Overview

overview

10

Static

static

3

CoronaVirus.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/05/2024, 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CoronaVirus.exe

  • Size

    1.0MB

  • MD5

    055d1462f66a350d9886542d4d79bc2b

  • SHA1

    f1086d2f667d807dbb1aa362a7a809ea119f2565

  • SHA256

    dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

  • SHA512

    2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

  • SSDEEP

    24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score
10/10
dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 2C3F3435 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (437) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:3800
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:28180
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:32836
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:32924
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:32940
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:32892
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:32984
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:28212
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /4
            1⤵
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:14228
          • C:\Windows\system32\Clipup.exe
            "C:\Windows\system32\Clipup.exe" -p -pfm Microsoft.Messaging_8wekyb3d8bbwe
            1⤵
              PID:33680
              • C:\Windows\system32\Clipup.exe
                "C:\Windows\system32\Clipup.exe" -p -pfm Microsoft.Messaging_8wekyb3d8bbwe -ppl C:\Windows\TEMP\tem5AEC.tmp
                2⤵
                  PID:33752
              • C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe
                "C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe" -ServerName:x27e26f40ye031y48a6yb130yd1f20388991ax.AppX4vyq5e9tkwa75gjkqsjevyh36d6vk0pz.mca
                1⤵
                • Checks processor information in registry
                • Suspicious use of SetWindowsHookEx
                PID:2036

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-2C3F3435.[[email protected]].ncov
                Filesize

                2.7MB

                MD5

                3b10b2d41d5cac665b726573837f6855

                SHA1

                e08ead874a726d5735bcc1ee238319c3f92ed5a3

                SHA256

                e3ac0966d400de11ad9445db02e0ccc3bb61a32ca49d70ad2511460690cf6406

                SHA512

                3ffa6be70b3e7837b163a2e2613d6b1896536cc3b55922cea744b6eb237fe4904e199f8952d9bf4383e91695f51590e31776ffbb0c041a9d811776ec7ced7821

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\PrivateTransportDataRemovalFailureCount.setting
                Filesize

                1B

                MD5

                c4ca4238a0b923820dcc509a6f75849b

                SHA1

                356a192b7913b04c54574d18c28d46e6395428ab

                SHA256

                6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                SHA512

                4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalState\SRPData.xml
                Filesize

                397B

                MD5

                b0dbe6873f7d65b0a6dc799bf0cc1bd3

                SHA1

                073892b16db255cd9fb9f7263bc8b128471e199b

                SHA256

                7f3299cb14a9e5c07cbe3be924b176bcecb6cb597ab4d8ec08c31d693ebda470

                SHA512

                8e8412ed56267f104a55819d2c3bd0d59809d0c2b288b67bf7d7268849d0f2797f01fbdc8bc6008dda943e62db16f8143a9fe8fb54ec82eb36e73725db138e9b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                Filesize

                13KB

                MD5

                0540d06031f0472e7fe98b61b1fe9ade

                SHA1

                3f6e66cdd145df66d82ad47f46008bb3dfaaffa5

                SHA256

                12cb53dd2abad2fca24cfbf6ee218fd14c1242f051b3ebcdfbc5ab82347e5151

                SHA512

                5f1d1abfb05c4763c14372f9d95269573636e97e6912b5b576f306791670f943aadbe858111307c30e992882474cc46e3551c866096c2d902264f71d2ea55189

                Download Submit

              • C:\Windows\TEMP\tem5AEC.tmp
                Filesize

                244B

                MD5

                358a416b5edd4aa7810d0d41542c6581

                SHA1

                7ee71aabf1cbf9be675463cf0fd366781e0d34df

                SHA256

                26ffe00ac8e5d5f9db8564ca143a8f152677c69a55153e796c85ee557ce591b0

                SHA512

                d263608a75edc3a34f450661adcb7aed72fdba8b202c724e0806ac8f382c59b17269f29cfbdbaeddc0477e3eb5819f3c8476b4a74cc10e23342405013c27f6ce

                Download Submit

              • memory/3508-0-0x0000000000400000-0x000000000056F000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3508-22158-0x000000000AD30000-0x000000000AD64000-memory.dmp

                Filesize

                208KB

                Download

              • memory/3508-1-0x000000000AD30000-0x000000000AD64000-memory.dmp

                Filesize

                208KB

                Download

              • memory/3508-6589-0x0000000000400000-0x000000000056F000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3508-3-0x0000000000400000-0x000000000056F000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/33680-22167-0x0000028C2A290000-0x0000028C2A2A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33680-22169-0x0000028C2A290000-0x0000028C2A2A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33680-22168-0x0000028C2A290000-0x0000028C2A2A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33680-22179-0x0000028C2A290000-0x0000028C2A2A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33680-22180-0x0000028C2A290000-0x0000028C2A2A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33752-22173-0x0000017815C70000-0x0000017815C80000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33752-22176-0x0000017815C70000-0x0000017815C80000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33752-22177-0x0000017815C70000-0x0000017815C80000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33752-22172-0x0000017815C70000-0x0000017815C80000-memory.dmp

                Filesize

                64KB

                Download

              • memory/33752-22174-0x0000017815C70000-0x0000017815C80000-memory.dmp

                Filesize

                64KB

                Download