Analysis
max time kernel:  121s
max time network: 122s
platform:         windows7_x64
resource:         win7-20240508-en
resource tags:    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:        29/05/2024, 15:31

Behavioral task: behavioral1
  Sample:   Covid-666.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample:   Covid-666.exe
  Resource: win10v2004-20240426-en

General

Target: Covid-666.exe
Size:   687KB
MD5:    0c303ae1347c0395a96f3eb38d26d7ed
SHA1:   c8cf473a22fc86ddad00ec286e94422f4b7d5c59
SHA256: 1eefaeb98524277d1aeb459b6e4a31472ce2f4ff15f8f45b051e1c8a021c8fa7
SHA512: 57e9ca4e5339164a6c3e5f53b8f30410d86139355390e17a2926d5b2263a511f0d47b26f70e95a5cf8daf4c365fec7f057614636e6f092d8320fcdda8debea93
SSDEEP: 12288:U7M23cFQpIn5tghlAjyCey1vLd31utolsqHzc30qOocuXi7oS:Ug2sq2nohlAtrvLjutQtI3bOoli
Malware Config
Signatures
- Disables Task Manager via registry modification

- Executes dropped EXE (2 IoCs)
  pid   process
  2240  mbr.exe
  2632  MainWindow.exe

- Loads dropped DLL (4 IoCs)
  pid   process
  848   cmd.exe
  848   cmd.exe
  848   cmd.exe
  848   cmd.exe

- resource                                                                     yara_rule
  behavioral1/memory/2920-0-0x0000000000400000-0x000000000064F000-memory.dmp    upx
  behavioral1/memory/2920-39-0x0000000000400000-0x000000000064F000-memory.dmp   upx

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  mbr.exe

- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description      ioc                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"  reg.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry key (1 TTP, 6 IoCs)
  pid   process
  2856  reg.exe
  2600  reg.exe
  2592  reg.exe
  2676  reg.exe
  2736  reg.exe
  2864  reg.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       pid   process
  Token: SeShutdownPrivilege        2524  shutdown.exe
  Token: SeRemoteShutdownPrivilege  2524  shutdown.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2632  MainWindow.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Covid-666.exe  (PID 2920)
    command line: "C:\Users\Admin\AppData\Local\Temp\Covid-666.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 848)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2E80.tmp\Covid666.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2736)
            command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2864)
            command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2856)
            command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2600)
            command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
            - Modifies registry key

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2592)
            command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
            - Modifies registry key

        [3] C:\Users\Admin\AppData\Local\Temp\2E80.tmp\mbr.exe  (PID 2240)
            command line: mbr.exe
            - Executes dropped EXE
            - Writes to the Master Boot Record (MBR)

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2700)
            command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
            - Sets desktop wallpaper using registry

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2236)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2496)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2492)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2980)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2676)
            command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
            - Modifies registry key

        [3] C:\Users\Admin\AppData\Local\Temp\2E80.tmp\MainWindow.exe  (PID 2632)
            command line: MainWindow.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\shutdown.exe  (PID 2524)
            command line: shutdown /r /t 240 /c "You have only 4 minutes to complete the payment or all your data is lost forever"
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\reg.exe  (PID 2540)
            command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
            - Sets desktop wallpaper using registry

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2588)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2936)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2748)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2136)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2244)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2388)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 468)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 1800)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 2004)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

        [3] C:\Windows\SysWOW64\rundll32.exe  (PID 1288)
            command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Network
MITRE ATT&CK Enterprise v15
Downloads