6125d0ba4b5d1f164942df22cc46995b73b96c

SHA256
eb6da4adfc6c7e0bced81db5decbb04d54c7a61130603467bf0adb5b7a49c27e

SHA512
b42629692718da88605570b84513f8b9ad81f8b017ccdf9fe339255d852f913f3ddf79f1358dc9efd2ba87028e73bda4866ffff3cbf3d7424f6cb5ecca9be192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bca752026f040cb91973c3e06f9a6bda

SHA1
c993ca9c985aa710480e75a817c25ce8ff8a07c9

SHA256
08eb675d14d253b734a7696a2f76b4d7f3258b5125c3958a99cabf9552b63791

SHA512
ccd5a9c1ff57d92bd5f78457fcb9c9ed22947b48ee5a348e569d8ac4bba2a53c924cd5339edb28b6ce44745c154a3e2d4ad6143efb0540693d4b4339f0fd2802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d67cd8a33691b438c4b6f15a081e4341

SHA1
2423d73221ca296727b9bc9ce82de9d7fab89b76

SHA256
29f2b46ac18be3f357886d866b51efc8489e02e87bbc8f2117ba2ddefa32f7a3

SHA512
976d6348832023ee60022cf5be099509d4f7b041418b7b3b5669f0f5dd3e3915702ecca72665f670f109e1bc89afa6b9754d30cd081146777647c78b4bd6a97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ddde0764fa96ae2bf62a585ee5ae38e5

SHA1
850800990fa3be68ac4896481314405e439b9456

SHA256
88ecaf5acb34b07e83d3049c07d44f41dd7f38779bce02c73d1f05012add1103

SHA512
677fb0c266a80de6ea334ad0cba0dd95b8285d185d4cdcc8cfd2592d8fe532db9ef700e15471483dea83247024e178b0ce972bbc69c068af3a3890695551a493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc88a6b795b9f8d56fe8cb9b0bc291c3

SHA1
54e3e39215bc76b5aa14b9ae807b84aa335b0d1b

SHA256
fda16d8923e98a3933d2698fae55051b9fa118c54b8b0a82630d6349aa69faa5

SHA512
3f91beea6e0c7cbde5ccb9d8b6840be661fce203866b38cd6fc4980f5ae36e1563c11d5b1c3e940b1cf4941a0694056735cad90f76003734e71673d6c7426ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f18ab29987dea9d5b80455cd3d3191bb

SHA1
3cebcc210d4660b7f1817f7fed02b8da07c1992f

SHA256
a6c4131f685f228e5910061ab4a3e35dc08c774ca81b82df8d22e7e598b097c6

SHA512
f831e29e4b5e985a021cefa51eb340714448f7100694b1d680eb20e8958c4083e59c543431f718d19fd7c9faed325a9a42b2845fbfa214c896a4474f1f93b797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bd93.TMP

Filesize
874B

MD5
6430f47450b6a8eb554a850e73d78101

SHA1
2c917c4429f41a7dfba993ac08164861ecd150e3

SHA256
9f64cc70498809e51bea8d24428c35f4e55b5450a2172c221b969afd80bccb67

SHA512
19e46f143d0b697450e8a342ef562faa9e8e8a2aa92ad700fd1e411caada0ee772e95b94d007acf58a1283dc61d99f49dc3fc01819e043f7146b9110cedd1aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0eb15c3ad409eee53e688e7f14d24c01

SHA1
74ace87c02e9faf21318ff2f4b4e32da55872b3b

SHA256
a23ef17e7c7bc76f19a4cd866527a08ea0912adceddfafe2abd514c5557e91df

SHA512
035333fa2fd860920b5043255bcc6f332fb47391e6fc58ec3475811a6a3401b4a023a8aa764e93f9f75d93798f8b837bc9e3010ce9e7760bb97bb871a7902952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de0587b21b54c60b3d559874062a5c41

SHA1
36941f3a5b4d8bdd5bce885a4a95ceb5e18ca5fd

SHA256
d4a3bb61da1a227f1e81aae93483439d0f94c1448b7c3a2aae12570930e674c9

SHA512
5294293a9a4ed4118d3cae2c349922bee8375d2852af67915636d0a582bca89b42d13ac84f03fe90923fc24a10ab8bbec5fa1cb5898af388680d118f943ac275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21050833c2b4414e1747ec53966e8acb

SHA1
b6bcc352c657fc85fc36c12ff1d6959420864019

SHA256
b97fd3bec6b916a88ba27a94b414608549e20c73b7fad744ed6bf54a9e4f9f34

SHA512
cd40e3cc21e4b1b95ca71ec12626901572836886504ccca97542ec3413580528d188c12b8d418f2cef03ff292b0e23dc9bb4da76bb612d62529548f91abd9e73

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 901246.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/980-25110-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25256-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25252-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25253-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25254-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25255-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25109-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25108-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25251-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/980-25257-0x000002012D550000-0x000002012D551000-memory.dmp

Filesize
4KB

Download
memory/4008-23316-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4008-250-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4008-238-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4900-9907-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4900-249-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4900-8591-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download